May 23-29, 2024 | Issue 21 - CICYBER
Janthe Van Schaik, Mihai Marian Calinoiu, Prim Thanchanok Kanlayanarak
Alya Fathia Fitri, Senior Editor
China-Linked Threat Actor Targets Caribbean Countries With Cyber Espionage Campaign[1]
Date: May 23, 2024
Location: The Caribbean
Parties involved: China; China-linked threat actor Sharp Panda; US; American-Israeli cybersecurity firm Check Point; The Caribbean countries; Puerto Rico; US Virgin Islands
The event: Sharp Panda targets governmental bodies and high-rank officials in the Caribbean countries as part of an espionage campaign.[2] Sharp Panda aims to enhance influence in the Caribbean region by employing Cobalt Strike Beacon and phishing attacks with compromised high-profile Southeast Asian email accounts to target government officials.[3] Cobalt Strike Beacon is a payload backdoor gaining control of compromised systems communicating the information to command and control.[4]
Analysis & Implications:
China-linked threat actors will almost certainly continue to target countries in the NORTHCOM region as part of espionage campaigns to obtain access to information that aligns with China’s interests including sensitive information on governmental strategic alliances and defense. The Caribbean countries will very likely cooperate with countries like the US to deter, detect, and defeat cyber attacks by training, equipment, and human resources to ensure cybersecurity in the region. Countries with advanced cybersecurity capabilities will likely notify vulnerable entities in the US Caribbean territories of Puerto Rico and the Virgin Islands of detected threats from Chinese actors, particularly governmental bodies, high-rank officials, and critical infrastructure organizations and companies in the telecommunication, financial, and industrial sectors.
Sharp Panda will very likely improve evasion methods by using reliant proxy networks to prevent detection in the infection of command and control (C2). The group will likely incorporate AI-enabled spear-phishing techniques targeting governmental officials in the Caribbean states to gain primary access to the systems by deploying adaptive malware to infiltrate governmental systems and gather information on target networks for future cyber attacks. The malware will likely conduct reconnaissance on the network layouts and systems defenses to tailor cyber attacks and data extractions, likely improving the group’s evasion techniques.
Date: May 27, 2024
Location: USA
Parties involved: Cybersecurity company Check Point; Cybersecurity and Infrastructure Security Agency (CISA); Cybersecurity companies; VPN service providers
The event: Check Point warned in an advisory that threat actors are targeting security gateways on old accounts with weak authentication by exploiting the Check Point Remote Access VPN.[5] Check Point is a cybersecurity company offering global cybersecurity services and solutions to customers including corporate businesses and government.[6]
Analysis & Implications:
Companies providing cybersecurity solutions such as Check Point will likely shift towards a zero-trust security model with a requirement for multi-factor authentication (MFA) for all VPNs, very likely joining efforts to increase research on the access verification methods. Cybersecurity companies will likely employ more skilled professionals as teams dedicated to monitoring, detecting, and responding to threats aimed at different layers of the network as malicious attempts are very likely to increase in the next coming months. Companies using VPNs will likely create internal awareness campaigns for employees about the importance of using the software for sensitive data protection on their computers and the company servers, along with VPN configuration instructions.
Threat actors will likely attempt to gain unauthorized access to other VPN service providers and SSH services using similar techniques to exploit weak authentication systems, but attack vectors and techniques will likely become more sophisticated as companies introduce new preventative measures. Government agencies such as CISA have a roughly even chance of responding to the threat with the introduction of new requirements for companies, especially those with government contracts, to mandate MFA on all internal and external user accounts to prevent password-based attacks. There is a roughly even chance that state-sponsored actors are behind the attempts to compromise Check Point’s internal network as part of a global trend in cyber espionage.
[1] Hacker, generated by a third party database
[2] New Frontiers, Old Tactics: Chinese Espionage Group Targets Africa & Caribbean Govts, The Hacker News, May 2024, https://thehackernews.com/2024/05/new-frontiers-old-tactics-chinese-cyber.html
[3] Ibid
[4] How does Cobalt Strike differ from traditional malware?, CSO, https://www.csoonline.com/smart-answers/?q=How%20does%20Cobalt%20Strike%20differ%20from%20traditional%20malware%3F&qs=article_cso_574143
[5] Hackers target Check Point VPNs to breach enterprise networks, Bleeping Computer, May 2024, https://www.bleepingcomputer.com/news/security/hackers-target-check-point-vpns-to-breach-enterprise-networks/#google_vignette
[6] Federal Cyber Security: Rising to the Challenges of a Constantly Shifting Landscape, Check Point, https://www.checkpoint.com/industry/government-federal-security/
Comentários