Chinese Hackers

[kyonides]

Exposing the shocking truth about popular apps with Chinese ties

The apps that are in question are VPN apps for iPhones and Androids that have parent companies based in China or other parts of Asia. VPNs are great, especially when you want to browse the web privately and safeguard against hackers, especially when you're traveling internationally.

However, some VPNs are capable of accessing the very information you want to keep private, including encrypted email content and banking information, and there are lots of popular ones out there that have misled their customers.

TurboVPN is a popular VPN app, especially among Android users. However, the app has had multiple Chinese nationals as directors and was found by AppEsteem to be installing root certificates, which allowed them to tell the computer to trust any application that it authorized.

Signal Lab is another company that owns multiple top VPN apps, and that company's exact location is unclear. However, in its terms of service, they reserve the right to monitor any user’s activity for anything suspected of being objectionable, which pretty much means they can look into anything you're doing whether you expect privacy or not.
...
Study up on a VPN's privacy policies and see where its parent companies are based. See how many reviews a particular app you're looking at has and make sure it's from a legit source like the iOS App Store or the Google Play Store.

[kyonides]

Former ByteDance Executive: China Has ‘Supreme Access’ to All TikTok Data

Yintao “Roger” Yu, a former head of engineering at Bytedance in the United States, says the CCP had a special office inside the company, called the “Committee,” which monitored Bytedance and its TikTok subsidiary and “guided how it advanced core Communist values,” according to the complaint obtained by CNN.

“The Committee maintained supreme access to all the company data, even data stored in the United States,” Yu’s wrongful termination lawsuit, which was filed on Friday in Superior Court in San Francisco, read.

The suit also claims that Bytedance made user data accessible to the CCP via a backdoor channel, and that it didn’t matter where the in the world the data was located.

Yu also said that he had witnessed Bytedance being “responsive to the CCP’s requests” to share, elevate, and even remove content. The former executive also described the Chinese tech company as “useful propaganda tool” for Beijing’s communist leaders.

In his complaint, the ex-ByteDance employee, who was dismissed by ByteDance in November 2018, also alleged that the Chinese company dismissed him after he flagged illegal activity, according to a report by Reuters.

Yu says he told management he was concerned over the company taking user content from other platforms, such as Instagram and Snapchat, and that management told him to hide the illegal program, especially from employees in the United States, as the country has stricter laws.

The former executive says ByteDance engaged in a “worldwide scheme to steal and profit from the content of others” without asking permission.

Yu is now seeking a court order that would ban ByteDance from scraping content from other social media platforms.
...
ByteDance is also known for obtaining the private user data of U.S. journalists. Earlier this month, it was revealed that the Chinese company had also secretly tracked a UK journalist via her cat’s TikTok account, which didn’t even have her real name on it.

if doesn't qualify as the ultimate hack where you don't even realize that you've been hit by their malware, I don't know what does then.
And nope, they don't care about your privacy. Not even your nicknames will help get out of it.

[kyonides]

Chinese Hackers’ Attack on Key US Bases on Guam Is Part of Unrestricted Warfare

In response to the Five Eyes Coalition’s discovery of a Chinese hacker attack on American military bases in Guam, a U.S. military expert told The Epoch Times that the Chinese Communist Party (CCP) is either rehearsing for an impending war or has already launched some form of war against the United States.

Together with various cybersecurity agencies under the Five Eye alliance, Microsoft released details of the covert malware attack on May 24.

The attack was carried out by Beijing-sponsored hacker group codenamed “Volt Typhoon” and relied on “living-off-the-land techniques,” according to the Microsoft report.

“Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States,” it said.

Microsoft believes that the hackers are “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

The organizations affected include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors, as identified by the report.

Security experts observed that the hackers intended to perform spying activities and maintain access for as long as possible without being detected.
...
[Carl Schuster, a retired Navy captain and former director of operations at U.S. Pacific Command’s Joint Intelligence Center] speculated that the hacking was carried out by the strategic support force of the Chinese People’s Liberation Army.

Located in the Western Pacific, Guam is one of the four unincorporated organized territories of the United States. It is home to three military bases, including Andersen Air Force Base, Naval Base Guam, and Apra Harbor Naval Base. These bases have played significant roles in major conflicts, such as World War II, the Korean War, and the Vietnam War.

Schuster said Guam is a major strategic hub for the United States.

..."It’s also the island on which we would stage most of the support if we had to come to the Philippines defense or even Taiwan,” he explained.

Schuster believes that the hacking operation has similarities with the spy balloon incident, and both are treading in the gray area.

He said he believes they are testing the United States.
...
Experts suggest that flying spy balloons over the U.S. airspace and hacking key military infrastructure are both part of the CCP’s Unrestricted Warfare strategy, a concept developed by former Chinese Air Force Majors General Qiao Liang and Wang Xiangshui in their 1999 book “Unrestricted Warfare.” They claim unrestricted warfare employs all means, including economic warfare, cyber attacks, and terrorism.

[kyonides]

Chinese Hackers Breached Hundreds
of Public and Private Networks, Investigation Concludes

Suspected state-backed Chinese hackers used a security hole in a popular email security appliance to break into the networks of hundreds of public and private sector organizations globally, nearly a third of them government agencies, including foreign ministries, cybersecurity firm Mandiant said Thursday.
...
The hack exploited a software vulnerability in Barracuda Networks’ Email Security Gateway, compromising tens of thousands of computers globally.

The hacking began on Oct. 10, 2022, but the intrusions were only discovered by Barracuda on May 19, 2023. Counter-measures were promptly taken.

In response, the hackers immediately altered their malware and employed persistent, high frequency hacking attacks, targeting a number of victims located in at least 16 different countries.
...
In an emailed statement Thursday, Barracuda said about 5 percent of its active Email Security Gateway appliances worldwide showed evidence of potential compromise. The company stated that it was providing replacement appliances to affected customers at no cost.

Mandiant’s investigation concluded with “high confidence” that the hackers were an organized team engaged in “espionage activity in support of the People’s Republic of China,” calling the hacking team an “aggressive and highly skilled actor.”

The hackers sent emails containing malicious file attachments to gain access to targeted organizations’ devices and data, Mandiant said. Of those organizations, 55 percent were from the Americas, 22 percent from Asia Pacific, and 24 percent from Europe, the Middle East, and Africa combined. Targets included foreign ministries in Southeast Asia, foreign trade offices, and academic organizations in Taiwan and Hong Kong, the company said.

Mandiant explained the majority impact in the Americas due to it being Barracuda’s main customer base.

The hackers operated at both the organizational and individual account levels and focused on issues that are high policy priorities for China, particularly in the Asia Pacific region, Mandiant said. The hackers searched for email accounts of people working for governments of political or strategic interest to China at the time they were participating in diplomatic meetings with other countries.

[kyonides]

Microsoft’s Contract With Government Agencies
Under Fire Following Chinese Cyber Attacks

After Chinese hackers were able to hack into U.S. government email accounts last week, Microsoft’s security systems are now under fire from Congress.

A cyber gang based in China was accused of stealing emails from senior U.S. officials in a major security breach through a weakness in Microsoft MSFT.O software.

The attacks were allegedly able to access the email accounts of top State Department employees and U.S. Commerce Secretary Gina Raimondo, the Cybersecurity and Infrastructure Security Agency announced on July 12.

Federal agencies detected a breach in the two agencies’ accounts “fairly rapidly” and managed to prevent further breaches, White House National Security Adviser, Jake Sullivan, told ABC’s “Good Morning America.”

Microsoft said that the breach took advantage of a still-undisclosed security issue with the company’s online email service and not through hacking computers or stealing passwords.

The tech firm accused “Storm-0558,” a Chinese hacking outfit, of forging digital authentication tokens to access email accounts running on the firm’s Outlook service starting in May.

The group has also focused on espionage against governments in Europe and has accessed the cloud-based Outlook email systems of 25 organizations, including multiple government agencies in the EU.

Beijing’s embassy in the U.K. told Reuters that the latest accusations are “disinformation” and called the United States “the world’s biggest hacking empire and global cyber thief.”
...
Microsoft acknowledged the hack in a July 11 blog post, admitting that “accountability starts with us” and that it was “continually self-evaluating, learning from incidents,” and improving its cyber defenses.

Members of Congress have been raising concerns for months over government departments’ increasing reliance on Microsoft for cybersecurity tools and services.
...
Senator Ron Wyden (D-OR) said that Microsoft should offer all its customers full forensic capabilities, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”

Congressional legislators have also complained that the move shuts out other vendors and use of off-the-shelf security software could pose a risk.

Last month, Newsweek reported that several key leaders in the Department of Defense had opposed a decision last year to scrap an existing cybersecurity program that was open to competition.

The Pentagon replaced the program with Microsoft’s in-house security tools, which are typically offered with its business software packages and cost taxpayers $543 million.
...
The Maryland congressman also asked whether the deal made the U.S. military dependent on a single IT provider, whose software may be inferior to rivals, while the operational costs rise over time.
...
However, smaller competitors have accused Microsoft of squeezing them out of the market through lucrative contracts and creating a monopoly over the cybersecurity sector.

Rival firms warn that the company’s growing lock on the market and the favoritism that it receives from the private and public sectors are putting too many eggs into one basket and endangering security.

Well, MS loves to get involved in mergers and monopolies for sure.

[kyonides]

TikTok Tells Inquiry China-Based Employees
Can Make Changes to Algorithm

TikTok officials have admitted to an Australian government inquiry that China-based employees can change the social media app’s algorithm.

This is the first time officials from the company have made the admission, which has raised increasing questions about the reach of the Chinese regime into foreign societies through the app.

Appearing before the Select Committee on Foreign Interference Through Social Media Inquiry, TikTok’s Security Officer Will Farrell, under questioning, admitted employees of TikTok based in China could adjust the algorithm.

“They can make changes, which will then go under a security review to make sure those changes are acceptable,” Mr. Farrell said.
...
“It means that the long arm of the Chinese state can reach into the heart of the Australian democracy and influence a platform which is an increasing source of news and information about the world for young people,” Senator Paterson told Sky News.

“Now, if they’ve got control over that app, what is on it and also what data it collects on its users. That’s a very powerful tool that they can wield against us, and I’m very concerned about the implications of that for Australians.”

Senator Paterson said that the admission would mean that the inquiry, which is due to deliver its findings on Aug. 1, will have to make some “very tough recommendations to the government about confronting this problem.”
...
TikTok is owned by the Chinese company ByteDance which publicly acknowledges it is headquartered in Beijing.

While the Chinese Communist Party (CCP) has no official stake in the company, it does hold a one percent stake in its Chinese version of TikTok, Douyin, under the sovereign wealth fund, which is also publically available information.
...
The senate inquiry comes as governments around the world become more apprehensive about the national security concerns stemming from the app’s access to personal data, which experts argue could be handed over to the CCP under the its National Intelligence Law of 2017.

This has led to 16 countries, including Australia, the UK, the U.S., and the EU, to ban the app from government devices.

However, TikTok officials denied this would ever occur, with [TikTok Australia’s Director of Public Policy Ella] Woods-Joyce stating that the company would not hand over data if asked.
...
However, Senator Paterson noted that under the National Intelligence Law, any Chinese employee of TikTok who was asked to access Australian user data would be obligated to keep the request quiet due to the “strict confidentiality requirements that are imposed on individuals who are assisting the work of intelligence agencies.”

 Of course, if nobody's able to speak up, "it never happened", and nobody else will ever learn about it, right?

[kyonides]

Chinese APT41 Group Attack Android Devices
With WyrmSpy and DragonEgg Malware

A Chinese-based state-sponsored espionage group, APT41 targets Android devices through spyware wyrmspy and Dragon egg which masquerades as legit applications.

This group has been active since 2012 and targets both public and private sectors related to software development, hardware manufacturers, telecommunications, social media, video games, etc.

According to U.S. grand jury indictments from 2019 and 2020, the group was involved in compromising over 100 public and private organizations and individuals in the United States and around the world.
...
Initially, this malware imitates legitimate Android applications for showing notifications; once successfully installed on the user’s machine, it claims multiple device permission to enable data exfiltration.

Google confirmed that based on current detection, no apps containing this malware are found to be on Google Play.

Wyrmspy can collect log files, photos, Device location, SMS messages (read and write), and Audio recordings.

Utilizes known rooting tools to gain escalated privileges to the device and perform surveillance activities specified by commands received from its C2 servers.
...
This file tries to get and launch more functionality like WyrmSpy; the DragonEgg samples ask for many permissions for services that aren’t actually used in the main app.

Dragon Egg is also able to collect data like Device contacts, SMS messages, External device storage files, Device location, Audio recording, and Camera photos once it successfully compromises the device.

[kyonides]

Suspected Chinese Hack on US Government Worse Than Previously Thought

A recent cybersecurity breach of U.S. government emails may have reached further than initially thought, according to a new report by the cybersecurity firm Wiz.inc.

Earlier this month, Microsoft and U.S. government cybersecurity experts identified a breach of email systems tied to 25 organizations, including several U.S. government agencies. Microsoft attributed the security breach, which likely occurred in May, to a Chinese government-linked hacking group called Storm-0558. According to Microsoft, Storm-0558 obtained a private encryption key, known as an MSA key, and used it to forge access tokens for the Outlook Web Access (OWA) and Outlook.com services.
...
Reports have indicated that email accounts for U.S. Commerce Secretary Gina Raimondo were impacted, as were accounts belonging to U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asian and Pacific Affairs Daniel Kritenbrink.

At a July 12 press briefing, officials with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that no sensitive information was stolen during the hack.

Microsoft assessed that the hack only impacted its Outlook.com and Exchange Online services.

On Friday, Wiz published its own assessment finding that the way the hack had taken place could indicate a larger breach than Microsoft or U.S. government officials have let on thus far.

“Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the ‘login with Microsoft’ functionality, and multi-tenant applications in certain conditions,” wrote Wiz researcher Shir Tamari.
...
Microsoft has denied Azure Active Directory applications have been harmed by the Storm-0558 hack.

In response to the Wiz report, a Microsoft spokesperson told NTD News: “This blog highlights some hypothetical attack scenarios, but we’ve not observed those outcomes in the wild. We recommend that customers review our blogs, specifically our Microsoft Threat Intelligence blog, to learn more about this incident and investigate their own environments using the Indicators of Compromise (IOCs) that we’ve made public.”
...
Sen. Ron Wyden (D-Ore.) said Microsoft should offer all of its full forensic capabilities to all of its customers, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”

Amid this pressure, Microsoft announced on July 19 that it would begin providing its standard Microsoft Purview Audit customers with “deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level.”
...
“These steps are the result of close coordination with commercial and government customers, and with the Cybersecurity and Infrastructure Security Agency (CISA) about the types of security log data Microsoft provides to cloud customers for insight and analysis.”

[kyonides]

Previously unknown hacking group targets
Hong Kong organizations in supply chain cyberattack

A previously unknown hacking campaign targeted file protection, encryption and decryption software as part of a supply chain attack on unnamed targets in Hong Kong and other regions of Asia, according to an analysis published Tuesday.

Researchers with the Symantec Threat Hunter Team, part of Broadcom, dubbed the unknown actors behind the campaign “Carderbee” and said the group compromised a Cobra DocGuard software update file with the goal of deploying the Korplug backdoor (also known as PlugX), a widely used piece of malware.

The malware was signed with a legitimate Microsoft certificate, the researchers noted, which can make it much harder for security software to detect.

The campaign, which started in April 2023, was detected on roughly 100 computers across multiple organizations. Given that the Cobra DocGuard software — produced by the China-based EsafeNet, which itself is owned by the Chinese information security firm NSFOCUS — is only installed on roughly 2,000 computers, the “attacker may be selectively pushing payloads to specific victims,” the researchers said.
...
Originally limited to Chinese-related hacking campaigns, PlugX is now widespread enough that conclusive attribution is not possible, the researchers said. Nevertheless, Cobra DocGuard update files were compromised to target a Hong Kong-based gambling company in September 2022, according to ESET, by a Chinese-linked hacking effort tracked as LuckyMouse (also known as APT27, Emissary Panda and Bronze Union). That campaign also delivered a variant of the Korplug malware.

The similar tactics, techniques and procedures hint at a Chinese connection, even if full attribution isn’t yet possible. “The Korplug back door is usually used by China-linked APT groups,” said Brigid O. Gorman, a senior intelligence analyst with Symantec. “In addition to this, the targeting is in line with what we’ve seen from China-linked groups in the past. As stated in the blog there are also some similarities between this activity and previous activity carried out by the Budworm (aka APT27) group.”

Gorman declined to elaborate on the victims in this particular campaign, but noted that although there were some victims throughout south and southeast Asia, “it appears organizations in Hong Kong were the main targets in this campaign.”

Normally one would think that any Chinese hacker would have no interest in targetting a Chinese province. Yet, they have been treating Hong Kong as a rebellious region for years and for several reasons, including overreaching censorship and extreme persecution of dissenters.

[kyonides]

Chinese Hackers Breached the Email of Government Officials
by Cracking a Microsoft Engineer’s Account

The hack occurred in June, but the company just completed an internal investigation that pointed the finger at its own sloppy security practices.

Bloomberg reports that Microsoft has disclosed that China-linked hackers compromised the corporate account of one of its engineers, then used this unauthorized access to steal a digital key in order to forge authentication tokens. These tokens granted them access to email accounts on Microsoft’s cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon, and State Department officials.
...
“[Back in June], U.S. government safeguards identified an intrusion in Microsoft’s cloud security, which affected unclassified systems. Officials immediately contacted Microsoft to find the source and vulnerability in their cloud service,” said Adam Hodge, spokesman for the White House National Security Council. He added, “We continue to hold the procurement providers of the U.S. government to a high security threshold.”

The incident has underscored the growing concerns among senior Western intelligence officials about the ability of Chinese hackers to orchestrate stealthy attacks that can evade detection for years.

China, however, has consistently denied hacking U.S. organizations and has accused the U.S. and its allies of targeting Chinese networks. The Chinese embassy in Washington did not respond to requests for comment on the incident.

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft had initially disclosed the breach in June. However, the exact mechanism by which the hackers were able to steal the key remained unclear until now. Microsoft stated in a blog post that the key was stored improperly in “crash dump” data after a computer or application unexpectedly crashed. This dump was then moved to Microsoft’s production environment where it could be accessed by a compromised account belonging to a Microsoft employee.

Adding to the complexity of the situation, Microsoft admitted that it did not have complete confidence in its assessment of how the key was stolen.