Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/9/2019
01:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Public Exposure Does Little to Slow China-Based Thrip APT

Over the past year, the cyber-espionage group has attacked at least 12 other companies in the military, telecom, and satellite sectors, Symantec says.

China-based advanced persistent threat group (APT) Thrip continues to pose a major threat to organizations in the satellite, telecommunications, and military sectors in Southeast Asia more than a year after Symantec first exposed its activities.

Far from being deterred by the exposure, the group has continued its attacks unabated on companies in the region. Since June 2018, Thrip has attacked at least 12 high-level targets in multiple countries, including Hong Kong, Indonesia, Malaysia, and the Philippines, Symantec said in an update on Thrip's activities this week.

Thrip, which is known for leveraging legitimate tools such as PsExec, PowerShell, and LogMeIn in its attacks, also has added more custom weapons to its arsenal. According to Symantec, the Chinese group recently began using a previously unseen backdoor called Hannotog to try and gain persistent remote access on compromised systems. Hannotog takes advantage of the built-in Windows Management Instrumentation (WMI) component in Windows as part of its execution on victim networks.

Thrip also is using Sagerunex, another backdoor, recent attacks, suggesting a strong link between Thrip and Billbug Group (aka Lotus Blossom), a well-known Chinese cyber-espionage group that has been operating since at least early 2009. Sagerunex appears to be a more evolved version of malware dubbed Evora, which Billbug has been known to use. Based on this and other available telemetry it appears Thrip is a subgroup of Billbug, Symantec said.

For organizations on its radar, Thrip presents a clear and present danger, says Vikram Thakur, technical director at Symantec.

"Attackers will continue to target organizations regardless of public exposure of their campaigns and tools," he says. "[Organizations] in targeted market segments should take note of the techniques leveraged by Thrip and ensure they have appropriate tools to both instrument and respond in case the attacker turns their way." 

One complicating factor is Thrip's heavy use of legitimate and dual-use tools for lateral movement, credential theft malware execution, and other malicious activities. By hiding its attack traffic in a sea of legitimate traffic, the group — like a growing number of other threat actors — has made it much harder for organizations to stop them using typical antimalware and theft detection tools.

Beyond Cyber Espionage?
Thrip's main motive continues to be cyber espionage, Thakur says. But in at least a few of its attacks, the group appears to have gained a dangerous level of access to operational systems.

In one attack on a satellite communications provider that Symantec investigated last year, Thrip actors seemed particularly interested in infecting computers that monitored and controlled satellites. In another attack involving a Southeast Asian geospatial imaging and mapping company, Thrip once again went after operational systems. That time, the group attacked systems using for critical application development tasks and those running imaging software and Google Earth Server.

Thakur says Symantec is not sure what exactly the attackers would have been able to do with their access to these systems. "Our visibility stops at attackers being able to get onto machines," he notes.

Data from attacks on at least three other communications firms in Southeast Asia suggested Thrip was primarily targeting the companies themselves and not their customers, Symantec said.

For the moment, at least, Thrip appears solely focused on organizations in Southeast Asia. But there's no telling when that might change. "While we don't have any evidence of US targeting in the past year of Thrip's activity, this can change at any moment," Thakur warns. "We always urge peers within targeted verticals to take note of ongoing attacks and bolster their own defenses in the event the attackers change targeting."  

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Phishers' Latest Tricks for Reeling in New Victims."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.