Hunting botnets and Chinese hackers targeting finance

NTT Security has released its latest monthly update from its Global Threat Intelligence Center (GTIC). The report looks at ways to hunt botnets and the targeting of financial institutions by Chinese threat actors. It also gives an update on the partnership with the Cyber Threat Alliance as well as attacks on Joomla and Oracle products.

CMS attacks on the rise

The attack against Joomla has been ongoing since early this year. It centres on a SQL vulnerability in J2Store, a shopping cart and eCommerce extension for Joomla. What is interesting is that the attacks do not appear to be targeting user data. Instead, NTT Security sees them as reconnaissance attacks against Joomla installations.

This is typical of a pre-attack scenario and one that is often misunderstood. IT security teams often pay too little attention to reconnaissance attacks. When they stop, the feeling is often one of relief. However, that is a mistake as Rob Kraus, Sr Director of Operations for NTT Security’s GTIC team told us.

Rob Kraus, Sr. Director, Global Threat Intelligence Center Operations, NTT Security

In a podcast looking at the 2019 GTIC report, Kraus said that reconnaissance is often overlooked as just noise. He went on to warn that the absence of reconnaissance should set off warning bells. It often means an attack is imminent rather than attackers have lost interest.
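Kraus's point is that a sudden quiet after sustained scanning is itself a signal. The following detector, added here as an illustration and not part of the GTIC report, runs over constructed daily counts of reconnaissance-style requests (whatever filter a team uses to tag probes against a site) and raises one signal when scanning becomes sustained and a second when it stops abruptly; the window and thresholds are assumed values.

```python
from collections import deque
from statistics import mean

# Constructed sample: daily counts of recon-style requests against one site.
# Values are invented for illustration; they are not NTT data.
DAILY_RECON_HITS = [3, 2, 4, 40, 55, 61, 48, 70, 66, 52, 1, 0, 0]


def recon_signals(counts, window=3, recon_threshold=30, drop_ratio=0.1):
    """Return (day_index, signal) tuples for a daily series of recon counts.

    'recon'  : the trailing window average reaches recon_threshold, i.e.
               scanning has become sustained rather than background noise.
    'silence': while in a recon phase, today's count falls to at most
               drop_ratio of the previous window average, i.e. the scanning
               stopped abruptly. This is the case that should not be read as
               relief: it may mean the attacker has what they needed.
    Window size and thresholds are assumed tuning values.
    """
    signals = []
    recent = deque(maxlen=window)
    in_recon = False
    for day, count in enumerate(counts):
        prev_baseline = mean(recent) if len(recent) == window else None
        recent.append(count)
        if len(recent) < window:
            continue  # not enough history yet
        current = mean(recent)
        if not in_recon and current >= recon_threshold:
            in_recon = True
            signals.append((day, "recon"))
        elif in_recon and prev_baseline is not None and count <= prev_baseline * drop_ratio:
            in_recon = False
            signals.append((day, "silence"))
            recent.clear()  # restart the baseline so stale high values do not re-trigger
    return signals


if __name__ == "__main__":
    for day, signal in recon_signals(DAILY_RECON_HITS):
        print(f"day {day}: {signal}")
```

With the sample series the detector reports sustained recon on day 4 and silence on day 10; the silence event is the one worth routing to an analyst rather than closing.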

The August GTIC report also calls out an increase in attacks against Drupal during August. 46% of those attacks are down to two recently announced vulnerabilities.

These two warnings sit against a background of increased attacks against WordPress. In all three cases, the attackers are looking to get some form of control over websites. This allows them to install malicious code that attacks visitors to the site.

Tracking and detecting botnets

One of the big challenges for security teams is to identify and assist in the takedown of botnets. There have been a number of high profile successes against botnets over the last year. The most recent of these saw the French C3N Cyber Police disinfect over 850,000 computers that were enrolled in the Retadup botnet.

Kenji Takahashi, VP of Innovation at NTT Security

Kenji Takahashi, VP Innovation, NTT Limited, details how NTT has developed a method to detect and cluster bots. Analysts can use that data: “as basis for further analysis and validation of the entire botnet structure.” In his research, Takahashi shows how NTT Security was able to detect 295 bot clusters from just 408,118 IP addresses. NTT was also able to detect what the bots were configured to do.

By being able to quickly identify potential C&C servers and the associated infrastructure, NTT Security is looking to improve defensive responses. With Gartner and other analysts reporting that the number of Internet devices continues to soar, this is a key battleground for security teams.

Botnet owners delivering resilient infrastructure

Tracking botnet structures is not easy. Recent takedowns have seen botnet owners create resilient infrastructure using multiple C&C servers in different countries. We asked if the use of multiple C&C servers was increasing.

Jon Heimerl, Sr Manager, Threat Intelligence Communication Team at NTT Security

Jon Heimerl, Sr Manager, Threat Intelligence Communication Team at NTT Security told us: “Adding a few more servers probably means many more bots – at least greater capacity to support many more bots. The ratio is different by bot and even by server, but it is always a many-to-one ratio. In most cases, a C&C server would run a single type of botnet, but not every C&C server does.”

When it comes to resilience, there have been reports of cybercriminals using the Dark Web to hide their C&C servers. This raises questions as to how effective Takahashi’s botnet tracking would be. Heimerl commented: “Hiding the C&C server on the darkweb can make it harder to complete a takedown. Anything which obscures the end IP address of the C&C server makes it more difficult, whether that is hiding behind a TOR node or hiding behind a VPN.

“The most effective takedown methods involve redirecting traffic for the server (blackholing) or contacting the hosting site to take down the server. If you can’t identify the host, you would not know who to block; if you can’t find the host, you don’t know who to contact. So, yes, hiding the C&C server on the darkweb, or otherwise obscuring their actual virtual location, does make it more difficult to conduct an effective takedown.”

With access to 40% of the global internet traffic via NTT Communications, it will be interesting to see how the approach Takahashi details can evolve.

Is APT41 running a side hustle?

The GTIC report also looks at a change in behaviour from Chinese state-sponsored hacking team APT41. It has been spotted committing financial crimes in addition to its usual attacks. Danika Blessman, Sr Threat Analyst at NTT commented: “This type of behavior is uncharacteristic of Chinese threat actors – especially those that are state-sponsored – as they likely operate under stringent rules and controls, suggesting that these money-raising endeavors may also be state-sanctioned.”

Danika Blessman, Sr Threat Analyst at NTT

Blessman believes that this shift appears to have been ongoing for some time. It seems that as far back as 2017, APT41 moved away from stealing IP to attacking financial targets. ET asked if this change of behaviour was caused by the trade war between the US and China, although we note that Blessman’s research shows it predates the sanctions war.

According to Heimerl: “Realistically, it is probably very likely that the trade war has helped increase tensions between the US and China. It is also likely that disagreements over islands in the South China Sea have helped increase those tensions. Any escalation in tensions can also lead to an increase in hostile cyberactivity – we have seen these trends for years among many threat actors.

“Do these tensions lead directly to more financial crime by these threat actors? We suspect that effect is corollary to the increased threat – more hacking for nation state intelligence gathering and theft of proprietary information breeds more access to servers, which potentially enables more financial crime.”

Blessman also responded to ET saying: “On a side note, I don’t think that China really needs any type of financial gain, specifically especially with the amount of IP they’ve been able to acquire over the last (at least) 20 years.”

What caused the shift?

Given the rarity of this type of focus shift, ET asked if it was possible that APT41 was really a North Korean group. After all, they have a long history of attacking financial targets and Chinese sponsored groups have provided them with tools and help.

Heimerl says not. He responded: “It is probably unlikely that APT41 has been misclassified. It is more likely that APT41 is taking advantage of their access and doing more financial crime as a direct extension of that access – kind of like a ‘hey, while we are here, let’s do this…’ – taking advantage of capabilities they have already proven.”

If China is allowing its state-sponsored threat actors to target finance, ET wondered how much more dangerous this makes them compared to North Korea and Iran. After all, both of these are already heavily involved in financial attacks, as are a number of Russia-backed groups.

Heimerl said: “We expect that the response to more tension is more cyberactivity and that the financial crime aspect gets dragged along more than it does dedicated focus. A rise in financial crime from APT41 means all targeted organizations are facing a greater threat of financial crime.

“Does that mean in greater danger than they would be from North Korea or Iran? That is difficult to answer – APT41 is an advanced attacker with a proven high level of skill and persistence – the bottom line is that if your organization is in their sights, you are in greater danger.”

Blessman agrees with this assessment saying: “Definitely agree on the ‘are they more dangerous than X country’ – that is a big ole ‘it depends’ – depends on geopolitical factors, targeting, an org’s security measures, etc. From a capability perspective, perhaps, but the others are catching up.”

Enterprise Times: What does this mean?

Cooperation between security companies and industry bodies is delivering significant benefits in the fight against cybercriminals. Country after country is introducing its own cyber force for good and for bad. This raises the stakes considerably in terms of the types of attacks.

Law enforcement is likely to be heavily reliant on private companies going forward. The question is how much intelligence will governments share to help detect attacks. As our coverage of Zerodium from yesterday shows, the lines of share and use are very blurry.

We are also unlikely to see any slowdown in attacks against CMS. This puts incredible pressure on administrators who are often not security professionals. It will be interesting to see how the current attacks develop.

The work that NTT Security has done on detecting botnets also plays into the research of state-sponsored threat actors. Will we see states look to create and protect botnets? As the military build-up of cyber warfare continues, this is a very real possibility.

In finance, we need to watch how groups such as APT41 evolve. Is this a one-off or will China take the brakes off other teams? If those teams successfully target US, UK or other countries finance infrastructure, will we see retaliation?
