CCleaner compromised
10/4/2023

A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands, or millions, of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree and becoming more advanced and stealthy as they go.

Over the past three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. They're known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: seed out infections to a massive collection of victims, then sort through them to find espionage targets.

The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.

Kaspersky first spotted the Barium hackers' supply chain attacks in action in July of 2017, when Kamluk says a partner organization asked its researchers to help get to the bottom of strange activity on its network. Some sort of malware that didn't trigger antivirus alerts was beaconing out to a remote server and hiding its communications in the Domain Name System protocol. When Kaspersky investigated, it found that the source of those communications was a backdoored version of NetSarang, a popular enterprise remote management tool distributed by a Korean firm. More puzzling was that the malicious version of NetSarang's product bore the company's digital signature, its virtually unforgeable stamp of approval. Kaspersky eventually determined, and NetSarang confirmed, that the attackers had breached NetSarang's network and planted their malicious code in its product before the application was cryptographically signed, like slipping cyanide into a jar of pills before the tamper-proof seal is applied.

Even as they distinguish themselves as one of the most prolific and aggressive hacker groups active today, Barium's exact identity remains a mystery. But researchers note that its hackers seem to speak Chinese, likely live in mainland China, and that the majority of their targets seem to be organizations in Asian countries like Korea, Taiwan, and Japan. Kaspersky has found Simplified Chinese artifacts in its code, and in one case the group used Google Docs as a command-and-control mechanism, letting slip a clue: the document used a resume template as a placeholder (perhaps in a bid to appear legitimate and prevent Google from deleting it), and that form was written in Chinese with a default phone number that included a country code of +86, indicating mainland China. More tellingly, clues in Barium's code also connect it to previously known, likely Chinese hacker groups. In its most recent video game supply chain attacks, the hackers' backdoor was designed to activate and reach out to a command-and-control server only if the victim computer wasn't configured to use Simplified Chinese language settings, or, more strangely, Russian.
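The NetSarang backdoor was noticed because it beaconed to its operators inside DNS traffic, which most perimeter controls pass through without inspection. The script below is an added example written for this page, not Kaspersky's detection logic and not a model of the real backdoor's protocol: it runs a few tunnelling heuristics over resolver query logs. The log format, the client address, every domain name, the thresholds, and the naive "last two labels" split for the registered domain are all assumptions; the log lines are constructed sample data.

```python
"""Triage resolver query logs for DNS-tunnelled beaconing (added example)."""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <qtype>".
# One host emits long, high-entropy, never-repeating labels to c2-example.net on a
# fixed 5-second timer, mixed with ordinary lookups and a chatty but benign CDN.
SAMPLE_LOG = """\
2017-07-12T09:00:01Z 10.1.4.22 www.example.com A
2017-07-12T09:00:02Z 10.1.4.22 update.example-vendor.net A
2017-07-12T09:00:03Z 10.1.4.22 e3f1a9c07b2d4e8f.g8h2.up.c2-example.net TXT
2017-07-12T09:00:04Z 10.1.4.22 img1.example-cdn.net A
2017-07-12T09:00:05Z 10.1.4.22 img2.example-cdn.net A
2017-07-12T09:00:06Z 10.1.4.22 img3.example-cdn.net A
2017-07-12T09:00:07Z 10.1.4.22 img4.example-cdn.net A
2017-07-12T09:00:08Z 10.1.4.22 9b02c7d1e5f6a3b4.g8h2.up.c2-example.net TXT
2017-07-12T09:00:09Z 10.1.4.22 img5.example-cdn.net A
2017-07-12T09:00:13Z 10.1.4.22 4d7e8f9a0b1c2d3e.g8h2.up.c2-example.net TXT
2017-07-12T09:00:18Z 10.1.4.22 a1b2c3d4e5f60718.g8h2.up.c2-example.net TXT
2017-07-12T09:00:23Z 10.1.4.22 f0e1d2c3b4a59687.g8h2.up.c2-example.net TXT
2017-07-12T09:00:28Z 10.1.4.22 7a8b9c0d1e2f3041.g8h2.up.c2-example.net TXT
2017-07-12T09:00:30Z 10.1.4.22 mail.example.com MX
2017-07-12T09:00:31Z 10.1.4.22 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near 4, hostnames like 'www' near 0."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (registered domain, leftmost label).

    Assumption: the registered domain is the last two labels. Real tooling
    should consult the Public Suffix List (co.uk, com.tw, ...)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), labels[0]


def parse_log(text: str):
    """Yield (timestamp, client, qname, qtype) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname, qtype


def summarize(text: str) -> dict:
    """Per (client, domain) statistics that separate tunnels from ordinary lookups."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in parse_log(text):
        domain, label = split_qname(qname)
        groups[(client, domain)].append((ts, label, qtype))
    summary = {}
    for key, rows in groups.items():
        labels = [lbl for _, lbl, _ in rows]
        times = sorted(t for t, _, _ in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "queries": len(rows),
            # Each tunnel query carries fresh payload, so names almost never repeat.
            "unique_ratio": len(set(labels)) / len(rows),
            "mean_label_len": statistics.fmean([len(l) for l in labels]),
            "mean_entropy": statistics.fmean([shannon_entropy(l) for l in labels]),
            "txt_fraction": sum(q == "TXT" for _, _, q in rows) / len(rows),
            # Coefficient of variation of inter-query gaps: ~0 means a fixed timer.
            "gap_cv": (statistics.pstdev(gaps) / statistics.fmean(gaps))
                      if len(gaps) >= 2 and statistics.fmean(gaps) > 0 else None,
        }
    return summary


def flag_tunnels(text: str, min_queries=5, min_unique_ratio=0.8,
                 min_label_len=12, min_entropy=3.0) -> list:
    """Return sorted [(client, domain)] whose query pattern looks like data smuggling.

    All four gates must hold. A busy CDN with many short hostnames fails the
    length and entropy gates; a single odd lookup fails the count gate."""
    return sorted(key for key, s in summarize(text).items()
                  if s["queries"] >= min_queries
                  and s["unique_ratio"] >= min_unique_ratio
                  and s["mean_label_len"] >= min_label_len
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, {k: round(v, 2) if isinstance(v, float) else v for k, v in s.items()})
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

The timer regularity (`gap_cv`) and the TXT fraction are reported but deliberately not used as gates: a backdoor can jitter its beacon interval and use A or AAAA records, while label length, entropy and non-repetition are hard to avoid when the channel has to carry data. On real resolver logs, tune the thresholds per environment and whitelist known high-cardinality domains (CDNs, telemetry, anti-spam lookups) before alerting.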