Posted on April 8, 2020 at 10:35 AM
Chinese Hacking Crew Exploited Linux Servers for Many Years
According to reports from security researchers at Blackberry, a hacking campaign against vulnerable open-source servers has been going on for almost ten years. The hackers operated successfully throughout that period until they were discovered recently.
The campaign is linked to China
The researchers said the hackers are likely from China, and that they have been exploiting Linux server vulnerabilities without being noticed for several years.
They said the hacking syndicates, which are sponsored by the Chinese government, are carrying out cyber espionage against different industries in different countries. The purpose is data collection and intellectual property theft.
Groups exploiting vulnerabilities since 2012
Although the group's broader campaign spans multiple platforms, the researchers recently uncovered a part of the group that has been exploiting Linux vulnerabilities since 2012. Since then, the attackers have not updated their operational methods, the researchers report.
Blackberry’s chief product architect, Eric Cornelius, said although the attack was recently discovered, this hacking syndicate has been operational for many years. According to him, “A lot of these tool-sets go back to 2012 and 2013 which is a ridiculous amount of time for an adversary.”
Hackers took advantage of weak security checks
A rational explanation for why this went under the radar for so many years is that security firms do not concentrate much on Linux, since it is not a user-friendly platform.
As a result, the hackers took advantage of the resulting security gap to steal intellectual property from several servers for many years.
Cornelius said that because servers must be up and running at all times, the attackers decided it was best to use a pervasive tool on a machine that is always switched on.
The Blackberry researchers reiterated that the attacking syndicates scanned for Red Hat Enterprise, Ubuntu and CentOS environments across different industries, and attempted to identify vulnerable servers. Afterward, they decided to set up persistence on the servers using malware.
Apart from gaining access to sensitive data and information, the attackers were able to infect the servers themselves. They also created a backdoor on the servers, allowing them to attack freely whenever they wished, for as long as no one discovered the vulnerability.
And once the servers are compromised, it becomes easier to move data out, because transfers to and from the command-and-control servers look like ordinary web traffic, according to the Blackberry researchers.
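The point above, that command-and-control traffic hides among ordinary web requests, is exactly why defenders look at the timing of outbound connections rather than only at their content. The script below is an added example written for this article, not code from Blackberry or from the report it describes. It assumes a simplified, constructed proxy-log format (timestamp, client IP, method, destination host, bytes sent) and flags any client/destination pair whose requests recur at near-constant intervals, which is how a scheduled beacon looks next to a human browsing the same sites.

```python
"""Flag hosts that contact a destination at suspiciously regular intervals.

Added example; not part of the Blackberry report or the article. The log
format below is a constructed, simplified web-proxy format:
    <ISO-8601 timestamp> <client_ip> <method> <destination_host> <bytes_out>
Real proxies (Squid, Zscaler, ...) differ; adapt parse_log() accordingly.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: client 10.0.0.5 beacons to a lookalike CDN host every
# ~300 seconds; client 10.0.0.7 browses normally with irregular timing.
SAMPLE_LOG = """\
2020-04-01T09:00:00 10.0.0.5 POST cdn-update.example.net 512
2020-04-01T09:00:04 10.0.0.7 GET news.example.com 88421
2020-04-01T09:02:10 10.0.0.7 GET news.example.com 1200
2020-04-01T09:05:01 10.0.0.5 POST cdn-update.example.net 520
2020-04-01T09:07:30 10.0.0.7 GET news.example.com 2200
2020-04-01T09:10:00 10.0.0.5 POST cdn-update.example.net 508
2020-04-01T09:11:12 10.0.0.7 GET mail.example.org 15000
2020-04-01T09:15:02 10.0.0.5 POST cdn-update.example.net 515
2020-04-01T09:19:48 10.0.0.7 GET news.example.com 310
2020-04-01T09:20:00 10.0.0.5 POST cdn-update.example.net 511
2020-04-01T09:25:01 10.0.0.5 POST cdn-update.example.net 517
2020-04-01T09:31:05 10.0.0.7 GET news.example.com 4100
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, client, host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, bytes_out = line.split()
        events.append((datetime.fromisoformat(ts), client, host, int(bytes_out)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Return {(client, host): (hits, mean_interval_s, jitter)} for pairs whose
    request timing is regular enough to look like a scheduled beacon.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: a person browsing produces a high value, a timer a
    low one. min_hits avoids flagging pairs with too few samples to judge.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _bytes_out in events:
        by_pair[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged[pair] = (len(stamps), round(avg, 1), round(jitter, 3))
    return flagged


if __name__ == "__main__":
    for (client, host), (hits, avg, jitter) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {hits} hits, every ~{avg}s, jitter {jitter}")
```

On the constructed sample only the 10.0.0.5 to cdn-update.example.net pair is flagged (six hits about 300 seconds apart, jitter around 0.005); the 10.0.0.7 browsing to news.example.com has five hits but a jitter above 0.5 and is left alone. Real beacons often add deliberate jitter, so in production the threshold is tuned against a baseline of known-good hosts, and a hit is a lead for the analyst, not a verdict.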
Attackers were being careful to avoid detection
These attackers did not try to force their way into the servers; instead, they penetrated the systems gently and step by step to avoid detection by any security firm. That is why they were able to keep the campaign operational for this long.
If they had been ransoming or encrypting these machines, they would have been caught and a response would have followed. However, since there was no damage to the systems and servers, the attackers avoided raising any suspicion.
According to Cornelius, this act shows that they were prepared with sophisticated tools to keep operating for many years.
How researchers discovered the breach
Even when bad actors are very careful to cover their tracks, they can leave behind clues that give them away. Throughout their operations over the years, these hackers left little that could get them caught, but the little they did leave behind was enough for the Blackberry researchers.
Blackberry said these hackers got a bit sloppy while using their tools, leaving a gap that allowed the researchers to detect them. The lapse in operational security allowed Blackberry to correlate the attackers with the operation.
Blackberry's research linked the hacking campaign to Winnti, a Chinese hacking syndicate that operates across different groups. The syndicate makes use of civilian contractors for government-backed hacking operations.
Avoiding falling victim
Cornelius said it is likely that the hackers are still operational. The best way to stay protected is to make sure operating systems and servers are kept updated, so that attackers cannot take advantage of old vulnerabilities. He said users need to secure protection on multiple fronts, including Macs, Linux, mobile, and Windows, if they want to avoid becoming victims of cyberattacks.