Operation CuckooBees uncovered the state-sponsored group's sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.

China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.

That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.

In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.

The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's "Made in China 2025" modernization initiative.

"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."

Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says

“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”

**Winnti Stung by CuckooBees**  
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.

Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.

The researchers dubbed the investigation "Operation CuckooBees," because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.

"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.

**New Tools, Rare Abuse of Windows CLFS Mechanism**  
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools — or new versions of its old malware — and sophisticated new techniques for payload delivery and evasion.

The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.

One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.

"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn’t look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.

"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.

Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.

**The Evolving Winnti Attack Chain**  
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.

"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.

Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.

"If for some reason, one component is missing or gets detected – the entire thing would fall apart," Dahan says.

The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.

"The ‘house of cards’ approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."

China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack

Microsoft's stand-alone version of Defender for SMBs promises to help SecOps teams automate detection, response, and recovery.

Microsoft has released a stand-alone version of Defender for Business for small-to-midsize businesses (SMBs), which the company says will provide endpoint security on par with that of a large enterprise. 

A Microsoft survey found that 70% of SMBs are worried about the business risk that cybersecurity poses, and while 80% of SMBs said they have antivirus protection, 93%  still have concerns about cybersecurity threats. 

Microsoft said Defender for Business can help automate the protection, detection, and response tasks that can bog down SecOps 

"Automated investigation and remediation are a huge part of the product," Adam Atwell, cloud solutions architect at consulting firm Kite Technology Group, said in a statement. "It's just happening in the background. Defender for Business makes our security so simple."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Releases Defender for SMBs

In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. It sends a large amount of data through ajaxmsg to carry out DOS attack.

CVE-2022-28940: 0day/新华三magicR100存在DOS攻击漏洞分析.md at main · zhefox/0day

In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.

**12 years of experience**

On the eCommerce market

**60,000+ live shops**

From SMB to Enterprise  
10,000+ new stores every year

**150+ partners**

From 40+ countries

**1,500+ integrations**

Plugins, themes, language packs

**250,000+ members**

Community worldwide

**3,000,000+ downloads**

And the number is still growing

**For every size and type of business**

**Small and medium business**

Quickly launch and scale your online store with rich built-in functionality: integration with payment and shipment services; warehouse managing; marketing and SEO tools; and mobile-friendly stores.

**Enterprise business**

Use multi-vendor and multi-store functionality (B2B and B2C). Get the maximum advantage of enterprise-grade performance. Easy integration and limitless customization opportunities.

**Global business**

A flexible system to fit your demands: GDPR; multi-currencies and multi-languages; regional taxes and laws support; management of multiple international stores; integration with local services and suppliers.

**Why nopCommerce**

**Absolutely free**

No transaction fee.  
No monthly fees.  
No hidden fees.

**PCI DSS compliant**

Meet all security requirements for all kinds of businesses

**Unlimited customization**

You’re not limited by our built-in functionality because we’re open-source

**Great Support**

Our team and our community is always here to help you

**Testimonials**

If you are a .NET developer looking for an eCommerce platform you should consider nopCommerce. It is both a great extensible eCommerce platform and supports the latest versions of .NET

Scott Hunter,  
Director of Program Management for the .NET Platform at Microsoft (USA)

nopCommerce is a fantastic open-source, stable, and super extensible eCommerce platform based on cross-platform .NET Core! It's perfect for any size business.

Scott Hanselman,  
Principal Community Architect, Microsoft (USA)

Besides having a rich out-of-the-box functionality, the platform is also flexible in terms of additional customization and gives an opportunity to integrate with different corporate systems, which made it a perfect fit for us.

Boris Kulaev,  
Head of eCommerce Harman RUS CIS

Read case study

With nopCommerce we are able to create the optimal eCommerce system according to our customer’s needs. The modern and sophisticated backend of nopCommerce allows fast and simple configuration of the shop.

José Lopez,  
CEO of JMC Software AG (Switzerland)

Play case study

We like nopCommerce because it’s a platform with a very well-structured architecture that enables its modification greatly since it’s open-source. nopCommerce can be easily adapted to cover the needs of every one of our customers.

Eduardo Adame,  
General Director of Tecnofin (Mexico)

Play case study

As a platform, nopCommerce supports us very well because the architecture is very good. We needed a secure, Microsoft-compatible solution for a customer that was multi-store capable and nopCommerce fitted this description best.

Tobias Derucki,  
Managing Partner at Innovapps (Germany)

View the testimonial

I would recommend nopCommerce because it has an easy-to-use interface and you don’t have to be an IT-master to use it. You can be a marketing professional, create the content, manage the pricing and categories, and do it very easy.

Dana Koman,  
Marketing Manager of TACO Metals (USA)

View the testimonial

**Our clients**

*   
*   
*   
*   
*   
*   
*   
*   

**Integrated with all services**

**Create a successful store with nopCommerce!**

CVE-2022-27461: Free and open-source eCommerce platform. ASP.NET based shopping cart.

An incorrect access control issue in Sandboxie Classic v5.55.13 allows attackers to cause a Denial of Service (DoS) in the Sandbox via a crafted executable.

**What happened?**

The details of this bug have been sent to @DavidXanatos by email on March 21. This issue only serves to track the fixing (that is, if this is confirmed to be a real bug) progress publicly.

In short, I've found a bug in Sandboxie that presumably lets an attacker break out of the sandbox. This has yet to be confirmed by the developers, though.

**To Reproduce**

Described in the email.

**Expected behavior**

Sandboxed programs should not be allowed to escape.

**What is your Windows edition and version?**

Windows 10 Home 20H2 (19042.1466) 64-bit

**In which Windows account you have this problem?**

A local or Microsoft account without special changes.

**Please mention any installed security software**

Built-in realtime protection in Windows 10

**What version of Sandboxie are you running?**

Sandboxie Classic v5.55.13 64-bit

**Is it a regression?**

_No response_

**List of affected browsers**

_No response_

**In which sandbox type you have this problem?**

I only reproduced it with Sandboxie Classic.

**Is the sandboxed program also installed outside the sandbox?**

No, it is not installed in the real system.

**Can you reproduce this problem on an empty sandbox?**

I can confirm it also on an empty sandbox.

**Did you previously enable some security policy settings outside Sandboxie?**

_No response_

**Crash dump**

_No response_

**Trace log**

_No response_

**Sandboxie.ini configuration**

_No response_

**Sandboxie-Plus.ini configuration (for Plus interface issues)**

_No response_

CVE-2022-28067: Sandbox breakout bug (details omitted) · Issue #1714 · sandboxie-plus/Sandboxie

Also adds support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage.

WALTHAM, Mass. , May 4, 2022 /PRNewswire/ -- Uptycs, provider of the first cloud-native security analytics platform enabling cloud and endpoint security from a common solution, announced today new cloud infrastructure entitlement management (CIEM) capabilities that strengthen its cloud security posture management (CSPM) offering. In addition, Uptycs announced CSPM support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage. These new capabilities provide Security and Governance, Risk, and Compliance teams with continuous monitoring of cloud services, identities, and entitlements so they can better reduce their cloud risk.

"Disparate cloud security solutions only deliver pieces of the picture, leaving Security teams unaware of new risks in a fast-changing cloud environment," says Ganesh Pai, CEO and co-founder of Uptycs. "As organizations scale out their cloud footprints—including across multiple public cloud providers—they need new types of security controls, especially in the realm of cloud identity and entitlement. Uptycs provides a unified platform for CSPM and CWPP that gives Security teams a holistic and fully integrated platform for securing their cloud resources, workloads, and infrastructure."

As they add cloud accounts, resources, and infrastructure, the number of user and machine identities grows exponentially. The majority of these identities have more access than they need to do their jobs, posing a serious risk if an attacker is able to steal credentials. According to Gartner, more than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted.1 In addition, Gartner estimates that "by 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020."2

With new cloud identity and entitlement analytics capabilities in Uptycs, Security and Governance teams can solve these challenges:

*   **Monitor least privilege -** Continuously monitoring cloud infrastructure to spot identity misconfiguration and permissions gaps so they can move toward least-privilege access, minimizing the damage that can be caused by privilege escalation.
*   **Measure identity risk and governance posture -** Measuring the overall identity risk posture for cloud accounts based on factors such as root account configuration, credentials rotation, possibility of privilege escalation, and credential exposure.
*   **Harden cloud IAM policies -** Continuously analyzing cloud IAM policies and creating risk profiles so that teams can prioritize their efforts on tuning the most risky policies.
*   **Map identities and relationships -** Visually map relationships across accounts, rank connections based on riskiness, and show the impact a user can have on an asset or critical service.
*   **Detect and investigate identity misuse -** Show top cloud IAM principals and services denied based on specific time windows, enabling users to drill down into trends for a specific user/service and spot any anomalies from the regions based on historical data.

The cloud identity and entitlement analytics capabilities are generally available today for AWS as an add-on for the Uptycs CSPM offering. Uptycs' broader CSPM support for GCP and Azure (inventory, audit, compliance, and threat detection) is generally available.

1 Gartner, "Managing Privileged Access in Cloud Infrastructure," Paul Mezzera, December 7, 2021

2 Gartner, "Innovation Insight for Cloud Infrastructure Entitlement Management, Henrique Teixeira, Michael Kelley, Abhyuday Data, June 15, 2021

**About Uptycs  
**Uptycs provides the first cloud-native security analytics platform that enables endpoint and cloud security from a single platform. The solution provides a unique telemetry-powered approach to address multiple use cases—including Extended Detection & Response (XDR), Cloud Workload Protection (CWPP), and Cloud Security Posture Management (CSPM). Uptycs enables security professionals to quickly prioritize, investigate, and respond to potential threats across a company's entire attack surface. A free trial of Uptycs can be requested at www.uptycs.com/free-trial.

Uptycs Announces New Cloud Identity and Entitlement Management (CIEM) Capabilities

A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted.
"Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open

A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted.

"Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," Google Threat Analysis Group's (TAG) Billy Leonard said in a report.

"Financially motivated and criminal actors are also using current events as a means for targeting users," Leonard added.

One notable threat actor is Curious Gorge, which TAG has attributed to China People's Liberation Army Strategic Support Force (PLA SSF) and has been observed striking government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia.

Attacks aimed at Russia have singled out several governmental entities, such as the Ministry of Foreign Affairs, with additional compromises impacting Russian defense contractors and manufacturers as well as an unnamed logistics company.

The findings follow disclosures that a China-linked government-sponsored threat actor known as Mustang Panda (aka Bronze President) may have been targeting Russian government officials with an updated version of a remote access trojan called PlugX.

Another set of phishing attacks involved APT28 (aka Fancy Bear) hackers targeting Ukrainian users with a .NET malware that's capable of stealing cookies and passwords from Chrome, Edge and Firefox browsers.

Also implicated were Russia-based threat groups, including Turla (aka Venomous Bear) and COLDRIVER (aka Calisto), as well as a Belarusian hacking crew named Ghostwriter in different credential phishing campaigns targeting defense and cybersecurity organizations in the Baltic region and high-risk individuals in Ukraine.

Ghostwriter's latest attacks directed victims to compromised websites, from where the users were sent to an attacker-controlled web page to harvest their credentials.

In an unrelated phishing campaign targeting entities in Eastern European countries, a previously unknown and financially motivated hacking group has been spotted impersonating a Russian agency to deploy a JavaScript backdoor called DarkWatchman onto infected computers.

IBM Security X-Force connected the intrusions to a threat cluster it's tracking under the moniker Hive0117.

"The campaign masquerades as official communications from the Russian Government's Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic and Industrial sectors," the company said.

The findings come as Microsoft divulged that six different Russia-aligned actors launched at least 237 cyberattacks against Ukraine from February 23 to April 8, including 38 discrete destructive attacks that irrevocably destroyed files in hundreds of systems across dozens of organizations in the country.

The geopolitical tensions and the ensuing military invasion of Ukraine have also fueled an escalation in data wiper attacks intended to cripple mission critical processes and destroy forensic evidence.

What's more, the Computer Emergency Response Team of Ukraine (CERT-UA) revealed details of ongoing distributed denial-of-service (DDoS) attacks directed against government and news portals by injecting malicious JavaScript (dubbed "BrownFlood") into the compromised sites.

DDoS attacks have been reported beyond Ukraine as well. Last week, Romania's National Directorate of Cyber ​​Security (DNSC) disclosed that several websites belonging to public and private institutions were "targeted by attackers who aimed to make these online services unavailable."

The attacks, claimed by a pro-Russian collective called Killnet, come in response to Romania's decision to support Ukraine in the military conflict with Russia.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers

Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.

Summary

Broken access control in API for projects using Git VCS (CVE-2022-1502)

Advisory Number

2022-03

Discovery Date

26 APR 2022

Patch Release Date

28 APR 2022

Advisory Release Date

04 MAY 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-1502

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.1.2454 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.

The versions of Octopus Server affected by this vulnerability are:

*   All 2021.3.x versions before 2021.3.12725
*   All 2022.1.x versions before 2022.1.2454

**Fix**

To address this vulnerability, we have released Octopus Server versions:

*   2021.3.12725
*   2022.1.2454

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest versions 2022.1.2454. You can download the latest version of Octopus Server from https://octopus.com/downloads

**Mitigation**

There is no known mitigation for CVE-2022-1502, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found during internal testing at Octopus Deploy.

CVE-2022-1502: Security Advisory 2022-03

Summary

Broken access control in API for projects using Git VCS (CVE-2022-1502)

Advisory Number

2022-03

Discovery Date

26 APR 2022

Patch Release Date

28 APR 2022

Advisory Release Date

04 MAR 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-1502

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.1.2454 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy security levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.

The versions of Octopus Server affected by this vulnerability are:

*   All 2021.3.x versions before 2021.3.12725
*   All 2022.1.x versions before 2022.1.2454

**Fix**

To address this vulnerability, we have released Octopus Server versions:

*   2021.3.12725
*   2022.1.2454

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest versions 2022.1.2454. You can download the latest version of Octopus Server from https://octopus.com/downloads

**Mitigation**

There is no known mitigation for CVE-2022-1502, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team (https://octopus.com/support).

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found during internal testing at Octopus Deploy.

Tag

#microsoft