It has been corroborated that there is a large volume of scanning being carried out by Chinese hacker groups, likely acting at the behest of Chinese APT groups in tandem with entities of the Lazarus Group.
TargetsSpecific companies are likely being targeted due to the following reasons:
- They are currently using hardware or software with known vulnerabilities which can be exploited.
- They are using Chinese equipment/ components which have backdoors, or hacker groups/ APTs have been able to maintain persistence on them.
- These companies represent an Indian identity.
Attack VectorsDDOS attacks are less likely due to DDOS scrubbers integrated at ISPs. So, Phishing or Spear Phishing seems to be a more probable attack vector.
Preventive MeasuresIn light of the above, companies are advised to:
- Carry out fresh Vulnerability Assessment/Penetration Testing (VA/PT) of their infrastructure.
- Negate vulnerabilities/ backdoors present in their infrastructure. CISOs are advised to carry out an audit of equipment/ components used against known vulnerabilities and patch/ find remediation.
- Monitor network traffic for flags such as unknown IPs, increased traffic, unauthorized access etc.
- Use updated anti-virus and ensure your current vendor has coverage for these hashes.
- Check the IP category in their Firewall for blocking the suspicious IPs (Complete list).
- Check the Domains category in Proxy, to ensure the suspicious domains (Complete list) are categorized as malicious.
- Search for existing signs of the IOCs (Complete list) in their environment and email systems.
- Perform China Geo-based blocking if there is no business with China.
- Monitor the emails that are received from IDs similar to: "email@example.com*
- Facilitate immediate education/ re-education for all staff to protect against phishing/ spear-phishing attacks.
- Warn employees against:
- Opening or clicking on attachments in unsolicited emails, SMS or messages through Social Media.
- Opening attachments, even if the sender appears to be known
- Unfamiliar e-mail addresses and emails and websites that contain spelling and grammatical errors.
- Submitting personal financial details on unfamiliar or unknown websites / links.
- E-mails or links providing special offers like COVID-19 testing, financial aid, prizes, rewards, cashback offers, etc.
- Providing login credentials or clicking a link without checking the integrity of URLs.
- Instruct employees to use:
- Safe Browsing tools
- Filtering tools (antivirus and content-based filtering) in antivirus, firewall, and filtering services.
- Update spam filters with latest spam mail contents.
- Leverage Pretty Good Privacy in mail communications.
- Encrypt/ protect sensitive documents stored in the internet facing machines to avoid potential leakage.
- Immediately report any unusual activity or attack to firstname.lastname@example.org, along with the relevant logs and email headers, for the analysis of the attacks, and take further appropriate actions.
Indicator of Compromise (IoC) to be on the lookout for
IP AddressesThe following IP ranges have been suspected of targeting Indian infrastructure and need to be blocked on respective firewalls. In case the IP range is in use or likely to cause business disruption, constant Network Traffic Analysis (NTA) should be carried out to detect, flag, and obviate suspicious activity.