Advisory on Increased Traffic from Chinese Hackers

Chinese hacker groups and APT groups adhere to phishing, spear-phishing attack vectors against Indian companies, to carry out large volumes of scanning.

Share this Intel:

It has been corroborated that there is a large volume of scanning being carried out by Chinese hacker groups, likely acting at the behest of Chinese APT groups in tandem with entities of the Lazarus Group.

 

Targets

Specific companies are likely being targeted due to the following reasons:

  • They are currently using hardware or software with known vulnerabilities which can be exploited.
  • They are using Chinese equipment/ components which have backdoors, or hacker groups/ APTs have been able to maintain persistence on them.
  • These companies represent an Indian identity. 

 

Attack Vectors

DDOS attacks are less likely due to DDOS scrubbers integrated at ISPs. So, Phishing or Spear Phishing seems to be a more probable attack vector.

 

Preventive Measures

In light of the above, companies are advised to:

  • Carry out fresh Vulnerability Assessment/Penetration Testing (VA/PT) of their infrastructure.
  • Negate vulnerabilities/ backdoors present in their infrastructure. CISOs are advised to carry out an audit of equipment/ components used against known vulnerabilities and patch/ find remediation.
  • Monitor network traffic for flags such as unknown IPs, increased traffic, unauthorized access etc. 
  • Use updated anti-virus and ensure your current vendor has coverage for these hashes.
  • Check the IP category in their Firewall for blocking the suspicious IPs (Complete list).
  • Check the Domains category in Proxy, to ensure the suspicious domains (Complete list) are categorized as malicious.
  • Search for existing signs of the IOCs (Complete list) in their environment and email systems.
  • Perform China Geo-based blocking if there is no business with China.
  • Monitor the emails that are received from IDs similar to: “[email protected]*
  • Facilitate immediate education/ re-education for all staff to protect against phishing/ spear-phishing attacks. 
  • Warn employees against:
    • Opening or clicking on attachments in unsolicited emails, SMS or messages through Social Media. 
    • Opening attachments, even if the sender appears to be known
    • Unfamiliar e-mail addresses and emails and websites that contain spelling and grammatical errors. 
    • Submitting personal financial details on unfamiliar or unknown websites / links. 
    • E-mails or links providing special offers like COVID-19 testing, financial aid, prizes, rewards, cashback offers, etc. 
    • Providing login credentials or clicking a link without checking the integrity of URLs. 
  • Instruct employees to use:
    • Safe Browsing tools
    • Filtering tools (antivirus and content-based filtering) in antivirus, firewall, and filtering services. 
    • Update spam filters with latest spam mail contents. 
    • Leverage Pretty Good Privacy in mail communications. 
    • Encrypt/ protect sensitive documents stored in the internet facing machines to avoid potential leakage. 
  • Immediately report any unusual activity or attack to [email protected], along with the relevant logs and email headers, for the analysis of the attacks, and take further appropriate actions. 

 

Indicator of Compromise (IoC) to be on the lookout for

IP Addresses

The following IP ranges have been suspected of targeting Indian infrastructure and need to be blocked on respective firewalls. In case the IP range is in use or likely to cause business disruption, constant Network Traffic Analysis (NTA) should be carried out to detect, flag, and obviate suspicious activity.

49.85.84.0/24 61.111.20.129/32 62.217.245.69/32
109.166.202.229/32 172.217.37.3/32 177.8.217.2/32
18.231.105.181/32 183.192.201.12/32 187.93.134.179/32
191.5.217.90/32 200.7.120.241/32 61.220.8.0/22
162.158.0.0/16 162.158.128.0/17 172.0.0.0/8
180.122.83.0/24 47.110.46.0/24 61.191.84.0/24
139.219.10.0/24 103.45.251.0/24 123.207.98.0/24
222.133.169.0/24 222.133.164.0/24 117.158.65.0/24
60.31.213.0/24 117.65.81.0/24 114.233.8.0/24
183.196.97.0/24 47.240.73.77 114.67.110.37

 

Hashes

Hash
Algorithm
File Type
db89750a7fab01f50b1eefaf83a00060 MD-5 DOC
bd665cd2c7468002f863558dbe110467 MD-5 N/A
d8aa162bc3e178558c8829df189bff88 MD-5 N/A
9c2ee383d235a702c5ad70b1444efb4d MD-5 EXE
6208516f759accb98f967ff1369c2f72 MD-5 N/A
9632bec3bf5caa71d091f08d6701d5d8 MD-5 N/A
a7662d43bb06f31d2152c4f0af039b6e MD-5 N/A
5cd9b0858b48d87b9622da8170ce8e5d MD-5 DOCX

 

E-mail IDs

E-mail ID
IP Addresses
[email protected] 47.240.73.77
114.67.110.37

 

Domains

userimage8.360doc[.]com
image91.360doc[.]com
welcome.toutiao[.]com

Be informed about these Threats in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about these threats first in your inbox.