The world’s biggest technology and software giants, namely Microsoft and Google, are being threatened by a group of cybercriminals who are targeting their cloud services. Operating in Chinese interests, the threat actors are attacking a wide range of organizations with the intent of exfiltrating data.
The security researchers NCC Group and Fox-IT, who investigated the incidents, said that these attackers have a “wide set of interest”, with target data ranging from intellectual property belonging to victims in the semiconductor industry to commuter data from the airline industry.
The actors targeting these giants are referred to as Chimera by CyCraft. The group is not new to the cyber industry; it has been engaged in such intrusions between 2019 and 2020, yet on every such occasion it managed to escape without garnering much attention. “Our threat intelligence analysts noticed a clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests”, added the team of researchers.
The team of researchers briefly explained the attackers’ scheme when targeting such organizations. The actors begin by obtaining usernames and passwords from the victims’ previous data breaches. They then use these credentials in credential stuffing or password spraying attacks against assorted remote services. Once they obtain a valid account, they use it to access the victim’s VPN, Citrix, or another remote service and gain network access. Inside the network, the actors check the compromised account’s permissions and enumerate other accounts with admin privileges. They then run their password spraying attack against the accounts on that list, repeating until another account is compromised. Lastly, they use this account to load a Cobalt Strike beacon into memory, which is later used for remote access and command and control (C2).
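As an added example (not from the NCC Group/Fox-IT report or this article), a minimal Python detector for the password spraying step described above, run over constructed authentication log lines in an assumed `timestamp src_ip user result` format; it flags a source that fails logins for many distinct accounts in a short window and notes any later success from the same source:

```python
"""Password-spray detection over remote-service auth logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format "timestamp src_ip user result" is assumed.
SAMPLE_LOG = """\
2021-01-12T08:00:01 203.0.113.7 alice FAIL
2021-01-12T08:00:03 203.0.113.7 bob FAIL
2021-01-12T08:00:05 203.0.113.7 carol FAIL
2021-01-12T08:00:07 203.0.113.7 dave FAIL
2021-01-12T08:00:09 203.0.113.7 erin FAIL
2021-01-12T08:00:11 203.0.113.7 frank FAIL
2021-01-12T08:01:00 203.0.113.7 carol SUCCESS
2021-01-12T08:05:00 198.51.100.9 alice FAIL
2021-01-12T08:05:30 198.51.100.9 alice SUCCESS
"""

def parse(log: str):
    """Parse log lines into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: {"accounts": set, "later_success": [users]}} for sources
    whose failed logins cover at least min_accounts distinct accounts within window.
    A single account failing repeatedly (brute force) is deliberately not flagged."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, result in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                # A success after the spray suggests a valid account was found.
                later = sorted({u for t, u in successes[src] if t >= start})
                alerts[src] = {"accounts": users, "later_success": later}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"later success for {info['later_success']}")
```

Against the sample log, 203.0.113.7 is flagged with six accounts and a later success for `carol`, while 198.51.100.9 is not, since it only hits one account.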
Following the incidents, the security researchers affirmed that they have contained and eradicated the threat from their clients’ networks. They further added that “NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set”.