China-Linked Hackers Breach East Asian Firm for 3 Years via F5 Devices

 

The suspected China-based cyber espionage actor has been attributed with a prolonged cyber espionage attack that lasted approximately three years against an unnamed organization based in East Asia, in which the adversary allegedly established persistence using legacy F5 BIG-IP appliances, which served as a command-and-control system for the adversary, to evade defences. As a result of the cyber intrusion in late 2023, cybersecurity company Sygnia has been tracking the activity under Velvet Ant. 
Based on their observations, Velvet Ant has been characterized by being capable of pivoting and adapting their tactics to counter repeated attempts at eradication. Sygnia researchers explained in a blog post on June 17 that F5 Big-IP load balancer appliances are often placed at the perimeter of a network or between the segments of it, which are often trusted. 
To gain access to sensitive data, Velvet Ant was seen utilizing different tools and techniques, including the PlugX remote access trojan (RAT), which is a dormant persistence mechanism that can be deployed in unmonitored systems. As well as hijacking DLL search order, sideloading, phantom DLL loading, as well as tampering with the installed security software, the threat actor is believed to have used DLL search order hijacking, sideloading, and phantom DLL loading to install the PlugX malware. The hacking group had a high level of awareness of operational security (OPSEC) by not installing the malware on a workstation that had be

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: