Symantec Reports on Cicada APT Attacks against Japan

Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.

Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.

The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.

Interesting details about the group’s tactics.

News article.

Posted on November 20, 2020 at 6:05 AM

Comments

Etienne November 20, 2020 8:08 AM

I read that a lot of these cartels use email to begin their attack, and it still surprises me that legacy email providers distribute spam and phishing emails willingly.

I use a legacy email system from a billion dollar company, and everyday my spam folder fills up, and even some obvious spam makes it way into my normal inbox.

It’s almost like it is an inside job.

xcv November 20, 2020 12:57 PM

@ O.P.

The group is using living-off-the-land tools

There’s something off-color about the humor in that article. Tractors and farming implements probably don’t qualify, and neither do hunting rifles and fishing poles. Battery backups and generators for computer work are neither unusual nor all that remarkable.

Unless there is a higher authority (electrician’s union boss) trying to fry their computers by spiking the power mains, which I experienced one time right in the middle of doing payroll for a non-union plumbing contractor.

as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. … DLL side-loading …

The architecture and basic programming assumptions of Microsoft Windows are outdated and hopelessly insecure. If the CVEs and zero-day vulnerabilities could have been fixed that easily, I am certain they would have been a long time ago already, somehow or another. This stuff is poison. There’s a Nazi re-education camp for programmers somewhere, I’m sure.

Clive Robinson November 20, 2020 3:22 PM

@ xcv,

I think you will find “living off the land” means “utilizing what nature provides”, that is the pre-farming “Hunter-Gatherer existence”.

Which in the cyber world will be what comes with the “landscape” of the OS, which as you note,

The architecture and basic programming assumptions of Microsoft Windows are outdated and hopelessly insecure.

They always were, and probably always will be[1], they are after all the “Doormat OS” trying to be the “Handyman OS” but as the old saying has it, they are,

“The jack of all trades but master of none”

Oh the “jack” in that saying has the same etymology as in a pack of cards where the “jack” is also called the “knave”. You can find the definition of knave online but in English it’s,

“If someone calls a man a knave, they mean that he is dishonest and should not be trusted.”

Some would say that is a reasonable description of Microsoft based on past performance…

[1] In the UK certain real world or finance service providers are required to say “Previous performance is no indicator of future performance” but in the Cyber-world so far…
