Symantec Reports on Cicada APT Attacks against Japan
Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.
Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware—Backdoor.Hartip—that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.
The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.
Interesting details about the group’s tactics.
News article.
Etienne • November 20, 2020 8:08 AM
I read that a lot of these cartels use email to begin their attack, and it still surprises me that legacy email providers distribute spam and phishing emails willingly.
I use a legacy email system from a billion dollar company, and every day my spam folder fills up, and even some obvious spam makes its way into my normal inbox.
It’s almost like it is an inside job.