The attacker demanded a $2-million ransom:

The attack that resulted in the deployment of the RA World ransomware program, as well as data exfiltration, had the same chain: toshdpdb.exe loading toshdpapi.dll, which then decrypted toshdp.dat, resulting in the PlugX variant being deployed. The difference is that the attacker then chose to deploy the RA World ransomware and demand a $2-million ransom.

“While no infection vector was found, the attacker later claimed that the target’s network was compromised by exploiting a known vulnerability in Palo Alto’s PAN-OS (CVE-2024-0012) firewall software,” the Symantec researchers said. “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers.”

RA World, originally known as RA Group, is a ransomware operation that first appeared in 2023 and has grown steadily since then. The group has targeted organizations in the US, Europe and Southeast Asia, with the US seeing the highest number of victims. Based on a Palo Alto Networks analysis of victims between mid-2023 and mid-2024, the manufacturing sector was most impacted, followed by transportation and logistics, wholesale and retail, insurance, pharma, and healthcare.
APT and cybercriminal tactics are usually incompatible:

The mixture of cyberespionage and ransomware activities is not unheard of, but it is a rare occurrence because these operations typically have competing goals that require different approaches. The goal of cyberespionage is intelligence collection, so remaining undetected in the victim’s network for as long as possible is a priority. Meanwhile, the data encryption part of ransomware attacks is highly visible, immediately giving away the attacker’s presence.

However, there have been cases where intelligence agencies have contracted, or forced, private hackers to do their bidding in exchange for protection from prosecution or other privileges. This has resulted in cases where some threat groups appeared to engage in both cyberespionage and financial crimes at the same time. And even though those operations were kept separate, there was an inevitable overlap of toolsets and tactics.

For example, APT41, also known as Winnti, Axiom, Barium, or Wicked Panda, is one of the oldest Chinese cyberespionage groups, with intrusion activities dating as far back as 2007. For a long time, this group operated from a front company called Chengdu 404 Network Technology Company, which security experts believe acted as a contractor for China’s Ministry of State Security and the People’s Liberation Army.
China is usually seeking intelligence while North Korea has financial motives:

While the group’s targeting often follows China’s geopolitical and intelligence collection interests, it has also been responsible for financially motivated attacks, primarily against the online gaming industry. Several Chinese nationals who are suspected members of APT41 were indicted in the US in 2019 and 2020 and are on the FBI’s most-wanted list.

North Korean state-run APT groups regularly engage in cybercrime activities and have stolen billions of dollars in cryptocurrency and engaged in fraudulent wire transfers over the years. They have also developed and deployed ransomware. These are typical methods of funding the regime in Pyongyang, which has long been under economic sanctions.

Russia is another country with a history of intelligence agencies working with civilian hackers and cybercriminal elements, a trend that has intensified in recent years following its invasion of Ukraine. Microsoft reported last year that the Russian government appears to have outsourced some cyberespionage and sabotage operations to cybercriminal groups.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3824177/unusual-attack-linked-to-chinese-apt-group-combines-espionage-and-ransomware.html