Earlier last year, the National Games of China was breached by a Chinese-speaking hacking group.
According to Avast, the attackers gained access to a web server on September 3, 12 days before the start of the event. They dropped multiple reverse web shells for remote access and established a persistent foothold in the network.
The National Games of China is a multi-sport event held every four years; last year's edition took place in Shaanxi Province between September 15 and 27, 2021.
The cybersecurity firm said it was unable to determine what information the attackers stole. The attackers are believed to be native Chinese speakers or highly fluent in Chinese, and the breach was remediated before the games kicked off.
The attackers used their initial access to further exploit a vulnerability in the web server. Before dropping the web shells, they experimented with which file types they could upload to the server, and then submitted executable code disguised as seemingly harmless image files.
They also tried to modify the server so that it would execute the Behinder web shell. Although that attempt failed, they managed to upload and run an entire Tomcat server, properly configured and weaponized with the post-exploitation tool.
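As an added illustration (not code from the Avast report or this article), the check below shows one way a server can catch the disguise described above: it rejects an upload whose claimed image extension does not match the content's magic bytes, and it also scans files that do carry a valid image header for JSP or PHP code markers. The extension list, patterns and sample files are constructed for the example.

```python
import re
from typing import Tuple

# Allow-list of image extensions and the magic bytes each must start with (constructed)
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Markers of server-side code that has no business inside an image upload
CODE_MARKERS = [
    re.compile(rb"<%[@!=]?"),       # JSP scriptlet, declaration or directive
    re.compile(rb"<\?php", re.I),   # PHP open tag
]


def inspect_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a file the client claims is an image."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        # Covers bare web shells such as shell.jsp and double extensions like pic.png.jsp
        return False, f"extension {ext or '(none)'} is not on the image allow-list"
    if not data.startswith(magic):
        # Name says image, bytes say otherwise
        return False, f"content does not start with the magic bytes for {ext}"
    for pattern in CODE_MARKERS:
        match = pattern.search(data)
        if match:
            # Valid image header followed by code: a polyglot upload
            return False, f"server-side code marker {match.group(0)!r} at offset {match.start()}"
    return True, "ok"
```

A magic-byte check on its own is easy to satisfy by prepending a real image header, which is why the marker scan runs as a second step; the scan is heuristic, so the uploads directory should still be served without script execution regardless of what passes.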
Avast researchers David Álvarez Pérez and Jan Neduchal said, “After gaining access, the attackers tried to move through the network using exploits and brute-forcing services in an automated way.”
They also uploaded a network scanner and a custom one-click exploitation framework written in Go, which they used for lateral movement and to autonomously break into other devices on the same network.
The researchers noted that attackers are increasingly relying on Go-based malware to conduct cyber attacks. “Go is a programming language becoming more and more popular which can be compiled for multiple operating systems and architectures, in a single binary self-containing all dependencies. So we expect to see malware and grey tools written in this language in future attacks, especially in [Internet of things] attacks where a broad variety of devices leveraging different kinds of processor architectures are involved.”