Researchers say that a new threat group has targeted cloud services to achieve goals aligning with Chinese interests. Read on to know more…
Researchers with NCC Group and Fox-IT have recently published a report related to a threat actor who has remained undetected for up to three years. Dubbed Chimera, the threat group has been abusing Microsoft and Google cloud services with the goal of exfiltrating data across a broad range of target organizations.
About Chimera Threat Group
The Chimera threat group’s activities were first discovered in 2020 by CyCraft, a cybersecurity startup. CyCraft discovered the threat group when the group conducted a series of coordinated attacks against multiple Taiwanese companies active in the superconductor industry. Their main aim was to steal intellectual property.
Chimera is believed to be a Chinese APT (Advanced Persistent Threat) group operating in the interest of the Chinese state. The group abuses Microsoft and Google cloud services with the aim of exfiltrating information from a broad range of target organizations.
It has been reported that the group managed to remain undetected in victims’ networks for up to 3 years. They remain within victims’ networks to check for new data of interest and user accounts.
The Chimera Threat
The report detailed various incident response engagements related to the Chimera group between October 2019 and April 2020. The researchers analyzed the overlap in infrastructure and capabilities between the incidents and reported that the Chimera group, operating in Chinese interests, was carrying out intrusions across multiple victims.
The threat group has targeted a wide range of data, from intellectual property in the high-tech sector to PNR data from the airline industry. Chimera has relied on credential theft and password spraying, then deployed Cobalt Strike for remote access and command and control. In addition, the group has used cloud storage web services such as Dropbox, Google Drive, and OneDrive, remote services such as VPN and Citrix, and a few specific tools named PsLogList, NtdsAudit, and Mimikatz. The group’s main objective is to exfiltrate sensitive data from victims’ networks and to keep checking for new data of interest and user accounts.
In a writeup, researchers explain how the attackers use Microsoft and Google cloud services to achieve their goals. In one case, they collected data from Microsoft SharePoint Online in order to exfiltrate information. In other attacks, they changed their C2 domains: in 2019 they began using subdomains under the parent domain appspot.com, which is owned by Google, and azureedge.net, a domain owned by Microsoft and part of its Azure content delivery network.
Attackers begin by obtaining usernames and passwords from victims of previous breaches. The credentials are used in credential stuffing or password-spray attacks against a victim’s remote services; for example, Web mail or other online mail services. Once they have a valid account, they use it to access the victim’s VPN, Citrix, or another remote service with network access.
With a foothold in the network, the attackers check the account’s permissions and try to obtain a list of accounts with admin privileges. This list lets them run another password-spraying attack until a valid admin account is compromised. They use this account to load a Cobalt Strike beacon into memory, which then serves as the channel for remote access and command and control (C2).
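As an added defender-side example (not code from the NCC Group/Fox-IT report), the following Python flags the password-spray pattern described above in constructed webmail/VPN authentication records: one source failing against many distinct accounts within a short window, followed by a success that marks the credential the attacker obtained. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-access (webmail / VPN) auth events; not data from the report.
# Fields: ISO-8601 timestamp, source IP, username, result
SAMPLE_LOG = """\
2020-03-01T08:00:01Z 203.0.113.7 alice FAIL
2020-03-01T08:00:03Z 203.0.113.7 bob FAIL
2020-03-01T08:00:05Z 203.0.113.7 carol FAIL
2020-03-01T08:00:07Z 203.0.113.7 dave FAIL
2020-03-01T08:00:09Z 203.0.113.7 erin FAIL
2020-03-01T08:00:11Z 203.0.113.7 frank SUCCESS
2020-03-01T08:05:00Z 198.51.100.4 alice FAIL
2020-03-01T08:05:10Z 198.51.100.4 alice FAIL
2020-03-01T08:05:20Z 198.51.100.4 alice SUCCESS
"""

def parse_log(text):
    """Parse one event per line into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: users} for sources that failed against at least min_users distinct
    accounts inside any sliding window. One account hammered repeatedly (198.51.100.4
    above) is the inverse pattern (brute force) and is deliberately not flagged here."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1          # slide the window forward past stale failures
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and len(users) > len(alerts.get(ip, ())):
                alerts[ip] = users  # keep the largest set of targeted accounts
    return alerts

def successes_after_spray(events, alerts):
    """Accounts that authenticated successfully from a spraying source: the likely
    valid credentials the attacker walked away with, and the first ones to reset."""
    return sorted({user for ts, ip, user, result in events
                   if result == "SUCCESS" and ip in alerts})
```

The same window logic applies to the second, internal spray against the admin list; feed it the domain controller’s failed-logon events instead.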
Recently, the North Korean APT group APT37 was seen distributing a cloud-based RAT variant of RokRat to steal data from a victim’s machine and send it to cloud services. In late December, Russian hackers compromised Microsoft Cloud customers and stole emails from at least one private sector company.
Cloud services are being increasingly targeted and the fact that attackers more often than not fly under the radar points to sophisticated intrusion tactics and techniques. In addition, targeting data that is very useful and important for nation-states indicates that the Chimera group may be planning to take its scope of attacks to much broader levels.