New data shows China has “taken the gloves off” in hacking attacks on US


nir

The new normal: More sophisticated attackers, more destructive attacks.

 

Remember the good old days, when the US and China were supposedly working out new norms for the cybers, and China was going to stop all that hacking of US companies to steal intellectual property? It turns out the Chinese were just upping their hacking game, improving their operational security and penetration skills—learning from the methods of their Russian counterparts.

 

A recent example of that "island hopping" tactic is the "Cloud Hopper" hacking campaign, active since at least May of 2016. In October, DHS issued a new alert on the campaign, warning of a surge in activity by the campaign over the past few months. Cloud Hopper has been attributed to the threat group known as APT 10, aka Stone Panda—a hacking group that has been tied to the Chinese Ministry of State Security's Tianjin Bureau.

 

Based on data from incident response companies gathered by the security software vendor Carbon Black, China is now the leading source of cyber-attacks. Of 113 investigations conducted by Carbon Black's incident response partners in the third quarter of 2018, nearly half—47 in total—came from China or Russia.

 

"What was notable was that we saw a resurgence of Chinese attacks, where they actually surpassed Russian activity," said Carbon Black's chief cybersecurity officer, Tom Kellermann. "And I think that's in direct line with the increasing tension with the South China Sea coupled with the trade war. Essentially, the Chinese have taken the gloves off."

 

The data backing this analysis, part of a report released this week by Carbon Black, came from 37 incident-response firms that partnered with the company. It's the second quarterly report compiled from incident-response data and an attempt by the intrusion-response community to understand more about the behavior of attackers—and how they manage to spend so much time within networks before they are detected.

 

"The Verizon data-breach report, which we all appreciate as being probably the best report out on data breaches, always failed to explain why [dwell time] was over 130 days," Kellermann told Ars. That Verizon report "talked about the vector and some of the weaknesses in security but never described why that dwell time was so expansive. This report is specifically trying to drive out how are they getting in, how are they staying in, how are they moving laterally, how are they changing, and are they becoming more punitive."

 

And, in fact, attackers on the whole do appear to be turning more "punitive"—engaging in more destructive behavior either as part of a deliberate sabotage campaign or to counter the efforts by victims of intrusions to respond to them. But as far as the Chinese attackers go, it's clear that they have also significantly upped their game, improving their stealth and tactics in a way that has allowed them to dig deeper into targets and stay longer than before.

 

"They're doing a much better job of operational security for their campaigns and doing a tremendous amount of 'island hopping'—targeting the major service providers and corporations' brands in order to island hop into their constituencies," Kellermann explained.

 

This type of stealth is a significant departure from Chinese state-sponsored hacking operations in the past. "The joke used to be that when the Chinese would come after you, they would throw the kitchen sink at you, and inevitably they would get into your house, and it would sound like a bunch of drunks in your kitchen at night," Kellermann said. "The Russians, if they targeted you—you would just wake up feeling funny in the morning."

 

But now, the Chinese groups are mirroring some of the clandestine techniques used by the Russian underground and "cyber militias," including:

  • Using multiple command and control (C&C) systems to communicate with backdoors and other malware, with at least one of them on a "sleep cycle"—left inactive until after other C&C systems have been purged by the targeted organization's security team.
  • "Living off the land" and moving within the targeted network by using 'known good tools' (legitimate software packages or system tools that may already be installed on the target network, such as PowerShell).
  • Using techniques such as process hollowing to conceal malicious code within an existing system process to evade detection, Windows Management Instrumentation, and other alternatives to PowerShell to conceal activity on Windows systems.

 

Chinese hacking groups aren't the only ones to have improved their game against intrusion detection and response. Attackers from Iran, North Korea, and Brazil have also been evolving their behavior to adjust to the widespread use of breach-detection tools and common intrusion-response practices. The data gathered for the report showed that more than 40 percent of the incident-response investigations in the last three months found a secondary command and control network in place "on the sleep cycle." And more than 50 percent of the incidents were cases where the victim was not the primary target of the attack.

 

That said, the resurgence of the Chinese attacks is concerning when combined with their shift in tactics. While Chinese attacks against US targets never really stopped after the 2015 agreement on cyber norms, they had become much less brazen—which Kellermann attributes to their realization that they were "terrible at operational security." But they may have refocused their activities elsewhere—targeting India, Japan, and South Korea—as they learned more about how companies defended themselves and responded to breaches.

 

Bringing the pain

 

Across the board, the financial sector was the most commonly targeted victim, followed by healthcare. "With North Korea and Iran, as well as Russia, they're understanding how they can offset economic sanctions by targeting the financial sector," Kellermann suggested.

 

But there was also a spike over the third quarter of 2018 in attacks against manufacturing companies—a type of attack that has been frequently tied to Chinese economic espionage. "Hacking a manufacturing entity, it's very hard to create a liquid asset to capitalize financially on that," Kellermann noted, "unless it's for the purpose of economic espionage or economic sabotage."

 

There was another spike that drew notice—a shift toward what Kellermann described as "a more punitive adversary." In 32 percent of the documented investigations over the past quarter, the attackers engaged in some sort of data destruction—either as economic sabotage or as a way of countering incident-response efforts by the victim.

 

"We're seeing destruction of logs—not just the logs specific to the footprint of the adversary on various hosts, but just massive amounts of logs," Kellermann said, "and that should be concerning to all of us. In the first three months we looked at, back in the spring of this year, we were at 10 percent for destructive attacks. Now we're at 32 percent. Is it the geopolitical context, or is it just that the actors have become far more punitive?"

 

The trend suggests, Kellermann said, that the days of "the straight burglary" of data are now gone, and sophisticated attackers are turning toward the tactics of a home invasion. Kellermann compared most companies' tactics in dealing with intrusions to responding to an intruder by "standing at the top of the steps and shouting 'I've got a gun and the police know you're here' and assuming that would scare them away." The problem with that approach, he noted, was that it assumes that there is only one intruder, that the threat is enough to intimidate them to leave, and that the intruder(s) "would not get punitive enough to come upstairs and set the house on fire."

 

We've already seen the potential threat of purely destructive attacks in the past from malware such as Shamoon, WannaCry, and NotPetya. But as tensions continue to build over trade, that sort of virtual arson attack on networks could become increasingly more common and much more sophisticated in its application. And that's something that current security practices and US "cyber deterrence" don't yet appear to be prepared to deal with.


Source
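The dormant secondary C&C pattern described in the article, as an added detection example that is not part of the Ars Technica piece or Carbon Black's report: it runs over constructed DNS-query log lines (hostnames, domains and timings are made up) and flags a host whose periodic lookups of one domain stop and are later replaced by periodic lookups of another.

```python
"""Beacon detector for the 'sleep cycle' secondary C&C pattern (added example,
not from the article). A beacon is a series of lookups with near-constant
spacing; a successor beacon begins only after an earlier beacon went quiet."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one query per line: "epoch_seconds host domain".
SAMPLE_LOG = "\n".join(
    [f"{t} ws01 c2-a.example" for t in range(0, 3001, 300)]             # primary beacon, every 5 min
    + [f"{t} ws01 sw-update.example" for t in (17, 900, 1300, 4000, 9100)]  # irregular, benign noise
    + [f"{t} ws02 c2-a.example" for t in (100, 700, 800, 2900)]         # same domain, not periodic
    + [f"{t} ws01 c2-b.example" for t in range(90000, 94801, 600)]      # dormant C&C wakes, every 10 min
)

def parse(log: str) -> dict:
    """Group query timestamps per (host, domain), sorted ascending."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, host, domain = line.split()
        series[(host, domain)].append(int(ts))
    return {k: sorted(v) for k, v in series.items()}

def is_periodic(ts: list, min_events: int = 6, max_cv: float = 0.1) -> bool:
    """Near-constant inter-query spacing (low coefficient of variation) is beaconing."""
    if len(ts) < min_events:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv

def find_successor_beacons(log: str, min_gap: int = 3600) -> list:
    """Return (host, old_domain, new_domain) tuples where a beacon to new_domain
    starts at least min_gap seconds after the host's beacon to old_domain stopped."""
    beacons = defaultdict(dict)  # host -> domain -> (first_seen, last_seen)
    for (host, domain), ts in parse(log).items():
        if is_periodic(ts):
            beacons[host][domain] = (ts[0], ts[-1])
    found = []
    for host, doms in beacons.items():
        for old, (_, old_last) in doms.items():
            for new, (new_first, _) in doms.items():
                if new != old and new_first - old_last >= min_gap:
                    found.append((host, old, new))
    return sorted(found)

if __name__ == "__main__":
    for host, old, new in find_successor_beacons(SAMPLE_LOG):
        print(f"{host}: beacon to {old} went quiet, then {new} began; review both")
```

Tuning min_events and max_cv against real resolver logs is necessary; the thresholds here are only chosen to fit the constructed sample.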


Why did Ars Technica only post half the story and blame it all on the Chinese?

 

Quote

 

Quarterly Incident Response Threat Report: Key findings

  • China and Russia are responsible for nearly half of all cyberattacks. Of 113 investigations conducted by IR partners in the third quarter, 47 stemmed from those two countries alone, while Iran, North Korea, and Brazil were also the origin of a considerable amount of recent attacks.
  • Cyberattacks from these countries are politically motivated and "tailored to specific targets, cause system outages, and destroy data in ways designed to paralyze an organization's operations."
  • Nearly two-thirds of IR professionals believe cyberattacks will influence the upcoming US elections.
  • Elections are further threatened by marketplaces on the dark web where multiple types of election-related items are for sale such as voter databases, social-media-based influence campaigns, and hackers for hire to engage in campaigns intended to commit anti-government espionage endeavors.
  • More than half of IR firms encountered instances of attempted counter-incident response.
  • Half of today's attacks leverage "island hopping," whereby attackers target organizations with the intention of accessing an affiliate's network.
  • A growing number of attacks are now taking advantage of Internet of Things (IoT) vulnerabilities — and not just consumer devices. An alarming 38% of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organizations' primary networks, allowing island hopping.
  • Destructive attacks are on the rise. IR firms said that 32% of victims experienced destructive attacks.
  • The industry most frequently targeted by cyberattacks was the financial sector, followed by healthcare, retail, and manufacturing.
  • Concerns about cyberattacks have shaken confidence in the voting system.

 

https://www.techrepublic.com/article/carbon-black-incident-response-threat-report-us-elections-are-endangered-by-cyberattacks/

 

Carbon Black also blamed the Russians, Iran and Brazil too. The only thing different from 2016 is that now they are blaming China too. Their findings are not very different from what the FBI said months ago. But 113 investigations is nothing compared to reality.

 

 

Quote

  1. There is a hacker attack every 39 seconds, affecting one in three Americans each year.
  2. 95 percent of breached records came from three industries in 2016: Government, retail, and technology.
  3. 43 percent of cyber attacks target small business. 64% of companies have experienced web-based attacks. 62% experienced phishing & social engineering attacks. 59% of companies experienced malicious code and botnets and 51% experienced denial of service attacks.
  4. The average cost of a data breach in 2020 will exceed $150 million, as more business infrastructure gets connected.
  5. Since 2013 there are 3,809,448 records stolen from breaches every day, 158,727 per hour, 2,645 per minute and 44 every second of every day.
  6. Over 75% of the health care industry has been infected with malware over the last year.
  7. Large-scale DDoS attacks up 140 percent in 2016's fourth quarter.
  8. Approximately $1 trillion is expected to be spent globally on cybersecurity from 2017 to 2021.
  9. Unfilled cybersecurity jobs worldwide will reach 3.5 million by 2021. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years.
  10. By 2020 there will be roughly 200 billion connected devices. The risk is real with IoT and it's growing. According to figures compiled within a recent Symantec Internet Security Threat Report, there are 25 connected devices per 100 inhabitants in the US.
  11. Only 38 percent of global organizations claim they are prepared to handle a sophisticated cyber attack.
  12. Total cost for cyber crime committed globally has added up to 100 billion dollars. Don't think that all that money comes from hackers targeting corporations, banks or wealthy celebrities. Individual users like you and me are also targets. As long as you're connected to the Internet, you can become a victim of cyber attacks.

https://www.cybintsolutions.com/cyber-security-facts-stats/

 

 

Outfits like Carbon Black don't want hacking to go away or they would not have a job. Since the last decade, after they got viruses under control, vendors make up false positives to scare people into buying their products.

https://en.wikipedia.org/wiki/Scareware

https://discussions.apple.com/thread/4574354

https://www.zdnet.com/article/symantec-accused-of-using-scareware-tactics-to-sell-full-version-products/?tag=nl.e550

https://www.pcmag.com/article2/0,2817,2373975,00.asp

 

On Linux I just use the open source ClamTk AV to scan stuff I download; on Windows I just use NOD32. I don't really trust any vendor; they all make up false positives for things that are not real malware, like cracks and packers. In all the years I downloaded I only came across like 2 infected cracks but 1000s of false positives. Most malware I found was attached to an installer that was real, and the AV detected it and never let it download, or someone put bad code in an addon or software to hack someone, like what happened with CCleaner and Kodi before. Normal people don't need to worry about state hackers as much as they do blackhats who do it for peanuts. Businesses need to worry about both.

 

U.S. launches aggressive campaign to thwart China's economic attacks

https://www.washingtonpost.com/world/national-security/with-new-indictments-us-launches-aggressive-campaign-to-thwart-chinas-economic-attacks/2018/11/01/70dc5572-dd78-11e8-b732-3c72cbf131f2_story.html?noredirect=on

 

If what they say is true, Obama was a fool, because the Micron attack took place under his watch, and so did the U.S.-China Cyber Espionage Deal. Also the FireEye report was totally wrong, so that's how much you can believe these kinds of reports, and Kaspersky has data to back it up that attacks in Russia by China were on the rise. :lmao:

Quote

 

FireEye released a report in June 2016 that claimed the number of network compromises by the China-based hacking groups it tracks dropped from 60 in February 2013 to less than 10 by May 2016. Absence of evidence is not the same thing as evidence of absence, and the Chinese may be becoming more stealthy and sophisticated in their attacks. Indeed, FireEye noted that the decline in the number of attacks may be accompanied by a rise in the sophistication of attacks. U.S. Assistant Attorney General John Carlin confirmed the company's findings that attacks were less voluminous but more focused and calculated. Chinese hackers may have shifted their focus to other targets. Kaspersky Labs reported Chinese hacking of Russian defense, nuclear, and aviation industries rose nearly threefold in the first seven months of 2016.

 

https://www.cfr.org/blog/us-china-cyber-espionage-deal-one-year-later

 

This year China is acting like they are friends with Russia, but from Kaspersky reports in the past you can't trust them, and from deals the USA made in the past you can't trust any deal they make. They don't care what country they steal from if they can profit from it. They befriend you, then steal your tech and sell it back to you cheaper than you make it. :rofl:

 

What I don't understand is that now the USA got Kaspersky out of the way, and most whistleblowers, it's always some other country. But from 2013-2017 it was always the CIA, FBI and NSA that had done something; it seems like we took a step backwards in time. Everyone is turning a blind eye to what the USA and UK spooks are up to once again, like it was before 2013.
