Published in CyCraft

Smokescreen Supply Chain Attack Targets Taiwan Financial Sector, A Deeper Look

Operation Cache Panda: Zero-Day in Financial Software Exploited by China-Linked Threat Group

Jeremy “Birdman” Chiu, CyCraft Founder & CTO

Incident Overview

Fig. 1 — CyCraft MDR’s first detection, auto triage, and alert sent for the malicious executable, PresentationCache[.]exe

About APT10

Fig. 2 — CyberTotal Cyber Threat Intelligence Platform Quickly Detected APT10 Activity

Attack Method Analysis

Fig. 3 — CyberTotal Threat Intelligence Surveillance platform detects APT10 activity

Analysis of Attack Techniques

Phase 1 — Initial Access and Establishment of Entry Points

Fig. 4 — Ant Sword As-Exploits WebShell

Phase 2 — Lateral Movement & Lurking

Fig. 5 — Malware architecture and activity analysis

PresentationCache Malware Technical Analysis

Fig. 6 — Comparison of malware and Donut source code
Fig. 7 — DES CBC encrypted part of the string
Fig. 8 — It’s easier to crash the party when you can add yourself to Windows Defender’s allowlist
Fig. 9 — Check SbieDLL.dll

Highlighted Findings

  1. The attackers leveraged a zero-day RCE (remote code execution) vulnerability in a widely used financial software product. Because this zero-day RCE vulnerability has the potential to severely impact a number of financial organizations, we cannot disclose more details at this time.
  2. We assess with a high degree of confidence that the scope of Cache Panda extends to several major securities traders, as the software is ubiquitous.
  3. The attackers were able to leverage a zero-day RCE vulnerability in widely used financial software to execute code on the firms’ servers, move laterally within the environment via remote desktop and some novel techniques such as reflective code loading, and collect customer account credentials. This suggests a potential link between these stolen credentials and the sudden Nov 2021 spike in purchases of Hong Kong stocks on the open market; however, the evidence is not conclusive. With these stolen credentials in hand, it is entirely possible that the attackers launched similar attacks within this same time period.
  4. The objective of Cache Panda does not appear to have been solely financial gain, but rather the exfiltration of brokerage information, the scraping of high-value PII data, damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.
  5. The impact of the attack has not yet reached its full extent. Within our visibility, at least two securities brokers had to halt trading due to the large volume of unusual purchases. According to news agencies, there may be more. Targeted organizations had to absorb financial losses. Millions of customers were forced to update passwords and enable MFA.
  6. Reflective Code Loading was added to the MITRE ATT&CK framework in October of last year and was observed in the wild in November. It is recommended that defenders stay up-to-date with the latest ATT&CK framework updates, especially techniques targeting their sector.
  7. China-linked APT attacks are rarely financially motivated. The attack behavior demonstrated in Cache Panda shows a potential shift in that known behavior pattern.
  8. It is strongly recommended that all relevant organizations take stricter precautions, patch loopholes, remove possible backdoors and Trojans, and seek immediate, thorough security assessments from professional cybersecurity firms.

Recommended Mitigations

  1. Check for and block the IoCs listed below, and confirm that your own defenses can detect the methods described here.
  2. Check whether the hosts of outsourced information systems contain the As-Exploits web backdoor.
  3. Network segments should be divided and partitioned, and access between zones should be managed — especially when connecting with external systems. Strict attention must be paid to API security design. Please refer to the OWASP API Security Guidelines.
  4. Establish a mid-field line of defense for Detection and Response: monitor the internal network over the long term so that attacks are detected early. Cybersecurity solutions such as EDR/MDR are critical for detecting malware strains and for monitoring during the eradication and remediation processes.
  5. With a high degree of confidence, the root cause of these attacks is that the commonly used software systems related to financial services had not been thoroughly researched and scanned for vulnerabilities. Therefore, more attention must be paid to the security of the supply chain and development processes, including stricter and repeated system security verification procedures via vulnerability assessments, detailed lists of patched vulnerabilities, and the employment of professional PSIRT teams.
  6. These attacks reused C2 domain infrastructure previously used by a known threat group, highlighting the importance of threat intelligence. Through the combination of the proper threat intelligence, tools, and security solutions, it is possible to detect clues of an upcoming or ongoing attack.
  7. Enterprises should strengthen their own cybersecurity posture from understanding MITRE ATT&CK and the Cyber Defense Matrix (CDM) framework to building a security cycle that strengthens their own posture from the experience of previous security incidents. The implementation of multi-factor authentication or even a zero-trust architecture goes a long way to limiting the maneuverability for attackers.
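Two of the checks above (matching artifacts against an IoC list, and confirming that your telemetry catches the Defender allowlisting shown in Fig. 8) as an added example; this is not CyCraft's code. It assumes the Defender Operational log has been exported as one text line per event beginning with the Event ID, and that IoC hashes are kept in a text file laid out like the IOC sections of this article; the log lines and file contents below are constructed.

```python
import hashlib
import re

# Defender records every configuration change as Event ID 5007. An attacker
# adding its own binary to the allowlist (Fig. 8) shows up as a new value under
# the Exclusions\Paths, \Processes or \Extensions registry key in that event.
EXCLUSION_RE = re.compile(
    r"Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x",
    re.IGNORECASE,
)
# MD5, SHA-1 or SHA-256 in hex, one per line; headings like "IOC-SHA1" are skipped.
HASH_RE = re.compile(r"^(?:[0-9A-F]{32}|[0-9A-F]{40}|[0-9A-F]{64})$")

# Constructed sample export: one exclusion change plus one unrelated detection event.
# The path is made up; only the file name comes from the article.
SAMPLE_DEFENDER_LOG = [
    "5007 Microsoft Defender Antivirus Configuration has changed. New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\PresentationCache.exe = 0x0",
    "1116 Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
]


def find_defender_exclusions(lines):
    """Return (kind, value) for every exclusion added in a 5007 event."""
    hits = []
    for line in lines:
        if not line.lstrip().startswith("5007"):  # export format assumption: ID first
            continue
        m = EXCLUSION_RE.search(line)
        if m:
            hits.append((m.group("kind"), m.group("value")))
    return hits


def load_ioc_hashes(text):
    """Collect the hash lines from an IoC block, ignoring headings and blanks."""
    return {ln.strip().upper() for ln in text.splitlines()
            if HASH_RE.match(ln.strip().upper())}


def sha1_hex(data):
    """Uppercase SHA-1 hex digest, the form used in the article's IOC-SHA1 list."""
    return hashlib.sha1(data).hexdigest().upper()


def match_hashes(blobs, iocs):
    """Return the names of blobs (name -> bytes) whose SHA-1 is in the IoC set."""
    return sorted(name for name, data in blobs.items() if sha1_hex(data) in iocs)
```

Any hit from `find_defender_exclusions` on a host that has no change-management record for that exclusion is worth an immediate look at the excluded path.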

IOC-SHA1


IOC-SHA256

IOC-MD5


CyCraft Technology Corp

CyCraft automates SOC ops for the Fortune Global 500, national govs, & SMEs with MDR, IR, & threat hunting solutions. Learn more at CyCraft.com