Smokescreen Supply Chain Attack Targets Taiwan Financial Sector, A Deeper Look
Operation Cache Panda: Zero-Day in Financial Software Exploited by China-Linked Threat Group
Valentine’s Day this year saw the end of a truly toxic relationship — a prolonged supply chain attack targeting the Taiwan financial and securities trading sector that had begun back in November 2021. Evidence uncovered during a CyCraft incident response (IR) investigation ties these attacks to APT10 — a China state-sponsored hacker group widely believed to be associated with the Chinese Intelligence Agency, the Ministry of State Security (MSS).
The November 2021 attacks disrupted online trading, causing an uproar among the Taiwan public. At least two securities traders had to halt trading due to the volume of unusual purchases. Targeted organizations absorbed the financial losses and suffered the loss of customer trust. In addition, these attacks influenced and manipulated stock prices, damaging financial transaction credibility and honesty. If left unnoticed, these attacks could have had a devastating impact on the financial sector.
The November attacks were originally attributed to password mismanagement and credential stuffing; however, following a security incident response (IR) investigation conducted by CyCraft into a second wave of attacks peaking from the 10th to the 13th of February 2022, new evidence uncovered the exploitation of a severe vulnerability in commonly used financial software aided by the newly identified hacking technique, Reflective Code Loading.
The CyCraft IR investigation uncovered evidence suggesting credential stuffing could have been just a smokescreen to obfuscate other motives and malicious activity.
The true objective of this sophisticated zero-day supply chain attack (dubbed Operation Cache Panda) does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value PII data (full name, home address, email, credit card numbers, passport number, date of birth, etc.), damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.
The offensive launched against Taiwan financial institutions has become far more severe than initially assumed. The impact of this sophisticated zero-day supply chain attack continues to exert influence. The threat generated from this attack campaign should not be underestimated in scope or potential to harm.
“Our findings into Operation Cache Panda found that the attackers not only made extensive use of DotNet malware and a variety of obfuscation and evasion tools and techniques but also leveraged a novel attack approach with their use of reflective code loading.
It is worth noting that according to past infosec research, China-linked APT attacks have rarely been financially motivated. On the surface, the attack behavior demonstrated in Cache Panda displays a potential shift in that behavior pattern; however, underneath the market manipulation resides the insidious attack behavior that Taiwan has seen time and time again. This dynamic attack behavior coupled with the difficulty in detecting these attacks, the scope and impact radius of these attacks become very serious.
This wasn’t one simple intrusion; this was a series of multiple attacks orchestrated into one campaign that started last year. A number of institutions may have been compromised in this campaign. There has been severe damage to not only the reputation of Taiwan financial institutions but also to investor confidence during a period of economic growth for Taiwan.
It is strongly recommended that all relevant institutions take stricter precautions, patch loopholes, remove possible backdoors and Trojans, and seek immediate, thorough security assessments from professional cybersecurity firms. Stopping the spread and fallout from this security disaster should be considered a national priority.”
— Birdman Chiu, CyCraft Founder & CTO
At 5:27 p.m. on Thursday, November 25 of last year, a number of Taiwan financial institutions and securities traders informed the Taiwan Stock Exchange Corporation (TWSE) and the Financial Supervisory Commission (FSC) that they would be suspending online transactions due to suspicious behavior — large, unusual purchases of Hong Kong stocks via customer trading accounts — as a result of a possible cyberattack. (The stocks were purchased on the Hong Kong stock exchange by customer accounts of Taiwan securities brokers via their Hong Kong subsidiaries.)
After several weeks, IR investigations theorized that the November attacks were most likely due to password mismanagement and credential stuffing; however, the findings were not conclusive and suggested there may have been other causes. Several security countermeasures were taken, including forced password updates and multi-factor authentication.
The November attacks sent shockwaves through the Taiwan financial sector and were soon followed by a frenzy of stricter cybersecurity protocols and countermeasures. Highlighted news articles (in Traditional Chinese) are listed here for your reference:
- 2021–11–26 Securities Firm Reports that due to an Information System Failure, Some Investors Were “Ordered” to Automatically buy Hong Kong Stocks.
- 2021–11–27 Five Securities Firms Targeted by Credential Stuffing Attacks
- 2021–11–30 Major Security Incidents in Securities Firms, Financial Supervisory Commission (FSC) Investigates 3 Companies Targeted by Credential Stuffing Attacks
- 2021–12–15 7 Securities and Futures Firms Hit by Credential Stuffing Attacks, Financial Regulatory Commission Offers 3 Countermeasures
- 2022–01–17 Cyberattacks are on the Rise, Stock Exchange Requires Tens of Millions of Securities Customers to Change Their Passwords Within a Time Limit
- 2022–01–25 Strengthening the Security of Order Placement, 13.62 Million Accounts Have Completed Password Update
- 2022–02–09 Financial Supervisory Commission Calls for Strengthening Cybersecurity of Securities Companies to Ensure the Safety of Securities Transactions
Then, from February 10 to 13, a number of Taiwan financial institutions and securities traders were targeted yet again — some being victims of the November 2021 attacks and others CyCraft customers. CyCraft MDR/EDR cybersecurity solutions observed suspicious login events and files (such as PresentationCache[.]exe in Fig. 1 below) on customer servers and immediately began a detailed investigation. After three days, CyCraft completed IR investigations into both the November 2021 and February 2022 attacks.
Neither the November 2021 nor February 2022 attacks were solely the result of a credential stuffing attack. Recently uncovered evidence points to a zero-day supply chain attack targeting specific financial software.
A vulnerability existing in financial software with a majority market share among Taiwan securities traders was exploited by the attackers, granting them high-level access to multiple firms and allowing them to deploy several backdoors with each firm. Further investigation showed that what was initially presumed to be two separate waves of cyberattacks was actually one prolonged attack campaign in which the attackers leveraged advanced obfuscation techniques not previously observed.
Analysis of the attacker C2 domain, the QuasarRAT backdoor malware, the Hong Kong source IP, and the attacker behavior observed in the attacks has led to a high degree of confidence in attributing the attacks to a China-based threat group and a medium degree of confidence in the specific attribution of APT10. The objective of Cache Panda does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value personally identifiable information (PII) data, damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.
These attacks are the latest in a series of attacks against Taiwan by China-based threat groups. In early 2020, CyCraft curtailed a year-long attack campaign targeting Taiwan’s semiconductor ecosystem; this attack was attributed to another China-based threat group, Chimera. Again, in April 2020, a CyCraft incident response (IR) investigation into a government agency breach uncovered Waterbear malware — malware designed and distributed by the China-based threat group BlackTech.
The frequency of cyberattacks targeting Taiwan institutions surged by 38% in 2021, reaching an average of 2,644 attacks per week, Taiwan News reports. The global average is 925 attacks per week. This disparity is due to Taiwan’s unique geopolitical situation, high-tech economy, and mature communications infrastructure.
This Advanced Persistent Threat (APT), known as APT10 by MITRE ATT&CK nomenclature, has been active since at least 2006. Common targets of APT10 include healthcare, defense, finance, maritime, biotechnology, energy, and governmental organizations, with an emphasis on targets in Japan and Taiwan. APT10 is widely believed to be associated with the Chinese Intelligence Agency, the Ministry of State Security (MSS).
In 2018, the Federal Bureau of Investigation (FBI) of the U.S. Department of Justice charged two members of APT10, Zhu Hua and Zhang Shilong, with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. The Department of Justice indictment charges that these individuals acted in association with the Tianjin State Security Bureau and had been engaging in global computer intrusions for more than a decade.
Attack Method Analysis
The attackers exploited the website service vulnerability of the software system management interface. First, they uploaded ASPXCSharp WebShell — commonly used by Chinese threat groups — to control the website host. Then, they used the common intranet penetration tool Impacket to scan intranet devices and deploy the DotNet backdoor program, intending to exfiltrate data of the compromised device.
The attackers made extensive use of the dynamic loading of DotNet Assembly files. Leveraging the recently added adversarial technique Reflective Code Loading (MITRE ATT&CK T1620), the attackers dynamically injected malicious DotNet Assembly code into the system’s legitimate executable. Project Donut can compile Shellcode for different platforms and execute DotNet Assembly through In-Memory. Further analysis uncovered some SharpSploit codes were used to inject DotNet malware, which could obscure non-malicious modules, thereby reducing the probability of detection by antivirus software.
“Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).
Reflective code injection is very similar to Process Injection except that the ‘injection’ loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.”
Reflective Code Loading (T1620) MITRE ATT&CK
Afterward, the DotNet malware would be used with Impacket to spread laterally to the internal host through Remote Service/WMI. Once the control of the internal host was successfully obtained, the Reverse Tunnel RDP would be established to make it easier for the attackers to operate the hacked host through the remote desktop.
Deeper analysis found the attackers used the Chinese cloud file sharing service “Uncle Wen” (文叔叔, https://www.wenshushu.cn/) to download related tools, which would aid in achieving acceptable levels of convenience and anonymity. However, due to this, it was easier for us to track them when they logged into the compromised host via RDP.
The targeted financial software system is used by most financial institutions in Taiwan. Following news and cyber threat intelligence sources, it is known that a number of securities traders have been affected to varying degrees. Affected financial institutions are advised to patch the software system vulnerabilities immediately, limit the access scope of the web management interface, and take an inventory of the IoCs provided by CyCraft at the end of this article, including network IP, file HASH, and malware characteristics.
During the second peak of attacks in February, targeted CyCraft MDR/EDR customers were able to easily detect and monitor malicious activities, as shown in Figure 1 (pictured again below for your ease of reference).
Analysis of Attack Techniques
Phase 1 — Initial Access and Establishment of Entry Points
The WebShell used in these attacks is also used in open-source projects. This particular WebShell improves the Ant Sword WebShell framework (As-Exploits) commonly used by Chinese threat groups, enhances the attacker’s ability to dynamically load and execute DotNet Assembly through GetType Obtain, constructs the Run type of the payload to ensure that no malicious files or Web access records would be left, as shown in Figure 4 below.
Phase 2 — Lateral Movement & Lurking
The attackers used 6 individual malware to carry out this attack (only 3 landed, and the rest were dynamically downloaded and loaded). Each was responsible for different functions; the overall process is shown in Figure 5 below.
PresentationCache[.]exe is the QuasarRAT loader — an open-source backdoor used by APT10 in past attack campaigns. First, it registered itself as a service so that it could reside in the system and load two DLL files, PresentationFrom[.]dll and PresentationStatic[.]dll.
When PresentationCache[.]exe was executed, it grabbed the x86[.]bin and DogCheck[.]bin files from the external file download server and injected these two shellcode files into other processes. These two shellcodes dynamically loaded the DotNET execution environment and loaded the attacker’s DotNet Assembly for subsequent actions.
Among them, x86[.]bin was the main body of the backdoor, which was later changed to the notorious DotNet backdoor QuasarRAT. DogCheck[.]bin was the gatekeeper, responsible for checking the connection status of the backdoor. PresentationCache[.]exe would then be restarted. This ensured that x86[.]bin would only reside in memory, and the main malware would not land. DogCheck[.]bin ensured the operation of the backdoor and strengthened the overall control of the compromised device.
PresentationCache Malware Technical Analysis
Cache Panda leveraged a large number of DotNET related attack techniques, including the use of DotNet Assembly Loader and DotNet Obfuscator, which further increased the difficulty of analysis and investigation. PresentationCache used the open-source project Donut (shown in Figure 6 below), most likely due to its ability to compile Shellcode for different platforms and dynamically load DotNet Assembly.
Executing DotNet Assembly In-Memory can achieve the effect of a fileless attack, greatly reducing the chance of leaving files. This complicated the investigation process as the main body of the malware could not be found due to the data in memory having disappeared.
DotNet Reactor, a commercial DotNET obfuscation tool, was also used to hinder reverse engineering. DotNet Reactor obfuscated the modification of the program control process and also generated DotNET IL dynamically; the program would be solved and executed during the dynamic period. To avoid static analysis, the attackers used many obfuscation techniques, such as using DES CBC to encrypt part of the string to avoid detection (shown in Figure 7 below).
Cache Panda also leveraged a number of defense evasion techniques to avoid detection and prolong persistence. One technique used was to include the malware within Windows Defender’s allowlist (Figure 8).
PresentationCache also checked for SbieDLL.dll to confirm whether or not it was currently located in a sandbox environment of Sandboxie (shown in Figure 9). If so, the malware would stop execution immediately to avoid sandbox analysis.
Cache Panda used the C# implementation and open-source Quasar RAT as the core of the backdoor. Through leveraging a number of open-source or commercial software, the attackers reduced their own malware development time as well as the risk of being associated with one particular malware.
- The attackers leveraged a zero-day RCE (remote code execution) vulnerability against a widely used financial software. As this zero-day RCE vulnerability has the potential to severely impact a number of financial organizations, we cannot disclose more details at this time.
- With a high degree of confidence, the scope of Cache Panda extends to several major securities traders as the software is ubiquitous.
- The attackers were able to leverage a zero-day RCE vulnerability in widely used financial software to execute code on the firms’ servers, move laterally within the system via remote desktop and some novel techniques such as reflective code loading, and collect customer account credentials. This suggests a potential link between these stolen credentials and the sudden Nov 2021 spike in purchases of Hong Kong stocks on the open market; however, it is not conclusive. Although with these stolen credentials, it is entirely possible that the attackers could have launched similar attacks within this same time period.
- The objective of Cache Panda does not appear to have solely been financial gain but rather the exfiltration of brokerage information, the scraping of high-value PII data, damaging the reputation of Taiwan financial institutions, and the disruption of investor confidence during a period of economic growth for Taiwan.
- The impact of the attack has not yet reached its full extent. In our visibility, at least two securities brokers had to halt trading due to the large volume of unusual purchases. According to news agencies, there may be more. Targeted organizations had to absorb financial losses. Millions of customers were forced to update passwords and enable MFA.
- Reflective Code Loading was added to the MITRE ATT&CK framework in October of last year and was observed in the wild in November. It is recommended that defenders stay up-to-date with the latest ATT&CK framework updates, especially techniques targeting their sector.
- China-linked APT attacks are rarely financially motivated. The attack behavior demonstrated in Cache Panda shows a potential shift in that known behavior pattern.
- It is strongly recommended that all relevant organizations take stricter precautions, patch loopholes, remove possible backdoors and Trojans, and seek immediate, thorough security assessments from professional cybersecurity firms.
- Check and block whether the IoCs listed below and confirm your own defense can detect such methods.
- Check whether the host of the outsourced information system contains the As-Exploits web backdoor.
- Network segments should be divided and partitioned; access between zones should be managed — especially when connecting with external systems. Strict attention must be paid to API security design. Please refer to the OWASP API Security Guidelines.
- A midfield defense line for Detection and Response should be established, long-term monitoring of the internal field, and early detection of attacks. Cybersecurity solutions such as EDR/MDR are critical for detecting strains and monitoring during the eradication and remediation processes.
- With a high degree of confidence, the root cause of these attacks is most likely that the commonly used financial software systems related to financial services had not been thoroughly researched and scanned for vulnerabilities. Therefore, more attention must be paid to the security of the supply chain and development processes, including stricter and multiple system security verification procedures via vulnerability assessments, detailed lists of patched vulnerabilities, and the employment of professional PSIRT teams.
- These attacks used a C2 domain base used by a previous threat group, highlighting the importance of threat intelligence. Through the combination of the proper threat intelligence, tools, and security solutions, it is possible to detect clues of an upcoming or ongoing attack.
- Enterprises should strengthen their own cybersecurity posture from understanding MITRE ATT&CK and the Cyber Defense Matrix (CDM) framework to building a security cycle that strengthens their own posture from the experience of previous security incidents. The implementation of multi-factor authentication or even a zero-trust architecture goes a long way to limiting the maneuverability for attackers.
Everything Starts From Security
CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft MDR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of both existing and emerging security threats with real-time protection and visibility across the organization.
Engage with CyCraft
CyCraft secures government agencies, financial institutions, semiconductor manufacturing, police and defense organizations, Fortune Global 500 firms, airlines, telecommunications, SMEs, and more by being Fast / Accurate / Simple / Thorough.
CyCraft automates information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateways (TIG), network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. CyCraft also collaborates with other cybersecurity organizations, including the International Forum of Incident Response & Security Teams (FIRST) and the Taiwan Cybersecurity Center of Excellence (CCoE).
Meet your modern cyber defense needs by engaging CyCraft at email@example.com
- In early 2020, CyCraft curtailed a year-long attack campaign targeting Taiwan’s semiconductor ecosystem and identified a new China-linked threat group, Chimera.
- In the spring of 2020, a CyCraft incident response (IR) investigation into a government agency breach uncovered Waterbear malware — malware designed and distributed by the China-linked threat group BlackTech.
- In April 2020, CyCraft observed a China-linked threat group use ransomware as a smokescreen for a targeted attack on the CPC Corporation — the largest gasoline supplier in Taiwan. The ransomware was a smokescreen for the attackers’ real objective.
- Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
- Our CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.
- Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.