Analysis published by Natto Thoughts documents a significant escalation in cyber attacks by Chinese state-linked hacking groups that lean on free, open-source tools such as Nmap and NBTscan to reconnoitre and infiltrate computer networks worldwide.
Widespread Abuse of Open-Source Scanning Tools
Nmap, short for Network Mapper, is a free and open-source network scanning tool developed by Gordon Lyon. It’s widely used by network administrators to discover hosts and services on a computer network by sending packets and analyzing responses. However, Chinese state-sponsored threat groups such as APT41, APT10 (also known as menuPass, Stone Panda, POTASSIUM), GALLIUM (Granite Typhoon), Stately Taurus (Mustang Panda), and APT40 (TA423, Red Ladon, BRONZE MOHAWK, Gingham Typhoon) have been repurposing these legitimate tools for malicious activities.
These groups invest heavily in reconnaissance. By running network scanning utilities such as Nmap and NBTscan against target ranges, they footprint networks to locate reachable and vulnerable hosts. NBTscan, in particular, sends NetBIOS name status queries (UDP port 137) to every address in a range and reports, for each responding host, its IP address, NetBIOS computer name, logged-in user name, and MAC address. That listing lets an attacker map the network, single out servers and domain controllers by name, and choose entry points without yet touching any exploit.
Technical Insights into Attack Strategies
APT40 has been observed using ScanBox, a browser-based JavaScript reconnaissance framework, in phishing campaigns that lead victims to lookalike copies of legitimate news websites where the framework profiles the visitor's browser and system. These threat actors target a wide array of sectors, including telecommunications companies, managed IT service providers, government agencies, and critical infrastructure organizations.
The attackers exploit a range of vulnerabilities, some disclosed as far back as 2017, showing that long-known but unpatched flaws remain viable entry points. They combine off-the-shelf tools with custom-developed software for network discovery, lateral movement, and data exfiltration. Notable operations attributed to these groups include Operation Cloud Hopper and Operation Soft Cell, both attributed to APT10, as well as the APT40 activity detailed in a 2024 joint advisory from the Five Eyes intelligence alliance.
These threat actors are known to use modified versions of NBTscan and Nmap alongside custom malware to scan for open ports, gather system information, and map out network infrastructures. Their consistent use of these techniques over the past decade, coupled with sophisticated social engineering tactics, underscores their effectiveness in executing long-term cyber espionage campaigns against global entities.
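The NBTscan and Nmap behaviour described above, and the network-monitoring advice in the conclusion, can be turned into a concrete detection. The following is an added example written for this article, not code from Natto Thoughts or from any of the groups discussed. It runs a sliding-window detector over constructed NetFlow-style records: one source querying UDP/137 on many distinct hosts in a short window (the on-the-wire shape of NBTscan), and one source probing many distinct TCP ports on a single host (the shape of an Nmap port scan). The record format, thresholds, window size and sample traffic are all assumptions made for the example.

```python
"""
Sliding-window scan detector over constructed flow records.
Patterns flagged:
  * NetBIOS name-service sweep: one source -> UDP/137 on many hosts (NBTscan shape)
  * TCP port sweep: one source -> many TCP ports on one host (Nmap shape)
Record format, thresholds and window are assumptions for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

WINDOW_SECONDS = 60.0        # assumed window; tune per environment
NBNS_HOST_THRESHOLD = 20     # distinct hosts queried on UDP/137 inside one window
PORT_SCAN_THRESHOLD = 15     # distinct TCP ports on one host inside one window


@dataclass(frozen=True)
class Flow:
    ts: float    # epoch seconds
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'ts src dst proto dport' record."""
    ts, src, dst, proto, dport = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport))


def first_sweep(events, threshold: int, window: float) -> Optional[tuple]:
    """events: (ts, key) pairs. Return (ts, distinct) the first time the number
    of distinct keys seen within `window` seconds reaches `threshold`, else None.
    A scan spread thinly across many windows stays under the threshold; that is
    the blind spot every windowed detector has, so the window must be chosen."""
    events = sorted(events)
    in_window: Counter = Counter()
    start = 0
    for ts, key in events:
        in_window[key] += 1
        while events[start][0] < ts - window:   # expire events outside the window
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if len(in_window) >= threshold:
            return ts, len(in_window)
    return None


def detect_scans(flows: Iterable[Flow]) -> list:
    """Group NBNS queries by scanner and TCP probes by scanner->target pair,
    then apply the sliding-window test to each group."""
    nbns_by_src = defaultdict(list)     # src -> [(ts, dst)]
    ports_by_pair = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for f in flows:
        if f.proto == "udp" and f.dport == 137:
            nbns_by_src[f.src].append((f.ts, f.dst))
        elif f.proto == "tcp":
            ports_by_pair[(f.src, f.dst)].append((f.ts, f.dport))

    alerts = []
    for src, ev in nbns_by_src.items():
        hit = first_sweep(ev, NBNS_HOST_THRESHOLD, WINDOW_SECONDS)
        if hit:
            alerts.append({"type": "netbios_name_sweep", "src": src,
                           "ts": hit[0], "distinct_hosts": hit[1]})
    for (src, dst), ev in ports_by_pair.items():
        hit = first_sweep(ev, PORT_SCAN_THRESHOLD, WINDOW_SECONDS)
        if hit:
            alerts.append({"type": "tcp_port_sweep", "src": src, "dst": dst,
                           "ts": hit[0], "distinct_ports": hit[1]})
    return sorted(alerts, key=lambda a: a["ts"])


def build_sample_lines() -> list:
    """Constructed traffic (not from any real incident): a fast NBTscan-style
    sweep then an Nmap-style port sweep from 10.0.5.23, a slow sweep from
    10.0.5.99 that never reaches the threshold inside one window, and ordinary
    SMB/NetBIOS chatter from 10.0.5.40."""
    lines = []
    for i in range(30):   # 30 hosts in 30 s on UDP/137
        lines.append(f"{1000 + i} 10.0.5.23 10.0.6.{i + 1} udp 137")
    for i in range(40):   # 40 ports on one host in 40 s
        lines.append(f"{1100 + i} 10.0.5.23 10.0.6.7 tcp {i + 1}")
    for i in range(25):   # 25 hosts, one every 10 s: at most 7 inside 60 s
        lines.append(f"{2000 + 10 * i} 10.0.5.99 10.0.7.{i + 1} udp 137")
    lines += ["1500 10.0.5.40 10.0.6.2 tcp 445",
              "1501 10.0.5.40 10.0.6.3 tcp 445",
              "1502 10.0.5.40 10.0.6.2 udp 137",
              "1503 10.0.5.40 10.0.6.3 udp 137"]
    return lines


def run_sample() -> list:
    return detect_scans(parse_flow_line(l) for l in build_sample_lines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it yields exactly two alerts, both for 10.0.5.23: the NetBIOS sweep fires when the twentieth distinct host is queried and the port sweep when the fifteenth distinct port on 10.0.6.7 is probed. The slow scanner from 10.0.5.99 stays silent, which is the point worth noting: the window and thresholds decide what a "scan" is, and patient operators know that.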
Evolving Tactics in Recent Cyber Espionage Campaigns
Recent campaigns like Operation Diplomatic Specter and Earth Krahang highlight the evolving tactics of Chinese-linked APT groups. These campaigns illustrate how threat actors are blending established reconnaissance tools with new methodologies to target governmental entities across the Middle East, Africa, and Asia.
The group behind Operation Diplomatic Specter, identified as TGR-STA-0043, employs web scanning and NBTscan for network exploration. They also use tools like LadonGo, a penetration testing toolkit that aids in scanning and exploiting network vulnerabilities. Additionally, researchers have identified the adoption of a new toolkit called “Yasso,” which features SQL injection capabilities and remote shell functionalities, enabling attackers to execute commands on compromised systems remotely.
There are indications that Earth Krahang may be connected to the Chinese IT company i-Soon. The group's toolset includes open-source scanners such as sqlmap (SQL injection detection and exploitation), Nuclei (template-based vulnerability scanning), and Pocsuite (a proof-of-concept framework for verifying known vulnerabilities). Its operations track current political issues, aiming to obtain confidential information from diplomatic, military, and political leaders.
The adoption of tools like Yasso, which bundles database attack modules with remote command execution, shows these actors moving from pure discovery toward toolkits that let an operator pivot straight from a scan result to command execution on the host. That consolidation shortens the path from reconnaissance to intrusion, making the groups more adaptable and potentially more dangerous.
Conclusion
The Natto Thoughts analysis highlights a concerning trend: state-sponsored threat groups repurposing legitimate, open-source tools for malicious activity. By relying on widely available network scanning utilities, these groups conduct reconnaissance and identify vulnerable targets efficiently, and they often go unnoticed because the tools themselves are benign and common. A practical consequence is that detection cannot rest on signatures for the Nmap or NBTscan binaries; it has to key on behaviour, such as a single host querying NetBIOS names across many addresses, or probing many ports on one server, from a system that has no business doing so.
Organizations are urged to stay vigilant by keeping systems patched, including against the older, well-publicised vulnerabilities these groups still exploit; by deploying network monitoring that flags scanning patterns and other anomalous activity; and by educating employees about phishing campaigns. As these threat actors continue to refine their tactics, a proactive and informed defense strategy becomes ever more critical to safeguard against potential cyber attacks.