China-nexus threat actors are improving and accelerating the weaponization and deployment of exploits for newly disclosed common vulnerabilities and exposures (CVEs) and, over the past 12 months, have exploited new vulnerabilities at a “significantly higher” rate than in 2020, according to CrowdStrike’s eighth annual Global Threat Report.
CrowdStrike Intelligence said it confirmed exploitation of two vulnerabilities disclosed in 2020 by China-nexus advanced persistent threat (APT) actors – in Oracle WebLogic and Zoho ManageEngine, respectively – but that last year it was able to confirm exploitation of 12 vulnerabilities across nine different products, linked to 10 known APTs, including the infamous Wicked Panda (aka APT41 or Barium).
Analysts said that while Chinese APTs have long developed and deployed their own exploits in targeted intrusions, 2021 saw an increase in the volume of Chinese APT exploitation activity, highlighting an evolution in how these groups operate.
“For years, Chinese actors have relied on exploits that require user interaction, whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code,” the report’s authors wrote.
“In contrast, exploits deployed by these actors in 2021 have focused heavily on vulnerabilities in internet-connected devices or services.”
Among the vulnerabilities favored by Chinese APTs in 2021 were the Microsoft Exchange bugs known collectively as ProxyLogon and ProxyShell, as well as flaws in networking products such as VPNs and routers. These actors are also increasingly turning to enterprise software products hosted on internet-facing servers.
The CrowdStrike team assessed that these exploits are largely developed independently in-house or, in a new twist, acquired from legitimate sources in China.
“In particular,” the team wrote, “the Tianfu Cup hacking contest demonstrates the significant exploit development talent within the hacking community in China.
“Exploits submitted to the Tianfu Cup were later acquired by Chinese targeted intrusion actors for use in their operations. In several incidents in 2021, Chinese actors demonstrated their ability to quickly operationalize public proof-of-concept exploit code.”
The latest edition of the report highlights the continued adaptation of state-linked targeted intrusion adversaries to new strategic opportunities and demands, and not just among those linked to China. The other members of the Big Four nation-state adversaries – Russia, Iran and North Korea – also adopted new tradecraft in 2021: Russian actors targeted IT and cloud service providers, Iranian actors now prefer to disguise their intrusions as ransomware attacks, and North Korean actors focused on cryptocurrency-related targets to maintain their cash flow.
Beyond the Big Four and other governments with established cyber capabilities, CrowdStrike added two new “adversary animals” to its threat matrix in 2021 – Wolf for Turkey and Ocelot for Colombia, joining Bear (Russia), Panda (China) and Kitten (Iran). This underscores a growth in offensive capabilities beyond the governments traditionally associated with cyber operations, and highlights the growing variety of national objectives.
CrowdStrike also noted the contribution of what it calls private sector offensive actors, or “hackers for hire” – Israeli spyware developers NSO Group and Candiru fall into this category – and the continued development and proliferation of grassroots hacktivist groups, which are labeled Jackal in the animal matrix, especially in Belarus and Iran.