By: Ravie Lakshmanan
Systems hosting content pertaining to the National Games of China were successfully breached last year by an unnamed Chinese-language-speaking hacking group.
Cybersecurity firm Avast, which dissected the intrusion, said that the attackers gained access to a web server 12 days prior to the start of the event on September 3 to drop multiple reverse web shells for remote access and achieve permanent foothold in the network.
The National Games of China, a multi-sport event held every four years, took place in the Shaanxi Province between September 15 and 27, 2021.
The Czech company said it was unable to determine the nature of the information stolen by the hackers, adding it has “reason to believe [the attackers] are either native Chinese-language speakers or show high fluency in Chinese.” The breach is said to have been resolved ahead of the start of the games.
The initial access was facilitated by exploiting a vulnerability in the webserver. But before dropping the web shells, the adversary also experimented with the type of files that they were able to upload to the server, only to follow it up with submitting executable code that masqueraded as seemingly harmless images files.
Additionally, attempts were made to reconfigure the server to execute the Behinder web shell, failing which the operators “uploaded and ran an entire Tomcat server properly configured and weaponized” with the post-exploitation tool.
“After gaining access, the attackers tried to move through the network using exploits and bruteforcing services in an automated way,” Avast researchers David Álvarez Pérez and Jan Neduchal said.
Among other tools uploaded to the server included a network scanner and a custom one-click exploitation framework written in Go that enabled the threat actor to carry out lateral movement and autonomously break into other devices within the same network.
“Go is a programming language becoming more and more popular which can be compiled for multiple operating systems and architectures, in a single binary self-containing all dependencies,” the researchers said, calling out the increasing use of Go-based malware to conduct cyber attacks.
“So we expect to see malware and grey tools written in this language in future attacks, especially in [Internet of things] attacks where a broad variety of devices leveraging different kinds of processor architectures are involved.”