Chinese group C0d0so0 identified behind cyber-attacks (with intelligible words)
- Vanessa Henri
- Jan 28, 2016
- 4 min read
A few days ago, the Palo Alto Networks Blog published a post asserting that Unit 42 has identified a group of malware which they associate with the Chinese cyber-criminal group named C0d0so0 or Codoso.
Now, for those of us that do not speak IT, it gets complicated really fast.
So let's take it step by step.
Who or what is Unit 42?
Palo Alto Networks' description of Unit 42 is as follows:
Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments.
Analyzing data collected from criminal activities allows Unit 42 to explain the motivations and methods behind the cyberattacks. This is not only instructive, it's also really useful. If someone steals official papers from your safe, you will want to know how they managed to open it, how they knew that something of interest would be inside, why they picked you among others, and what they intend to do with these papers. You will want the answers to these questions to protect yourself against future threats and to assess the consequences of the breach. This information must reach the Chief Security Officer within the organization as fast as possible, who will then work with public relations, lawyers and other specialists towards a strategy to handle the problem.
Back to the thief who stole your official papers now.
You call the police, and wait for them to come to the scene of the crime.
They will certainly take your deposition, but it is very likely that you will never hear from them again. If you want to know more, you will most likely need help from the private sector.
Cyber-security firms are the equivalent of independent detectives. They fill in where the police can't because of a lack of resources or knowledge.
Don't go thinking that these cyber security teams are a bunch of geeks fresh out of high school. Unit 42, for instance, is composed of:
A Chief Security Officer;
An Architect - Threat Intelligence; and
A few cyber threat intelligence analysts.
(Fancy titles, I know. Very illustrative of the militarisation of cyberspace).
Who is this Codoso group that you speak of?
"This group is well known for a widely publicized attack involving the compromise of Forbes.com, in which the site was used to compromise selected targets via a watering hole to a zero-day Adobe Flash exploit. Compared to other adversary groups, C0d0so0 has shown the use of more sophisticated tactics and tools and has been linked to leveraging zero-day exploits on numerous occasions in combination with watering hole and spear phishing attacks." (Palo Alto Networks)
Before we go any further, you probably want to know what is meant by "watering hole" and "spear phishing attacks".
According to Invincea, "watering hole attacks (...) are like traditional drive-by downloads" but "highly targeted in nature". It's basically "the hijacking of legitimate websites to push malware". The attack is then a two-step process:
1. The hacker identifies a website that they know the victims like to visit. For instance, members of a given university will often browse the university's website. If your target is McGill U's researchers, you can use the McGill website as the watering hole.
2. The hacker exploits a vulnerability in the website (this can be done using malware packages that identify vulnerabilities) and hides malware on the site without the site owner knowing. Users are infected simply by browsing the website.
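Step 2 is what a site owner can actually look for: content that the site never published. The following is an added example, not code from the original post or from Palo Alto Networks. It parses a page with Python's standard-library HTML parser and flags script, iframe, object and embed references whose host is not on the site's own allowlist, plus zero-size or hidden frames, which are a common shape for injected content. The sample page, the allowlist and the `203.0.113.10` address are constructed for the example.

```python
"""Check a web page for embedded resources that do not belong to the site (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute can pull executable or embedded content into the page.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class ResourceCollector(HTMLParser):
    """Collect every script/iframe/object/embed reference and whether it is hidden."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, hidden) tuples

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr)
        if not url:
            return
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (
            attrs.get("width") == "0"
            or attrs.get("height") == "0"
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.resources.append((tag, url, hidden))


def find_injected_resources(html, allowed_hosts):
    """Return findings for references that point off-site or are deliberately hidden."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, hidden in parser.resources:
        host = urlparse(url).hostname
        # Relative URLs have no host: they are served by the site itself, so skip them.
        if host is None:
            continue
        host = host.lower()
        on_allowlist = any(host == a or host.endswith("." + a) for a in allowed_hosts)
        if not on_allowlist:
            findings.append({"tag": tag, "url": url, "hidden": hidden,
                             "reason": "unexpected external host " + host})
        elif hidden:
            findings.append({"tag": tag, "url": url, "hidden": True,
                             "reason": "hidden embedded frame"})
    return findings


# Constructed sample page: the site's own assets, one legitimate CDN script on an
# allowed domain, and an injected zero-size iframe pointing at an unrelated host.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-university.edu/lib.js"></script>
</head><body>
<h1>Research news</h1>
<iframe src="http://203.0.113.10/ad.html" width="0" height="0"></iframe>
</body></html>
"""

# Hosts the site owner knows their pages legitimately load from (constructed).
ALLOWED_HOSTS = ["example-university.edu"]

if __name__ == "__main__":
    for finding in find_injected_resources(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(finding)
```

Run this against a copy of each page as the web server actually serves it, not against the source in the repository: the whole point of a watering hole is that the served copy differs from what the owner thinks is published.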
Spear phishing attacks are emails that appear to come from someone or a business that you know, but do not, and that allow hackers to access personal information. They involve some type of action on the part of the victim.
Ok, so what is Codoso up to now? And why should I be concerned?
Well, they kind of disappeared from the map for a while, until they were spotted again by Unit 42. They are using tactics very similar to those they used against Forbes' website.
According to Unit 42 experts, Codoso is attacking specific sectors: academic establishments, telecommunications, manufacturing, legal services and technology. According to Leo Taddeo, chief security officer at Cryptzone, who spoke to SCMagazineUK, it appears that Codoso is trying to obtain valuable economic intelligence in order to maintain competitiveness for Chinese industries. Specifically, he identifies China as "the most prolific state actors deploying cyber-espionage to provide state-owned enterprises an economic advantage".
Practically, this means that if you have a very interesting start-up based on a new innovation, a Chinese hacker may steal the business plan and replicate your product at a cheaper price (and often at a lower quality). You know that iPhone charger that you bought cheaper (from China) than the regular one, but it doesn't last very long and doesn't charge your phone as fast? It's about the same principle.
How did Unit 42 identify Codoso?
It involves a complex technical analysis of the modus operandi of the malware. "Modus operandi" is judicial jargon.
IT people commonly refer to TTPs (tactics, techniques and procedures) rather than modus operandi.
Anyway, Unit 42 identified a set of malware used in a sophisticated watering hole attack and concluded that:
The malware variants in question do not appear to belong to any known malware family, although the structure of the network communication does bear a resemblance to the Derusbi malware family, which has shown to be unique to Chinese cyber espionage operators. Past observations of Derusbi in various attack campaigns indicate the version used was compiled specifically for that campaign. Derusbi has had both the client and server variants deployed, using different combinations of configurations and modules. The newly discovered activity is consistent with this procedure, with compile times only a few days prior to the observed attacks.
Here's what the structure of the network communication looked like (diagram from Palo Alto Networks):

They then managed to identify the primary C2 servers used, and found that the IP addresses led them to Hong Kong.
Wait, "primary C2 servers" you said? This refers to the Command and Control (C2) server used by attackers to maintain communications with compromised systems within a target network. It's through this server that commands are issued to compromised computers.
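Because a compromised machine has to keep checking in with its C2 server, that check-in traffic is one of the things defenders look for: a piece of software phones home at machine-regular intervals, while a person browsing does not. The following is an added example, not code from the original post or from Unit 42. It reads constructed proxy-style log lines (format assumed: ISO timestamp, source IP, destination host, bytes), groups connections by source and destination, and flags pairs whose gaps between connections are both frequent and nearly constant. The thresholds and the sample addresses are assumptions for the example.

```python
"""Flag periodic outbound connections that look like C2 beaconing (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src ip> <dst host> <bytes>".
# 10.0.0.5 contacts the same host every five minutes with almost no jitter,
# while 10.0.0.7 reads a news site at irregular, human-paced intervals.
SAMPLE_LOG = """\
2016-01-28T09:00:00 10.0.0.5 203.0.113.50 512
2016-01-28T09:05:01 10.0.0.5 203.0.113.50 511
2016-01-28T09:10:00 10.0.0.5 203.0.113.50 512
2016-01-28T09:14:59 10.0.0.5 203.0.113.50 513
2016-01-28T09:20:00 10.0.0.5 203.0.113.50 512
2016-01-28T09:25:01 10.0.0.5 203.0.113.50 512
2016-01-28T09:00:30 10.0.0.7 news.example.org 14022
2016-01-28T09:01:10 10.0.0.7 news.example.org 8731
2016-01-28T09:09:45 10.0.0.7 news.example.org 20111
2016-01-28T09:31:02 10.0.0.7 news.example.org 9950
2016-01-28T09:33:40 10.0.0.7 news.example.org 11230
2016-01-28T10:02:15 10.0.0.7 news.example.org 7712
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each non-empty line of the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return (src, dst, mean_gap_seconds, jitter) for pairs that look like beacons.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a timer-driven beacon has a very low value, while
    human browsing produces gaps that vary by a large fraction of their mean.
    """
    sessions = defaultdict(list)
    for ts, src, dst in parse_log(text):
        sessions[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in sessions.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections at the same instant: not a beacon pattern
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            results.append((src, dst, round(avg, 1), round(jitter, 3)))
    return results


if __name__ == "__main__":
    for src, dst, avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {avg}s, jitter {jitter}")
```

On real logs, expect legitimate periodic traffic too (update checks, monitoring agents, mail polling), so the output is a list of things to look at, not a verdict; the value of the technique is that it finds the regular check-in regardless of which port or domain the attackers chose.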