Chinese-Affiliated Hackers Breach East Asian Company for 3 Years Via F5 Devices

June 17, 2024NewsroomCyber Espionage / Vulnerability


An alleged Chinese-associated cyber espionage group has been identified as the perpetrator of a long-lasting breach on an undisclosed organization located in East Asia for approximately three years. The group managed to maintain persistence by utilizing outdated F5 BIG-IP devices and leveraging them as an internal command-and-control (C&C) mechanism for evasion tactics.

The cybersecurity firm Sygnia, which intervened in the breach in late 2023, has labeled the activity as Velvet Ant, describing it as possessing advanced capabilities to swiftly adjust and modify their strategies to counter remediation efforts.

“Velvet Ant is a sophisticated and forward-thinking threat actor,” stated the Israeli company in a technical report shared with The Hacker News. “They gathered sensitive data over an extended timeframe, concentrating on customer and financial records.”


The attack chains involve the deployment of a well-known backdoor named PlugX (also known as Korplug), a modular remote access trojan (RAT) extensively used by espionage groups associated with Chinese interests. PlugX relies heavily on a technique known as DLL side-loading to get its payload loaded on the host.

Sygnia revealed that the threat actor also tried to disable endpoint security solutions before implanting PlugX, utilizing open-source tools like Impacket for lateral movement.

Another discovery made during incident response and mitigation efforts was an updated version of PlugX that used an internal file server for C&C, enabling the malicious traffic to blend in with legitimate network operations.

“This resulted in the threat actor deploying two iterations of PlugX within the network,” noted the company. “The initial version, configured with an external C&C server, was installed on endpoints with direct internet connectivity, facilitating the extraction of sensitive details. The second iteration lacked a C&C configuration and was exclusively deployed on older servers.”


In particular, the second variant was found to have used outdated F5 BIG-IP devices as a covert channel to reach the external C&C server, relaying commands over a reverse SSH tunnel, once again emphasizing how compromised edge devices can give threat actors long-term persistence.

“For a mass exploitation event to occur, all that is needed is a vulnerable edge service, indicating a software component that is accessible from the internet,” stated WithSecure in a recent analysis.


“Such devices are typically designed to enhance network security, but vulnerabilities in these devices have been frequently exploited by attackers, providing an ideal entry point into a targeted network.”

Subsequent forensic examination of the compromised F5 devices revealed the presence of a tool named PMCD that contacts the threat actor’s C&C server every hour to receive commands to execute, in addition to other tools for capturing network packets and a SOCKS tunneling utility named EarthWorm that has been utilized by threat actors like Gelsemium and Lucky Mouse.
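Two of the behaviours described above are detectable from ordinary perimeter flow logs: a fixed-interval check-in (PMCD polling its C&C every hour) and an edge appliance initiating an outbound SSH session it has no business making (the reverse SSH tunnel). The following is an added example, not code from Sygnia's report or from F5, that runs a simple periodicity check and an edge-device outbound-SSH check over a constructed set of flow records. The log format, the addresses (including the hypothetical F5 management address 10.0.5.20), and the asset inventory in EDGE_DEVICES are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log: "timestamp src dst dport bytes".
# 10.0.5.20 (assumed F5 management address) contacts 203.0.113.7:443 once an
# hour with a near-constant payload size, and also opens one outbound SSH
# session to 203.0.113.9. The 10.0.8.15 lines are ordinary user traffic.
SAMPLE_FLOWS = """\
2024-05-01T00:00:03 10.0.5.20 203.0.113.7 443 1480
2024-05-01T00:12:41 10.0.8.15 198.51.100.3 443 9021
2024-05-01T01:00:05 10.0.5.20 203.0.113.7 443 1502
2024-05-01T01:37:10 10.0.8.15 198.51.100.3 443 2210
2024-05-01T02:00:02 10.0.5.20 203.0.113.7 443 1477
2024-05-01T03:00:04 10.0.5.20 203.0.113.7 443 1490
2024-05-01T03:15:00 10.0.5.20 203.0.113.9 22 66210
2024-05-01T04:00:06 10.0.5.20 203.0.113.7 443 1488
2024-05-01T04:44:12 10.0.8.15 198.51.100.3 443 310
"""

# Constructed asset inventory: appliances that should never originate SSH.
EDGE_DEVICES = {"10.0.5.20"}


def parse_flows(text):
    """Parse the whitespace-separated flow format used in SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def find_periodic_beacons(flows, min_events=4, max_jitter=0.05):
    """Flag (src, dst, dport) tuples whose connection gaps are nearly constant.

    Jitter is the population standard deviation of the inter-arrival gaps
    divided by their mean; genuine user traffic is bursty and scores high,
    a scheduled check-in scores close to zero.
    """
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    findings = []
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times),
                "period_s": round(avg),
                "jitter": round(jitter, 4),
            })
    return findings


def find_edge_outbound_ssh(flows, edge_devices=EDGE_DEVICES):
    """Return flows where an inventoried edge appliance initiates SSH outbound."""
    return [f for f in flows if f["src"] in edge_devices and f["dport"] == 22]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in find_periodic_beacons(flows):
        print("periodic check-in:", hit)
    for f in find_edge_outbound_ssh(flows):
        print("edge device outbound SSH:", f["src"], "->", f["dst"])
```

On the sample data the first check isolates the hourly 10.0.5.20 to 203.0.113.7 connections (five events, period about 3600 seconds, jitter well under 1%), while the three irregular user connections are ignored; the second check surfaces the single outbound SSH session from the appliance. In a real deployment the inventory set would come from the CMDB and the thresholds would be tuned against a baseline, but the point stands that an edge device beaconing on a schedule, or acting as an SSH client at all, is worth an alert.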

The exact initial breach method – be it spear-phishing or exploiting known vulnerabilities in publicly exposed systems – used to infiltrate the target environment remains unknown at present.

This development comes on the heels of the emergence of new China-affiliated groups known as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace, all observed targeting Asia with the aim of collecting confidential information.
