Chinese Hackers Silently Siphoned Trade Secrets For Years
Read also: Rari Capital and Fei Protocol DeFi projects lost over $80M in a hack, Romania hit with DDoS attacks, and more.
China-linked Winnti Group caught stealing intellectual property from US, European firms
State-sponsored hackers believed to be working on behalf of the Chinese government have been stealing intellectual property and sensitive information from technology and manufacturing firms in North America, Europe, and Asia as part of a years-long cyber-espionage campaign.
Dubbed “Operation CuckooBees,” the campaign conducted by the Winnti APT group (aka APT41, Axiom, Barium, Blackfly, and Bronze Atlas) has been underway since 2019 and has managed to exfiltrate hundreds of gigabytes of information, including intellectual property developed by the targets, such as sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.
The threat actors also collected information that could be useful in future attacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data. To reach their goals the attackers leveraged previously unknown malware dubbed “Deploylog” and abused the Windows Common Log File System (CLFS) and the NTFS transaction mechanism to hide malicious payloads from security solutions.
Cyber crooks steal over $80 million from Rari Capital and Fei Protocol DeFi projects
Decentralized finance (DeFi) platforms Rari Capital and Fei Protocol suffered a hack that resulted in an $80 million loss. The attackers drained funds from several Fuse pools by exploiting a re-entrancy vulnerability in Rari's Fuse lending protocol, a flaw that lets an external contract call back into the protocol before it has updated its own state.
Romanian government websites hit with DDoS attacks
Romanian government websites and financial institutions were a target of a series of DDoS attacks launched by Killnet, a pro-Russia hacker group responsible for cyber-attacks against institutions in the US, Estonia, Poland, the Czech Republic, as well as NATO websites.
The attacks, which started on April 29, 2022, impacted websites belonging to Romanian government entities, including the defense ministry, the border police, the railway company CFR Calatori, and an unnamed financial institution.
Serviciul Român de Informații (SRI), the Romanian intelligence service, said that the DDoS attacks were launched using hacked network equipment located outside the country.
Heroku shares details on the April cyber incident involving OAuth token theft
The Salesforce-owned cloud platform Heroku admitted that attackers used a compromised OAuth token to gain access to its internal database and exfiltrate the hashed and salted passwords for customers’ user accounts.
The incident in question relates to a theft of OAuth tokens that GitHub revealed in April, which were used to compromise dozens of organizations, including npm. The security breach affected four OAuth applications related to Heroku Dashboard and one from Travis CI.
Last week, GitHub said it believes that the attacks were highly targeted and “the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories.”
As Heroku revealed in an updated blog post, the attackers used a compromised token for a Heroku machine account, gained access to its database and downloaded stored customer GitHub integration OAuth tokens. The company has also initiated a forced password reset on some user accounts “as part of our efforts to enhance our security.”
FBI: BEC attacks have cost more than $43 billion since 2016
Business Email Compromise/Email Account Compromise (BEC/EAC) scams have caused domestic and international losses of over $43 billion over the past six years, with banks located in Thailand and Hong Kong being the primary recipients of stolen funds, according to FBI statistics derived from filings with financial institutions between June 2016 and December 2021.
The stats show a 65% increase in identified global exposed losses between June 2016 and December 2021, which can be partly attributed to the COVID-19 pandemic that forced many organizations and individuals to conduct routine business online, the FBI said.