Spear-phishing emails used to infiltrate network infrastructure.
Gambling and gaming businesses have been subjected to an advanced multi-stage cyber-attack by APT41, a Chinese state-sponsored threat group.
According to media reports, APT41 may have used spear-phishing emails to gain an initial foothold in the targeted network infrastructure, following up with a DCSync attack, which abuses Active Directory's replication protocol to request account data from a domain controller and so extract password hashes.
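DCSync leaves a trace: when a principal that is audited for the "Replicating Directory Changes" rights asks a domain controller for replication data, Windows records Security event 4662 with the replication control-access-right GUIDs in its Properties field. The script below is an added example, not code from the article or from the researchers who analysed the attack. It runs a simple detection over a handful of constructed, flattened 4662 lines (not real logs), allow-listing the domain controller machine accounts of a hypothetical CORP domain so that normal DC-to-DC replication is ignored and any other account exercising Get-Changes or Get-Changes-All is flagged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Control-access-right GUIDs recorded in the Properties field of Security event
# 4662 when a principal exercises directory replication rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample events flattened to key=value pairs; not real logs.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC01$ SubjectDomainName=CORP AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_backup SubjectDomainName=CORP AccessMask=0x100 "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=CORP LogonType=3",
]

# Hypothetical inventory of domain controller machine accounts for the sample domain.
DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}


@dataclass(frozen=True)
class Alert:
    account: str
    rights: tuple[str, ...]


def parse_event(line: str) -> dict[str, str]:
    """Split a flattened 'key=value key=value' event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def replication_rights(properties: str) -> tuple[str, ...]:
    """Return the replication right names among the GUIDs in a Properties field."""
    return tuple(
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    )


def find_dcsync(lines: list[str], dc_accounts: set[str]) -> list[Alert]:
    """Flag 4662 events where a non-DC principal exercised replication rights.

    Replication between domain controllers is normal, so DC machine accounts
    are allow-listed; any other account requesting Get-Changes(-All) is a
    DCSync candidate to correlate with the source host and time.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        account = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if account in dc_accounts:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights:
            alerts.append(Alert(account, rights))
    return alerts


if __name__ == "__main__":
    for a in find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"possible DCSync by {a.account}: {', '.join(a.rights)}")
```

Real 4662 events are XML rather than the flattened form used here, and the allow-list needs to include any non-DC identities that legitimately hold replication rights, such as the account used by a directory synchronisation service, or the rule will fire on them.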
APT41 then used the obtained credentials for post-exploitation and reconnaissance. After weeks of inactivity, the attackers returned and launched obfuscated JavaScript that acts as a loader for a follow-on machine-fingerprinting payload, which targets only devices whose IP addresses contain the substring '10.20.22'.
"This highlights which specific devices are valuable to the attacker, namely those in the subnets 10.20.22[0-9].[0-255]," researchers added. "By correlating this information with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker was using this filtering mechanism to ensure only devices within the VPN subnet were affected."
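A plain substring test on a dotted-quad address string is wider than the 10.20.22.0/24 network it appears to name, which matters when scoping which hosts the fingerprinting payload could have run on. The script below is an added example written for this article, not the payload's code or the researchers' tooling; it assumes the payload compared the substring against the ordinary dotted-quad form of the address and runs the check over a constructed host inventory, contrasting it with a proper CIDR membership test and listing the /24s an incident responder would need to collect from.

```python
from __future__ import annotations

import ipaddress

# The substring the fingerprinting payload was reported to look for.
TARGET_SUBSTRING = "10.20.22"

# Constructed inventory of host addresses; not taken from the incident.
INVENTORY = [
    "10.20.22.15",    # inside the /24 the substring appears to name
    "10.20.220.7",    # also matches: '10.20.22' is a prefix of '10.20.220'
    "10.20.229.200",  # also matches
    "10.20.23.4",     # does not match
    "110.20.22.9",    # matches: a substring test is not anchored to the start
    "172.16.5.12",    # does not match
]


def attacker_filter(ip: str) -> bool:
    """Emulate the reported check: an unanchored substring match on the address string."""
    return TARGET_SUBSTRING in ip


def in_network(ip: str, cidr: str) -> bool:
    """Correct membership test of an address against a CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matched_hosts(hosts: list[str]) -> list[str]:
    """Hosts on which the payload's filter would let the fingerprinting stage run."""
    return [h for h in hosts if attacker_filter(h)]


def over_matched(hosts: list[str], intended_cidr: str = "10.20.22.0/24") -> list[str]:
    """Matched hosts that lie outside the network the substring appears to name."""
    return [h for h in matched_hosts(hosts) if not in_network(h, intended_cidr)]


def matched_networks(hosts: list[str]) -> list[str]:
    """Distinct /24s containing a matched host, for scoping evidence collection."""
    nets = {
        str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in matched_hosts(hosts)
    }
    return sorted(nets, key=lambda n: ipaddress.ip_network(n))


if __name__ == "__main__":
    print("hosts the filter passes:", matched_hosts(INVENTORY))
    print("outside 10.20.22.0/24:  ", over_matched(INVENTORY))
    print("/24s to collect from:   ", matched_networks(INVENTORY))
```

The over-matched addresses are the point: a host in 10.20.220.0/24 or 10.20.229.0/24 passes the filter just as a VPN client in 10.20.22.0/24 does, so a responder who only pulls artefacts from the single /24 the substring suggests will miss candidates.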
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.