
APT41 Targeting Gambling and Gaming

Spear-phishing emails used to infiltrate network infrastructure.

Gambling and gaming businesses have been subjected to an advanced multi-stage cyber-attack by Chinese state-sponsored threat operation APT41.

According to media reports, APT41 may have leveraged spear-phishing emails to infiltrate targeted network infrastructure, against which it would then launch a DCSync attack that enables password hash exfiltration.

APT41 would then exploit any obtained credentials for post-exploitation and reconnaissance efforts. After weeks of inactivity, the attackers resumed activity, launching obfuscated JavaScript code that functions as a loader for a subsequent machine-fingerprinting payload targeted at devices with the '10.20.22' substring within their IP addresses.

"This highlights which specific devices are valuable to the attacker, namely those in the subnets 10.20.22[0-9].[0-255]," researchers added. "By correlating this information with network logs and the IP addresses of the devices where the file was found, we concluded that the attacker was using this filtering mechanism to ensure only devices within the VPN subnet were affected."
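A defender-side check for the DCSync activity described in the report, as an added example that is not from the article or the researchers it quotes: it scans exported Windows Security events (Event ID 4662) for directory replication rights exercised by accounts that are not expected to replicate. The JSON-lines field layout, the allowlist and the sample events are constructed assumptions.

```python
import json

# Control-access right GUIDs requested by directory replication, which is
# what DCSync abuses to pull password hashes from a domain controller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Assumption: accounts expected to replicate (domain controllers, sync services).
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "svc-dirsync"}

# Constructed sample: Security log events exported as one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4662, "TimeCreated": "2024-01-10T02:11:05Z", "SubjectUserName": "DC01$", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "TimeCreated": "2024-01-10T02:14:37Z", "SubjectUserName": "jsmith", "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"}
{"EventID": 4662, "TimeCreated": "2024-01-10T02:15:02Z", "SubjectUserName": "jsmith", "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "TimeCreated": "2024-01-10T02:16:40Z", "SubjectUserName": "helpdesk-admin"}
not-json: truncated export line
{"EventID": 4662, "TimeCreated": "2024-01-10T02:20:13Z", "SubjectUserName": "helpdesk-admin", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
"""

def find_dcsync_candidates(lines, allowed=ALLOWED_REPLICATORS):
    """Return (time, account, rights) for replication access by non-allowlisted accounts."""
    allowed_lc = {a.lower() for a in allowed}
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged export lines
        if not isinstance(ev, dict) or ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()  # GUID case varies between exports
        rights = sorted(n for g, n in REPLICATION_RIGHTS.items() if g in props)
        account = ev.get("SubjectUserName", "")
        if rights and account.lower() not in allowed_lc:
            hits.append((ev.get("TimeCreated"), account, rights))
    return hits

if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Event 4662 is only logged when Directory Service Access auditing is enabled on the domain controllers, so an empty result on its own does not rule out replication abuse.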

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
