Hackers Compromise Systems at China’s National Games Right Before the Event

Cybersecurity Breach Targets China’s National Games Systems

In a significant cybersecurity incident, an unnamed Chinese-speaking group broke into systems linked to China's National Games last year. According to cybersecurity firm Avast, the intrusion began 12 days before the start of the event, which took place in Shaanxi Province from September 15 to 27, 2021.

Avast found that the attackers gained access to a web server by exploiting a vulnerability, then used that access to deploy multiple reverse web shells to establish a persistent foothold in the network. They worked methodically, first probing which file uploads the server would accept, then uploading executable code disguised as innocuous image files.
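The "code disguised as an image" step is a common and detectable pattern: the file carries an image extension (and sometimes a genuine image header) but contains server-side script markers. The following Python check is an added example written for this article, not code from Avast or from the incident; the filenames, byte strings and marker list are constructed here, and the JSP/Java markers are chosen because the attack involved a Tomcat server. It rejects an upload when the extension is not an allowed image type, when the content does not start with that type's magic bytes, or when code markers appear anywhere in the file, so a polyglot with a valid PNG header and a JSP payload further down is still caught.

```python
import re

# Magic-byte prefixes for the image types an upload form would accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Server-side code markers that have no business inside an image.
# JSP/Java markers first (a Tomcat-hosted shell is the relevant case here),
# plus PHP/ASP.NET equivalents so the same check covers other stacks.
CODE_MARKERS = [
    re.compile(rb"<%[@!=]?"),                        # JSP scriptlet or directive
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),   # Java command execution
    re.compile(rb"ProcessBuilder"),
    re.compile(rb"javax\.crypto\.Cipher"),           # encrypted-channel web shells
    re.compile(rb"<\?php"),
    re.compile(rb'<script\s+runat="server"'),
]

def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def has_image_magic(ext: str, data: bytes) -> bool:
    magic = IMAGE_MAGIC.get(ext)
    return magic is not None and data.startswith(magic)

def find_code_markers(data: bytes) -> list:
    """Return the patterns (as text) of every code marker found in the bytes."""
    return [m.pattern.decode() for m in CODE_MARKERS if m.search(data)]

def classify_upload(filename: str, data: bytes) -> dict:
    """Verdict for one uploaded file: 'accept' or 'reject' with reasons.

    A matching image header on its own does not clear a file; the whole
    content is scanned for code markers regardless of the header.
    """
    ext = extension_of(filename)
    reasons = []
    if ext not in IMAGE_MAGIC:
        reasons.append(f"extension '{ext}' is not an allowed image type")
    elif not has_image_magic(ext, data):
        reasons.append(f"content does not start with {ext} magic bytes")
    markers = find_code_markers(data)
    if markers:
        reasons.append("embedded code markers: " + ", ".join(markers))
    verdict = "reject" if reasons else "accept"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}

# Constructed samples for illustration, not files recovered from the incident.
SAMPLES = {
    # genuine-looking PNG: header plus the start of an IHDR chunk
    "logo.png": IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 32,
    # JSP shell renamed to .jpg, no image header at all
    "photo.jpg": b'<%@ page import="java.io.*" %>'
                 b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    # polyglot: valid PNG header, JSP payload after some padding
    "banner.png": IMAGE_MAGIC["png"] + b"\x00" * 64
                  + b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    # wrong extension outright
    "shell.jsp": b"<% out.println(1); %>",
}

def scan_samples() -> dict:
    return {name: classify_upload(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: {result['verdict']} {result['reasons']}")
```

The marker list is a heuristic and will not catch an obfuscated or encrypted payload; it belongs alongside, not instead of, storing uploads outside any directory the application server will execute and re-encoding images on the server side.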

The Czech firm said it has not yet determined what information was compromised, but assessed that the attackers are very likely native Chinese speakers or highly fluent in the language. According to Avast, the breach was cleaned up before the games began.

During the initial phase of the attack, the intruders did more than exploit the vulnerability: they also tried to reconfigure the server for their own use, including an attempt to install the Behinder web shell, which did not succeed. They then uploaded a fully weaponized Tomcat server bundled with several post-exploitation tools, giving them a working base for further actions inside the breached network.

Avast researchers David Álvarez Pérez and Jan Neduchal said the hackers then moved laterally through the network, using automated exploits and brute-force attacks to reach additional internal resources. In MITRE ATT&CK terms this stage falls under the Lateral Movement tactic (for example Exploitation of Remote Services, T1210) together with Credential Access via Brute Force (T1110); the earlier web-shell stage is what maps to initial access and persistence.

Alongside the web shells, the attackers dropped a network scanner and a custom exploitation framework written in Go, which automated the lateral movement and intrusions into other devices on the network. Go has become a popular choice for attack tooling because a single codebase can be cross-compiled into static binaries for the mix of operating systems and CPU architectures found on an internal network.
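The lateral-movement stage described in the two preceding paragraphs leaves two characteristic traces: bursts of failed logins against many accounts from one internal source (often followed by a success), and one source opening connections to many internal hosts, which is what a network scanner and automated exploitation framework look like from the network's point of view. The detector below is an added example, not Avast's code or anything recovered from the incident; the log lines, hostnames, addresses and thresholds are all constructed here. It parses sshd authentication messages and simplified firewall connection records, then flags sources that brute-force, succeed after a brute-force run, or fan out to more hosts than a server normally talks to.

```python
import re
from collections import defaultdict

# sshd authentication lines and a simplified firewall connection record.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
FW_RE = re.compile(r"CONN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_line(line: str):
    """Return a dict describing the event, or None for lines we do not model."""
    m = SSH_RE.search(line)
    if m:
        return {"kind": "ssh", **m.groupdict()}
    m = FW_RE.search(line)
    if m:
        return {"kind": "conn", **m.groupdict()}
    return None

def detect_lateral_movement(lines, fail_threshold=4, fanout_threshold=5) -> dict:
    """Per-source findings for brute force, success-after-failures and host fan-out.

    Counts are over the whole input; a production rule would window them by time.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    success_after_failures = set()
    dst_hosts = defaultdict(set)
    dst_ports = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["kind"] == "ssh":
            if ev["outcome"] == "Failed":
                failures[src] += 1
                users_tried[src].add(ev["user"])
            elif failures[src] >= fail_threshold:
                # a login that succeeds after a run of failures is the high-value signal
                success_after_failures.add(src)
        else:
            dst_hosts[src].add(ev["dst"])
            dst_ports[src].add(ev["dport"])
    findings = {}
    for src in sorted(set(failures) | set(dst_hosts)):
        f = {
            "brute_force": failures[src] >= fail_threshold,
            "users_tried": sorted(users_tried[src]),
            "success_after_failures": src in success_after_failures,
            "host_fanout": len(dst_hosts[src]) >= fanout_threshold,
            "distinct_hosts": len(dst_hosts[src]),
            "distinct_ports": len(dst_ports[src]),
        }
        if f["brute_force"] or f["success_after_failures"] or f["host_fanout"]:
            findings[src] = f
    return findings

# Constructed sample log, not from the incident: 10.20.1.15 is a compromised web
# server brute-forcing a neighbour and then sweeping the segment; 10.20.3.7 is an
# administrator who mistyped a password once.
LOG_LINES = """\
Sep 03 02:10:01 web01 sshd[4101]: Failed password for root from 10.20.1.15 port 50211 ssh2
Sep 03 02:10:02 web01 sshd[4101]: Failed password for root from 10.20.1.15 port 50212 ssh2
Sep 03 02:10:02 web01 sshd[4101]: Failed password for invalid user admin from 10.20.1.15 port 50213 ssh2
Sep 03 02:10:03 web01 sshd[4101]: Failed password for oracle from 10.20.1.15 port 50214 ssh2
Sep 03 02:10:04 web01 sshd[4101]: Failed password for tomcat from 10.20.1.15 port 50215 ssh2
Sep 03 02:10:09 web01 sshd[4102]: Accepted password for tomcat from 10.20.1.15 port 50216 ssh2
Sep 03 02:11:40 web01 sshd[4190]: Failed password for alice from 10.20.3.7 port 61002 ssh2
Sep 03 02:11:52 web01 sshd[4191]: Accepted publickey for alice from 10.20.3.7 port 61003 ssh2
Sep 03 02:12:00 web01 CRON[4200]: (root) CMD (run-parts /etc/cron.hourly)
Sep 03 02:12:00 fw01 kernel: CONN src=10.20.1.15 dst=10.20.1.20 dport=22
Sep 03 02:12:00 fw01 kernel: CONN src=10.20.1.15 dst=10.20.1.21 dport=22
Sep 03 02:12:01 fw01 kernel: CONN src=10.20.1.15 dst=10.20.1.22 dport=8080
Sep 03 02:12:01 fw01 kernel: CONN src=10.20.1.15 dst=10.20.1.23 dport=8080
Sep 03 02:12:01 fw01 kernel: CONN src=10.20.1.15 dst=10.20.1.24 dport=445
Sep 03 02:12:02 fw01 kernel: CONN src=10.20.1.15 dst=10.20.1.25 dport=445
Sep 03 02:12:05 fw01 kernel: CONN src=10.20.3.7 dst=10.20.1.20 dport=443
"""

if __name__ == "__main__":
    for src, f in detect_lateral_movement(LOG_LINES.splitlines()).items():
        print(src, f)
```

The thresholds are deliberately low for the sample; in practice they should be tuned per host role, and a web server that initiates SSH or SMB connections to its neighbours at all is worth a rule of its own.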

Taken together, the observed chain covers initial access (the exploited web server), persistence (the web shells and the weaponized Tomcat instance) and lateral movement (the scanner, the Go exploitation framework and the brute forcing). Organizations should keep their defenses under review as attackers lean on increasingly automated tooling for the stages that follow the first foothold.

The incident is a cautionary tale for any organization running public-facing web applications: one exploitable server led to web shells, a rogue application server and automated lateral movement across the internal network. Practical countermeasures include validating uploaded files by content rather than by extension, keeping upload directories out of any path the server will execute, limiting what the web server's account can reach internally, and alerting on brute-force and scanning behaviour that originates from servers which should never initiate such connections.
