Today, Cybereason released new threat research highlighting a multi-year cyber espionage operation led by Winnti, a Chinese Advanced Persistent Threat (APT) group targeting technology and manufacturing companies across the US, Europe, and Asia to steal trade secrets. 

Cybereason’s research also unveiled some of the core obfuscation techniques used by the attackers, such as abusing the Windows Common Log File System (CLFS) mechanism and NTFS transaction manipulation to conceal malicious payloads and evade detection by traditional security products.

While Winnti’s campaign primarily targeted technology and manufacturing companies, the techniques the attackers used pose a risk to every enterprise. Organizations need to be aware of these techniques to prevent them from being reused against them by other cyber gangs and APTs seeking to steal intellectual property.

How Operation Cuckoo Bees worked 

As mentioned above, during Operation Cuckoo Bees, most targets were compromised by exploiting Windows CLFS. 

“Cybereason investigators discovered the initial infection vector that was used to compromise Winnti targets consisted of the exploitation of a popular ERP solution leveraging multiple vulnerabilities, some known and some that were unknown at the time of the exploitation,” said Assaf Dahan, senior director and head of threat research at Cybereason.

“The threat actors also used the logging framework Windows CLFS by abusing the CLFS undocumented file format to stealthily store malicious payloads,” Dahan said.

In this case, the malicious payload was a previously undisclosed piece of malware, referred to as Winnti malware, that included digitally signed kernel-level rootkits and a multi-stage infection chain designed to avoid detection, so the attackers could collect information for use in future cyberattacks.

The Reality of APT Threats 

APT threats have become a growing concern for enterprises as more nation-states have sought to steal trade secrets and confidential information. 

According to the FBI, since 2018 there have been over 1,000 cases of IP theft related to China’s espionage attempts targeting every sector. 

More recently, earlier this year, CISA, the FBI, US Cyber Command’s Cyber National Mission Force (CNMF), the UK’s National Cyber Security Centre (NCSC-UK), and the National Security Agency released a joint statement outlining the intelligence-gathering activities of the Iranian government-sponsored APT MuddyWater.

As these intelligence-gathering attacks become more common, organizations need to be prepared if they want to keep these sophisticated threat actors at bay. 

Dahan recommends that organizations wanting to defend against these threats follow MITRE and other best-practice frameworks to ensure they have the necessary visibility, detection, and remediation capabilities. It’s also critical to protect internet-facing assets and to be able to detect scanning activity and exploitation attempts.

“Organizations that are threat hunting in their environment around the clock increase their chances of tightening their security controls and increasing their overall security posture,” Dahan said. 

Any unpatched system or unprotected account can be used to gain entry into an enterprise environment, which is why organizations need a proactive patch management strategy in place alongside threat detection technologies like XDR.
