Velvet Ant gang uses F5 BIG-IP devices for espionage in East Asia

June 18, 2024

Velvet Ant, a suspected Chinese cyber espionage group, maintained access to an unnamed East Asian organisation for almost three years. The attackers used legacy F5 BIG-IP appliances to keep their foothold and repurposed them as internal command-and-control (C&C) servers so that their traffic would not stand out.

According to the researchers who investigated the intrusion, Velvet Ant is a sophisticated and adaptive actor that changed its tactics quickly in response to remediation efforts. The attackers methodically collected sensitive data, with a particular focus on financial and customer information.

Velvet Ant used PlugX (Korplug) loaded via DLL side-loading, employed Impacket for lateral movement, and disabled endpoint protection.

A central element of Velvet Ant's tradecraft was PlugX, also known as Korplug, a remote access trojan (RAT) long associated with Chinese espionage activity. PlugX is loaded through DLL side-loading: a legitimate, signed executable is dropped together with a malicious DLL that carries the name of a library the executable imports, so the trusted program loads the attacker's code itself. Based on the investigation, the threat actors used open-source tools such as Impacket for lateral movement and attempted to disable endpoint protection software before deploying PlugX.
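The side-loading pattern described above is visible in image-load telemetry. The following script is an added example written for this page (not Sygnia's or Velvet Ant's code): it assumes Sysmon-style image-load records (loading executable, loaded DLL, signature status), a small illustrative list of frequently side-loaded library names, and constructed sample paths, and it flags a signed executable that resolves a system library name from its own directory rather than from the Windows system directory.

```python
"""Triage image-load telemetry for DLL side-loading candidates.

Added example, not Sygnia's or Velvet Ant's code. It assumes Sysmon-style
image-load records (loading executable, loaded DLL, signature status) and
flags the pattern PlugX relies on: a signed, legitimate executable that
resolves a well-known library name from its own directory instead of from
the Windows system directory.
"""
import ntpath
from dataclasses import dataclass

# Library names frequently abused for side-loading because many signed
# executables import them. Illustrative assumption, not an exhaustive list.
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "msimg32.dll",
    "wtsapi32.dll", "dbghelp.dll", "userenv.dll", "winmm.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                        "c:\\windows\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str         # executable that performed the load
    image_loaded: str  # DLL that was mapped into it
    image_signed: bool
    dll_signed: bool


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons an event looks like side-loading (empty if none)."""
    exe_dir = ntpath.dirname(ev.image).lower() + "\\"
    dll_dir = ntpath.dirname(ev.image_loaded).lower() + "\\"
    dll_name = ntpath.basename(ev.image_loaded).lower()

    # Normal resolution: the system library came from the system directory.
    if dll_dir.startswith(SYSTEM_DIRS):
        return []
    # Primary indicator: a system library name satisfied from the EXE's own
    # directory, which the loader's search order permits and side-loading abuses.
    if not (dll_dir == exe_dir and dll_name in COMMON_SIDELOAD_NAMES):
        return []
    reasons = ["system DLL name resolved from the executable's own directory"]
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL")
    if not exe_dir.startswith(TRUSTED_INSTALL_DIRS):
        reasons.append("executable runs from a non-standard location")
    return reasons


def triage(events):
    """Pair each suspicious event with its reasons; benign events are dropped."""
    return [(ev, r) for ev in events if (r := sideload_indicators(ev))]


# Constructed sample telemetry (paths and names invented for the example).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Users\Public\Libraries\Update\update.exe",
              r"C:\Users\Public\Libraries\Update\version.dll", True, False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll", True, False),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.image, "<-", ev.image_loaded)
        for r in reasons:
            print("   -", r)
```

Only the second sample event is reported: the first is the library resolving from System32 as intended, and the third is a vendor plugin with an ordinary name. Requiring the system-library-name match before considering signature or location keeps unsigned first-party plugins from flooding the result.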

The attackers' modified PlugX used an internal file server for C&C, which let the malicious traffic blend with legitimate internal activity. Two variants were found: one deployed on endpoints with direct internet access, configured with an external C&C server and used for data exfiltration, and a second with no C&C configuration at all, placed only on legacy servers.

Velvet Ant also abused legacy F5 BIG-IP devices as covert communication channels, using reverse SSH tunnels from the appliances to the external C&C server. Although such appliances are deployed to improve network security, the technique shows how an unpatched edge device can be turned into a long-term persistence point inside the target network.

Forensic examination of the compromised F5 devices turned up further tooling: PMCD, which polls the C&C server for commands every 60 minutes, and EarthWorm, a SOCKS tunnelling tool previously used by groups such as Gelsemium and Lucky Mouse. The attackers also deployed packet-capture utilities to extend their collection capability.
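Both the reverse SSH tunnel from the appliance and the hourly polling of the C&C server leave a footprint in flow records. The script below is an added example written for this page (not Sygnia's or Velvet Ant's code) covering both of those behaviours. It assumes flow records (start time, source, destination, port, duration) exported from a firewall or NetFlow collector; the edge-host address, the 60-minute period, the tolerances and the sample flows themselves are constructed for the example, with documentation address ranges standing in for external hosts.

```python
"""Spot reverse-tunnel and beaconing behaviour in edge-device flow records.

Added example, not Sygnia's or Velvet Ant's code. Two behaviours from the
report are modelled: a long-lived outbound SSH session from an edge
appliance to an external host (a reverse SSH tunnel looks like this from
the inside), and a client that contacts the same external endpoint at a
fixed interval such as every 60 minutes. Hosts and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# RFC 1918 space counts as internal; everything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    start: str        # ISO 8601 timestamp of the first packet
    src: str
    dst: str
    dport: int
    duration_s: int


def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def long_lived_external_ssh(flows, edge_hosts, min_duration_s=3600):
    """Outbound SSH from an edge appliance to the internet that stays up for
    an hour or more. Appliances rarely need to initiate SSH outward at all."""
    return [f for f in flows
            if f.src in edge_hosts and f.dport == 22
            and is_external(f.dst) and f.duration_s >= min_duration_s]


def periodic_beacons(flows, period_s=3600, tolerance_s=120, min_count=4):
    """Return ((src, dst, dport), median gap) for endpoints whose connection
    start times repeat at roughly `period_s` seconds."""
    groups = defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            groups[(f.src, f.dst, f.dport)].append(datetime.fromisoformat(f.start))
    hits = []
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [d for d in deltas if abs(d - period_s) <= tolerance_s]
        # Require nearly every gap to match the period: a little jitter is
        # expected from a scheduled poller, a mostly irregular pattern is not.
        if len(regular) >= min_count - 1 and len(regular) / len(deltas) >= 0.8:
            hits.append((key, median(deltas)))
    return hits


EDGE_HOSTS = {"10.0.5.4"}  # assumed management address of the BIG-IP

# Constructed sample flows; external addresses are documentation ranges.
SAMPLE_FLOWS = [
    # appliance keeps an SSH session to an external host open for two days
    Flow("2024-05-01T00:00:00", "10.0.5.4", "203.0.113.7", 22, 172800),
    # appliance administrative SSH to an internal jump host, short-lived
    Flow("2024-05-01T08:15:00", "10.0.5.4", "10.0.9.2", 22, 240),
    # hourly check-ins from the appliance to another external host
    Flow("2024-05-01T00:00:00", "10.0.5.4", "198.51.100.12", 443, 3),
    Flow("2024-05-01T01:00:05", "10.0.5.4", "198.51.100.12", 443, 2),
    Flow("2024-05-01T02:00:11", "10.0.5.4", "198.51.100.12", 443, 3),
    Flow("2024-05-01T03:00:02", "10.0.5.4", "198.51.100.12", 443, 2),
    Flow("2024-05-01T04:00:30", "10.0.5.4", "198.51.100.12", 443, 3),
    # ordinary workstation browsing, irregular timing
    Flow("2024-05-01T09:12:00", "10.0.20.15", "203.0.113.50", 443, 5),
    Flow("2024-05-01T09:13:30", "10.0.20.15", "203.0.113.50", 443, 4),
    Flow("2024-05-01T11:47:02", "10.0.20.15", "203.0.113.50", 443, 6),
    Flow("2024-05-01T12:00:00", "10.0.20.15", "203.0.113.50", 443, 5),
]

if __name__ == "__main__":
    for f in long_lived_external_ssh(SAMPLE_FLOWS, EDGE_HOSTS):
        print(f"long-lived SSH: {f.src} -> {f.dst} ({f.duration_s}s)")
    for (src, dst, dport), gap in periodic_beacons(SAMPLE_FLOWS):
        print(f"beacon: {src} -> {dst}:{dport} every ~{gap:.0f}s")
```

On the sample data the two-day SSH session to 203.0.113.7 and the hourly contacts with 198.51.100.12 are reported, while the short internal SSH session and the workstation's irregular browsing are not. A BIG-IP has no business initiating long outbound SSH sessions, so in practice the first check can be run with a much lower duration threshold than the one assumed here.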

How the environment was first breached remains unclear; plausible vectors include spear-phishing and exploitation of known vulnerabilities in internet-exposed systems.

The intrusion fits a broader pattern of China-linked cyber espionage: other recent campaigns, including Operation Diplomatic Specter, Unfading Sea Haze, and Operation Crimson Palace, have likewise targeted organisations in Asia to obtain sensitive data.

Velvet Ant's use of outdated F5 devices underlines how critical edge-appliance security is to preventing long-term compromise by capable adversaries. Keeping such devices patched, restricting access to their management interfaces, and monitoring their outbound traffic are necessary defences against this class of persistent threat.
