TLDR:
- A Taiwanese research institute was breached by APT41 hackers with ties to China, using tools like ShadowPad and Cobalt Strike.
- Cisco Talos discovered the attack in August 2023, noting the use of PowerShell commands and web shells for initial access.
A Taiwanese government-affiliated research institute specializing in computing and related technologies fell victim to a cyber attack by APT41, a hacking group linked to China. The breach, detected in August 2023 by security researchers at Cisco Talos, involved ShadowPad and Cobalt Strike as backdoors and post-compromise tools. The attackers abused an outdated, vulnerable Microsoft Office IME binary to launch a customized second-stage loader that deployed the payload. They compromised three hosts in the targeted environment and exfiltrated some documents from the network.
The attackers used PowerShell commands and web shells for initial access, and the Cobalt Strike malware bypassed antivirus detection with an anti-AV loader. The threat actors also used Mimikatz to extract passwords and ran commands to gather information on user accounts and network configurations. A tailored loader was created to exploit a remote code execution vulnerability and achieve local privilege escalation.
The final payload, UnmarshalPwn, was delivered only after passing through three stages. To evade detection, the hackers removed the web shell and the guest account that had provided initial access. The incident came amid reports of Chinese state actors conducting cyber attacks on other countries for espionage purposes.
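The behaviours the summary lists (a guest account used for initial access, a web shell, PowerShell launched from the web server, account discovery, and the later removal of the web shell and guest account) map onto events a defender can look for in host logs. The script below is an added example, not code from the article or from Cisco Talos. The log lines are constructed for illustration, in a simplified key=value form rather than a real Windows event export; the event IDs it matches (4688 process creation, 4722 account enabled, 4726 account deleted) are standard Windows Security-log IDs, and the web root paths and file extensions are assumptions. Beyond flagging single events, it correlates the cleanup step the summary describes: a web-shell candidate deleted and the Guest account deleted on the same host within a short window.

```python
import re
from datetime import datetime, timedelta

# Assumed indicators: script extensions a web shell typically uses, and web-root
# path markers. Adjust for the environment; these are not from the report.
WEBSHELL_EXTS = (".aspx", ".asp", ".ashx", ".php", ".jsp")
WEBROOT_MARKERS = ("\\inetpub\\wwwroot\\", "/var/www/")

# Constructed sample log lines (not from the incident): "<ts> key=value ..." with
# quoted values allowed. WEB01 shows the full chain; FS02 is benign noise.
SAMPLE_LOGS = [
    '2023-08-01T09:12:03Z host=WEB01 EventID=4722 TargetUserName=Guest SubjectUserName=svc_web',
    '2023-08-01T09:15:40Z host=WEB01 FileEvent=created path=C:\\inetpub\\wwwroot\\upload\\img.aspx user=IUSR',
    '2023-08-01T09:16:10Z host=WEB01 EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA" ParentProcessName=C:\\Windows\\System32\\inetsrv\\w3wp.exe',
    '2023-08-01T09:30:55Z host=WEB01 EventID=4688 NewProcessName=C:\\Windows\\System32\\net.exe '
    'CommandLine="net user /domain" ParentProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    '2023-08-03T22:41:02Z host=WEB01 FileEvent=deleted path=C:\\inetpub\\wwwroot\\upload\\img.aspx user=SYSTEM',
    '2023-08-03T22:41:30Z host=WEB01 EventID=4726 TargetUserName=Guest SubjectUserName=svc_web',
    '2023-08-02T10:00:00Z host=FS02 EventID=4688 NewProcessName=C:\\Windows\\explorer.exe '
    'CommandLine="explorer.exe" ParentProcessName=C:\\Windows\\System32\\userinit.exe',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into a dict of fields; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in _KV.finditer(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def classify(ev):
    """Return the names of every detection rule a single event matches."""
    hits = []
    eid = ev.get("EventID")
    target = (ev.get("TargetUserName") or "").lower()
    if eid == "4722" and target == "guest":
        hits.append("guest_account_enabled")
    if eid == "4726" and target == "guest":
        hits.append("guest_account_deleted")
    path = (ev.get("path") or "").lower()
    if (ev.get("FileEvent") in ("created", "deleted") and path.endswith(WEBSHELL_EXTS)
            and any(marker.lower() in path for marker in WEBROOT_MARKERS)):
        hits.append("webshell_candidate_" + ev["FileEvent"])
    if eid == "4688":
        proc = (ev.get("NewProcessName") or "").lower()
        parent = (ev.get("ParentProcessName") or "").lower()
        cmd = (ev.get("CommandLine") or "").lower()
        # An IIS worker process starting PowerShell is the classic web-shell footprint.
        if proc.endswith("powershell.exe") and parent.endswith("w3wp.exe"):
            hits.append("webserver_spawned_powershell")
        if proc.endswith("powershell.exe") and re.search(r"\s-(enc|encodedcommand|e)\s", cmd):
            hits.append("encoded_powershell")
        if proc.endswith("net.exe") and re.search(r"\bnet\s+(user|group)\b", cmd):
            hits.append("account_discovery")
    return hits


def triage(lines, cleanup_window=timedelta(minutes=30)):
    """Classify each line, then correlate the cleanup pattern per host.

    Returns a time-sorted list of (timestamp, host, rule) tuples.
    """
    findings = []
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        for rule in classify(ev):
            findings.append((ev["ts"], ev["host"], rule))
            per_host.setdefault(ev["host"], []).append((ev["ts"], rule))
    # Cleanup correlation: web-shell candidate removed and Guest deleted close together.
    for host, events in per_host.items():
        shell_gone = [t for t, r in events if r == "webshell_candidate_deleted"]
        guest_gone = [t for t, r in events if r == "guest_account_deleted"]
        for t1 in shell_gone:
            for t2 in guest_gone:
                if abs(t1 - t2) <= cleanup_window:
                    findings.append((max(t1, t2), host, "initial_access_cleanup"))
    findings.sort()
    return findings


if __name__ == "__main__":
    for ts, host, rule in triage(SAMPLE_LOGS):
        print(ts.isoformat(), host, rule)
```

Run stand-alone, the script prints one line per finding for WEB01 and nothing for FS02. Matching on the parent process (w3wp.exe) rather than on PowerShell alone is what keeps the rule from firing on ordinary administration, and the cleanup correlation is worth keeping as a separate rule because the two deletions are individually unremarkable but together mark an attacker covering the initial-access path.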