web analytics

State hackers turn to massive ORB proxy networks to evade detection – Source: www.bleepingcomputer.com

state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection-–-source:-wwwbleepingcomputer.com
Rate this post

Source: www.bleepingcomputer.com – Author: Ionut Ilascu

State hackers increasingly rely on massive ORB proxy networks to evade detection

Security researchers are warning that China-linked state-backed hackers are increasingly relying on a vast proxy server network created from virtual private servers and compromised online devices for cyberespionage operations.

Called operational relay box (ORBs) networks, these proxy meshes are administered by independent cybercriminals that provide access to multiple state-sponsored actors (APTs).

ORBs are similar to botnets but they may be a hybrid of commercially leased VPS services and compromised devices, including end-of-life routers and other IoT products.

The growing use of ORBs by adversaries comes with challenges in both detection and attribution as the attack infrastructure is no longer controlled by the threat actor, who can cycle through nodes distributed over a broad geography.

Malicious proxy networks

Cybersecurity firm Mandiant has been tracking multiple ORBs, two of them used by advanced threat actors known for espionage and intellectual theft operations linked to China.

One of them called ORB3/SPACEHOP is described as “a very active network leveraged by multiple China-nexus threat actors, including APT5 and APT15” for reconnaissance and vulnerability exploitation.

For instance, SPACEHOP was used in December 2022 to exploit CVE-2022-27518, a critical vulnerability in Citrix ADC and Gateway, which the National Security Agency (NSA) linked to APT5 (a.k.a. Manganese, Mulberry Typhoon, Bronze Fleetwood, Keyhole Panda, and UNC2630).

Mandiant researchers say that SPACEHOP is a provisioned network that uses a relay server hosted in Hong Kong or China by a cloud provider. It installs an open-source command and control (C2) framework that allows managing downstream nodes.

The relay nodes are typically cloned Linux-based images and their role is to proxy malicious traffic to an exit node that communicates with targeted victim environments.

Diagram of the ORB3/SPACEHOP network
ORB3/SPACEHOP network

source: Mandiant

By contrast, ORB2/FLORAHOX is a hybrid network that consists of an Adversary Controlled Operations Server (ACOS), compromised connected devices (routers and IoT), and VPS services that run the traffic through TOR and multiple hacked routers.

The researchers believe that this mesh is “used in cyber espionage campaigns by a diverse set of China-nexus threat actors” to obfuscate the traffic from the source.

The network appears to contain several subnetworks composed of compromised devices recruited by the router implant FLOWERWATER as well as other router-based payloads.

Diagram of the ORB2/FLORAHOX network
ORB2/FLORAHOX network

source: Mandiant

Although ORB2/FLORAHOX is used by multiple threat actors, Mandiant says that trusted third-party sources have reported clusters of activity attributed to China-linked adversaries APT31/Zirconium that focus on intellectual property theft.

“ORB2 represents a more complicated design including the relay of traffic through TOR nodes, provisioned VPS servers, and different types of compromised routers including CISCO, ASUS, and Draytek end-of-life devices” – Mandiant

Apart from FLOWERWATER, the researchers say that additional payloads and tools (MIPS router tunneler PETALTOWER, SHIMMERPICK bash scripts) are used to navigate the ORB2 network and pre-existing nodes based on command-line inputs.

Regardless of the type of devices used, an ORB network has a set of essential components that allow it to work properly:

  • Adversary Controlled Operations Server (ACOS) – server for administering nodes in an ORB network
  • Relay node – lets users authenticate to the network and relay traffic through the larger traversal pool on ORB nodes
  • Traversal nodes – the main nodes composing an ORB network, obfuscate the origin of the traffic
  • Exit/Staging nodes – used to launch attacks on targets
  • Victim server: victim infrastructure communicating with the node on the ORB network

Enterprise defense challenges

The use of ORBs has been observed in the past, the most prominent recent example being the Volt Typhoon attacks on US critical infrastructure organizations using SOHO network equipment (e.g. routers, firewalls, and VPN appliances).

Because of how malicious ORBs function, they provide stealth, resilience, and independence from the internet infrastructure in a country.

Multiple threat actors use these network infrastructures for limited periods, which impacts tracking them and attribution.

According to Mandiant, the lifespan of an IPv4 address of an ORB node can be as short as 31 days. This appears to be a feature of ORB network contractors in China, who can “cycle significant percentages of their compromised or leased infrastructure on a monthly basis.”

Defenders can miss malicious traffic from these networks because ORB administrators use Autonomous System Number (ASN) providers in various parts of the world.

Apart from making them more reliable, this also allows adversaries to target enterprises from devices in close geographic proximity, which raises less suspicions when analyzing traffic.

“One such example would be traffic from a residential ISP that is in the same geographic location as the target that is regularly used by employees and would be less likely to get picked up for manual review” – Mandiant

With attackers increasingly using ORBs, protecting enterprise environments becomes even more difficult since detection becomes more complex, attribution is more complicated, and indicators for adversary infrastructure are less useful for defenders.

Original Post URL: https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/

Category & Tags: Security – Security

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

Sectrio
The Global OT & IoT Threat Landscape Assessment and Analysis rEPORT 2024 by Sectrio Threat Research Lab Initiative.
The Global OT & IoT...
ISA SECURE
The Case for ISA/IEC 62443Security Level 2 as a Minimumfor COTS Components
The Case for ISA/IEC 62443Security...
Huntress
2024 Cyber Threat Report
2024 Cyber Threat Report
NACD - Intenet Security Alliance
2023 Director’s Handbook on Cyber-risk Oversight
2023 Director’s Handbook on Cyber-risk...
Devoteam
14 Cybersecurity Trends for 2024
14 Cybersecurity Trends for 2024
IGNITE Technologies
MEMORY FORENSICS VOLATILITY
MEMORY FORENSICS VOLATILITY
CAREER UP
7 Steps to your SOC Analyst Career
7 Steps to your SOC...
National Cyber Security Centrum
Managing Insider Threats
Managing Insider Threats
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface

More Latest Published Posts

aws
AWS Security Incident Response Guide
AWS Security Incident Response Guide
Government of South Australian
South Australian Cyber Security Framework
South Australian Cyber Security Framework
NAO -National Audit Office
Audit and Risk Assurance Committee Effectiveness Tool
Audit and Risk Assurance Committee Effectiveness Tool
WWW. D E V S E COP S G U I D E S . CO M
Attacking Docker
Attacking Docker
W W W . D E V S E C O P S G U I D E S . C O M
Attacking AWS – Offensive Security Aproach
Attacking AWS – Offensive Security Aproach
ENISA
Artificial Intelligence and Cybersecurity Research 2023
Artificial Intelligence and Cybersecurity Research 2023
MuleSoft
API Security Best Practices – Protect your APIs with Anypoint Platform
API Security Best Practices – Protect your APIs with Anypoint Platform
Green Circle
All about Security Operations Center
All about Security Operations Center
DAZZ
A Guide to Building a Secure SDLC – Which Scanning Tools Should I look at, and where do they go?
A Guide to Building a Secure SDLC – Which Scanning Tools Should I look at, and where do they go?
zimperium
2023 Mobile Banking Heists Report
2023 Mobile Banking Heists Report
40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015