Chinese hackers exploit the “Nezha” tool to hack into Asian companies


“Chinese hackers are trying to spy on Asian companies while exploiting the Nezha tool. Let’s talk about it in detail!”

According to cybersecurity firm Huntress, an open source server monitoring application was used in a politically motivated effort to hack more than 100 systems in Taiwan, Japan, South Korea and Hong Kong. This underscores the increasing use of legitimate software in state cyber espionage.

According to cybersecurity firm Huntress, a cyber campaign with ties to China used a legitimate open-source monitoring app called Nezha to target more than 100 systems in East Asia. This finding highlights how common administration software can be turned into a weapon for politically motivated espionage.

A vulnerable web application was the source of the hack

In early August, while investigating a vulnerable online application, Huntress investigators first discovered the campaign. Before using Nezha, a task management and server monitoring tool, the attackers first gained access via a web shell.

Huntress also points out that while Nezha has valid IT uses, this is a new type of misuse, where the software is being used to carry out remote operations and spread malware after cyber attacks.

“Nezha works as a remote control.”

According to the investigation, Nezha was frequently used in conjunction with web shell management tools and malware, such as AntSword and Gh0st RAT, which have been linked to advanced persistent threat (APT) organizations with ties to China.

Jai Minton, Principal Security Operations Analyst, Huntress

Nezha works similarly to a TV remote control. The agent installed on the PC is the TV, and the dashboard acts as the control. It allows full remote access over the Internet.

Evidence points to Chinese involvement

One early indication of the attackers’ origin, according to investigators, is that they switched the language of the administrative interface to Simplified Chinese after gaining access.

Although Huntress did not attribute the campaign to a specific group, Minton noted similarities to previous reports on Chinese APT operations:

The Gh0st RAT sample is similar to the one used in attacks against the Tibetan community by an APT group with ties to China.

Politically sensitive targets

The majority of victims were found in South Korea, Japan and Taiwan, countries involved in maritime and territorial disputes with China in the East China Sea.

Jai Minton, Principal Security Operations Analyst, Huntress

“A politically motivated campaign rather than financially motivated attacks is suggested by the speed of settlement, lack of financial incentive, and absence of cybercriminals’ usual trade.”

Over 100 victims and counting

More than 100 systems were affected, according to the report, and some organizations were able to limit exposure to a few hours by acting quickly.

However, Huntress cautioned that one should not underestimate the skill and perseverance of attackers:

A threat actor with ties to China has demonstrated its ability to quickly compromise systems and maintain long-term access using under-reported technology.

Conclusion

This campaign highlights the growing trend of using legitimate open source software as a weapon for espionage purposes. Huntress urged organizations to strengthen monitoring of server management tools, web applications, and remote access systems, stressing that even widely used software like Nezha can be repurposed for complex cyber operations.

About the author

Suraj Kohli is a content specialist in technical writing about cybersecurity and information security. He has written many great articles related to cyber security concepts, with the latest trends in cyber awareness and ethical hacking.
