Cyber Security Threat Summary:
Security researchers have disclosed a previously unknown APT group that targeted mostly Taiwanese organizations in a cyber-espionage campaign lasting at least four months. Tracked as "Grayling" by Symantec, the group was active from February 2023 until at least May 2023. Its aim was to steal sensitive data from manufacturing, IT and biomedical companies in Taiwan, with further victims in the United States, Vietnam and the Pacific Islands.

On compromised machines, Grayling used DLL sideloading, via a DLL carrying the exported function "SbieDll_Hook", to load tools such as the Cobalt Strike Stager, which in turn fetched the widely used post-exploitation implant Cobalt Strike Beacon. The group also deployed "Havoc", an open-source command-and-control (C2) framework with capabilities similar to Cobalt Strike. Other tooling and techniques noted in the report include the publicly available spyware NetSpy, exploitation of CVE-2019-0803 (an older Windows elevation-of-privilege vulnerability), and the downloading and execution of shellcode.
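As an added illustration (it is not part of the Symantec report or of this summary), the Python sketch below shows how a detection engineer might hunt for the SbieDll_Hook sideloading pattern in endpoint telemetry. It rests on one assumption stated up front: SbieDll_Hook is an export of the legitimate Sandboxie library SbieDll.dll, so a sideloaded DLL carrying that export will normally be named SbieDll.dll and sit beside a legitimate, signed Sandboxie executable that imports it. The event shape (Sysmon Event ID 7, Image loaded, already parsed to dictionaries), the allowlisted install directories, the expected signer substring and the three sample events are all constructed for the example. The logic flags a load of SbieDll.dll from an unexpected directory, an unsigned or wrongly signed copy, and a host executable running outside its install location.

```python
"""Hunt for SbieDll.dll sideloading in Sysmon ImageLoad (Event ID 7) telemetry.

Added example, not code from the Symantec report. Assumptions (labelled):
- SbieDll_Hook is exported by Sandboxie's legitimate SbieDll.dll, so a sideloaded
  DLL with that export is usually named SbieDll.dll and dropped next to a
  legitimate Sandboxie executable that imports it.
- Events are Sysmon Event ID 7 records parsed to dicts using Sysmon's own field
  names: Image (host process), ImageLoaded (DLL), Signed, SignatureStatus, Signature.
- ALLOWED_DIRS, EXPECTED_SIGNER and SAMPLE_EVENTS are constructed for the example.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

TARGET_DLL = "sbiedll.dll"

# Assumed legitimate install locations for Sandboxie; baseline these on your own fleet.
ALLOWED_DIRS = {
    r"c:\program files\sandboxie",
    r"c:\program files\sandboxie-plus",
}

# Assumption: substring expected in the Authenticode signer of a genuine SbieDll.dll.
# Confirm it against a known-good load before deploying the rule.
EXPECTED_SIGNER = "sandboxie"


def flag_sideload(event: dict) -> list[str]:
    """Return the reasons this ImageLoad event looks like SbieDll.dll sideloading.

    An empty list means the event is either unrelated or looks benign.
    """
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() != TARGET_DLL:
        return []

    reasons: list[str] = []

    # Signal 1: the DLL is not in a known Sandboxie install directory.
    dll_dir = str(loaded.parent).lower()
    if dll_dir not in ALLOWED_DIRS:
        reasons.append(f"SbieDll.dll loaded from unexpected directory {loaded.parent}")

    # Signal 2: the DLL is unsigned, has a bad signature, or is signed by someone else.
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "") == "Valid"
    if not (signed and valid):
        reasons.append("SbieDll.dll is unsigned or its signature is invalid")
    elif EXPECTED_SIGNER not in event.get("Signature", "").lower():
        reasons.append(f"SbieDll.dll signed by unexpected signer {event.get('Signature')!r}")

    # Signal 3: the (legitimate) host executable itself runs outside its install dir,
    # which is typical when an attacker drops exe + DLL together in a staging folder.
    host = PureWindowsPath(event.get("Image", ""))
    if str(host.parent).lower() not in ALLOWED_DIRS:
        reasons.append(f"host executable {host.name} running outside install directory")

    return reasons


def scan(events: list[dict]) -> list[dict]:
    """Run flag_sideload over a batch of events and return only the hits."""
    hits = []
    for ev in events:
        reasons = flag_sideload(ev)
        if reasons:
            hits.append({"image": ev.get("Image"), "image_loaded": ev.get("ImageLoaded"),
                         "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: genuine DLL loaded by a service from the install directory
        "Image": r"C:\Program Files\Sandboxie\SbieSvc.exe",
        "ImageLoaded": r"C:\Program Files\Sandboxie\SbieDll.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Sandboxie Holdings (sample)",
    },
    {   # suspicious: unsigned SbieDll.dll next to a copied Sandboxie binary in a staging folder
        "Image": r"C:\Users\Public\update\SandboxieHost.exe",
        "ImageLoaded": r"C:\Users\Public\update\SbieDll.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # unrelated load, ignored entirely
        "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['image']} -> {hit['image_loaded']}")
        for r in hit["reasons"]:
            print("   -", r)
```

The signature fields are only populated when Sysmon is configured to check signatures on image loads, so baseline a known-good host first and treat signal 1 and signal 3 as sufficient on their own where signature data is missing. The same three signals (unexpected directory, missing or wrong signer, displaced host binary) generalize to any sideloading pair, not just SbieDll.dll; only the DLL name, allowlist and signer need to change.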
Security Officer Comments:
According to the vendor, the fact that no data exfiltration was observed on victim machines does not rule out intelligence gathering as the motive; the tools deployed and the sectors targeted point that way. Like many APT groups today, Grayling mixes custom and publicly available tooling to stay under the radar. Havoc and Cobalt Strike are popular because their extensive post-exploitation feature sets remove the need to develop bespoke tools, and their wide use by many different actors makes attribution harder for investigators. Grayling's behavior on compromised hosts, including terminating processes, shows an emphasis on staying hidden. While the vendor did not explicitly tie Grayling to a nation-state, its targeting aligns with China's geopolitical interests.