Menu
'Hurricane Panda' hackers used Microsoft zero-day, CrowdStrike says

'Hurricane Panda' hackers used Microsoft zero-day, CrowdStrike says

The group, which targets technology infrastructure companies, is believed to be linked to China's government

One of the zero-day flaws patched by Microsoft on Tuesday had been used for some time by a group with suspected Chinese government ties that targets technology companies, CrowdStrike's chief executive said.

CEO Dmitri Alperovitch said his CrowdStrike has been battling with the group, which the company dubbed "Hurricane Panda," on a daily basis since earlier this year.

"They've been very persistent actors," Alperovitch said in a phone interview Tuesday. "We believe with confidence they're indeed tied to the Chinese government in their objectives."

Hurricane Panda has targeted technology infrastructure companies, Alperovitch said. He said he could not identify the companies, which use CrowdStrike's services.

CrowdStrike analysts often see attacks in action and work to boot the hackers from networks. It results in a fast-playing offense and defense, which Alperovitch said can lead to mistakes by the hackers seeking to keep their foothold.

"We are able to literally record every command they try and understand immediately what they're doing," he said.

For example, the analysts will often see hackers mistype commands, such as "hsotname" instead of "hostname" and "romote" for "remote," as they hastily try to maintain their access.

Hurricane Panda is noteworthy for using tightly written exploit code, "win64.exe," that allowed the group to move through network systems once a computer had been hacked. That tool would be uploaded using a webshell nicknamed "ChinaChopper" that the attackers had placed on a company's servers, Alperovitch said.

Win64.exe, which runs on 64-bit Windows systems, takes advantage of a privilege escalation vulnerability, which can allow attackers to gain administrative rights to other programs from the account of a user who doesn't have those permissions.

Microsoft patched the vulnerability, CVE-2014-4113, on Tuesday, but Hurricane Panda had been using it for a while. CrowdStrike notified Microsoft of the flaw when it discovered the attackers were using it, Alperovitch said.

If successfully exploited, the flaw allows arbitrary code to be run in kernel mode, allowing an attacker to install programs, view or change data or create new accounts with full administrator rights, according to a blog post from Symantec on Tuesday.

Privilege escalation flaws aren't rare, but it is uncommon to see one used for so long by a group, which indicates that the attackers have "knowledge about non-public exploitable security bugs, which usually means the exploit was either bought from a supplier or developed in-house," Alperovitch wrote in a post on the company's blog.

Win64.exe contained an interesting embedded string of characters, "woqunimalegebi," which translates to a Chinese swear word, Alperovitch said. The word is often misspelled in Chinese to avoid being blocked by the country's filtering equipment, and that intentional error changes the meaning of the vulgarity to "fertile grass mud horse in the Mahler Gobi Desert," according to CrowdStrike.

Alperovitch said it's hard to say why programmers insert such messages, but "perhaps they were trying to send a message to anyone that is reverse engineering the code."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags CrowdStrikeMicrosoftsecurityExploits / vulnerabilitiesmalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments