Who is Chimera?
The Chimera threat group’s activities were first discovered in 2020 by CyCraft, a cybersecurity startup. CyCraft discovered the threat group when the group conducted a series of coordinated attacks against multiple Taiwanese companies active in the superconductor industry. Their main aim was to steal intellectual property. Chimera is believed to be a Chinese APT (Advanced Persistent Threat) group operating in the interest of the Chinese state. The group abuses Microsoft and Google cloud services with the aim of exfiltrating information from a broad range of target organizations. It has been reported that the group managed to remain undetected in victims’ networks for up to 3 years. They remain within victims’ networks to check for new data of interest and user accounts.
Attacks on Cloud Services Increase
The APT group has joined the ranks of other cybercriminal groups targeting and abusing cloud services. According to the 2020 Trustwave Global Security Report, the number of attacks on cloud services more than doubled in 2019 and accounted for 20% of investigated incidents. Cloud environments are now the third most targeted environment behind corporate and internal networks. The latter two remain the most targeted domains, representing 54% of incidents. Consequently, it is important for organizations to ensure their systems are clear of malware infections and that systems have had the latest patches applied. Organizations also need to ensure they don’t use outdated security certificates, expose ports, misconfigure SSL and use bad web application headers. All these provide cybercriminals with doors into organizations networks from which to conduct cyberattacks.
Broad Target List
The NCC Group, an information assurance firm headquartered in the United Kingdom, and its Fox-IT subsidiary have been tracking Chimera. They discovered that the group’s target list is broader than initially thought. Chimera has recently also targeted the airline industry with the aim of exfiltrating the Passenger Name Records (PNR) they hold. The group collected PRN data from individuals of interest to then conduct credential-stuffing and password‑spraying attacks against target organizations.
Credential-stuffing is a type of brute-force attack. It relies on automated tools to test large numbers of stolen login credentials across multiple sites until one works. The success of this method depends on the fact that users often reuse the same password for multiple accounts. Password‑spraying is also a type of brute-force attack. However, in this instance hackers test a small number of commonly used passwords on many accounts within an organization. This method assumes that within a large group of people, there’s at least one person using a common password.
Such Chimera attacks have targeted semiconductor and airline companies in different geographical areas, not just Asia.
Chimera’s Attack Method
The joint report published by NCC and Fox-IT also describes Chimera’s typical attack method. According to the report, first Chimera collects user login credentials that have been leaked or sold on the dark web. This data is then used for credential-stuffing and password-spraying attacks against individuals’ remote services. For example, webmail or other online mail services. Once an account has been compromised, the group uses it to access the victim’s VPN, Citrix or other remote services with network access. Next Chimera usually deploys Cobalt Strike beacon. This is a penetration-testing framework normally used by cybersecurity firms to test a network’s resilience against an advanced attack. The group load Cobalt Strike into memory and use it for remote access and Command and Control (C2). Cobalt Strike can also be used to move laterally within an organization’s systems. NCC and Fox-IT found that Chimera would search victims’ networks until they found a way to traverse across segmented networks to reach other systems of interest. Once the group found the data they were after, they regularly uploaded this data to accounts on public cloud services like OneDrive, Dropbox and Google Drive. They used cloud services because organizations don’t normally inspect or block traffic to these services from within their networks. The group would then retrieve the exfiltrated data from their cloud services account for use.
