AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 46

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors 中国关联APT组织利用新“Leash”后门扩充武器库

Cisco Talos has identified UAT-7810, a China-linked APT, expanding its Operational Relay Box (ORB) network with new malware families including LongLeash, DogLeash, and JarLeash. The actor primarily targets Ruckus wireless routers by exploiting known vulnerabilities across MIPS, ARM, and x64 architectures to establish persistent espionage infrastructure. LongLeash serves as an enhanced backdoor framework utilizing Nanopb and MbedTLS libraries, capable of acting as both a C&C client and an interme 中国关联APT组织UAT-7810正在升级其运营中继盒(ORB)网络,通过感染数千台SOHO路由器建立间谍基础设施。 研究人员发现了名为LongLeash的新型后门,以及DogLeash和JarLeash两种恶意软件家族,它们构成了复杂的命令与控制(C&C)体系。 UAT-7810主要利用Ruckus无线路由器的已知漏洞(如CVE-2020-22653等),并支持MIPS、ARM和x64等多种架构。 该组织不仅为自身提供基础设施,还向另一中国关联APT组织UAT-5918提供工具支持,显示出威胁情报共享或协作特征。 新后门具备中间服务器转发功能,并集成了Nanopb和MbedTLS库,同时开发

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Cisco Talos has identified UAT-7810, a China-linked APT, expanding its Operational Relay Box (ORB) network with new malware families including LongLeash, DogLeash, and JarLeash.
  • The actor primarily targets Ruckus wireless routers by exploiting known vulnerabilities across MIPS, ARM, and x64 architectures to establish persistent espionage infrastructure.
  • LongLeash serves as an enhanced backdoor framework utilizing Nanopb and MbedTLS libraries, capable of acting as both a C&C client and an intermediate server for command forwarding.
  • The APT supports another group, UAT-5918, and employs diverse deployment methods, including Java containers for JarLeash and shell scripts with iptables rules for DogLeash.
  • The discovery of LeashTest indicates ongoing testing and potential instability of the LongLeash framework specifically on MIPS platforms, suggesting active refinement of their toolkit.

Why It Matters

This development highlights the increasing sophistication of state-sponsored actors in repurposing consumer-grade IoT devices into robust espionage infrastructure, bypassing traditional enterprise security perimeters. For security practitioners, it underscores the critical need to patch legacy vulnerabilities in networking equipment, particularly those affecting widely deployed routers like Ruckus. Furthermore, the inter-group collaboration between UAT-7810 and UAT-5918 suggests a coordinated ecosystem of threat actors sharing resources, necessitating broader threat intelligence sharing and monitoring for cross-APT indicators.

Technical Details

  • Malware Families: The update introduces LongLeash (an enhanced C&C/backdoor using Nanopb/MbedTLS), DogLeash (a C-based passive backdoor managed via shell scripts and iptables), and JarLeash (a Java-based backdoor deployed via container spawning scripts).
  • Target Infrastructure: The campaign focuses on infecting SOHO routers, specifically targeting Ruckus devices with exploits for CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717.
  • Capabilities: LongLeash functions as an intermediate server, forwarding commands and data between peers. It supports web server hosting, tunnel management, and acts as both a client and server. JarLeash includes features for web-based file management, FTP/SFTP servers, and netcat servers.
  • Testing Artifacts: The presence of LeashTest, a non-malicious binary used to test functionality on MIPS platforms, serves as an Indicator of Compromise (IoC) and reveals the actor's focus on ensuring stability across different hardware architectures.
  • Infrastructure Sharing: UAT-7810 provides hosting infrastructure for UAT-5918, with overlapping tooling but distinct tracking classifications, indicating a shared operational backbone.

Industry Insight

  • IoT Security Hygiene: Organizations must prioritize the immediate patching of known vulnerabilities in network infrastructure, especially in edge environments where consumer or SOHO devices are often overlooked in enterprise security protocols.
  • Threat Hunting: Security teams should monitor for specific IoCs related to the Leash family, such as unusual iptables rule modifications, unexpected Java container spawns, or connections to known malicious VPS IPs associated with UAT-7810.
  • Collaborative Defense: Given the resource-sharing nature between UAT-7810 and UAT-5918, threat intelligence platforms should correlate activities across these groups to predict potential shifts in targeting or infrastructure usage, enhancing proactive defense strategies.

TL;DR

  • 中国关联APT组织UAT-7810正在升级其运营中继盒(ORB)网络,通过感染数千台SOHO路由器建立间谍基础设施。
  • 研究人员发现了名为LongLeash的新型后门,以及DogLeash和JarLeash两种恶意软件家族,它们构成了复杂的命令与控制(C&C)体系。
  • UAT-7810主要利用Ruckus无线路由器的已知漏洞(如CVE-2020-22653等),并支持MIPS、ARM和x64等多种架构。
  • 该组织不仅为自身提供基础设施,还向另一中国关联APT组织UAT-5918提供工具支持,显示出威胁情报共享或协作特征。
  • 新后门具备中间服务器转发功能,并集成了Nanopb和MbedTLS库,同时开发了LeashTest二进制文件以测试MIPS平台兼容性。

为什么值得看

这篇文章揭示了针对边缘网络设备(如家用/小型办公室路由器)的持续性间谍活动升级,强调了物联网设备作为高级持久威胁(APT)基础设施的重要性。对于安全从业者而言,了解这些特定后门的技术细节和传播机制有助于优化检测规则和加固策略,防范针对网络边界的渗透。

技术解析

  • LongLeash后门:基于ShortLeash代码库开发,集成Nanopb和MbedTLS开源库。具备双向通信能力,既可作为C&C客户端也可作为中间服务器,负责转发命令和数据,增强了网络的隐蔽性和韧性。
  • DogLeash后门:使用C语言编写,通过Shell脚本部署并配置iptables规则监听TCP端口。支持远程命令执行、文件读写、内存代码执行及操作系统信息获取,是一种被动式后门。
  • JarLeash后门:基于Java构建,通过脚本终止其他实例后启动Java容器进行部署。除了提供系统访问权限外,还能托管Web文件管理界面、FTP/SFTP服务器及Netcat服务,扩展了攻击者的数据窃取能力。
  • 目标与漏洞利用:主要瞄准Ruckus无线路由器,利用CVE-2020-22653、CVE-2020-22658和CVE-2023-25717等已知漏洞。攻击者维护多个VPS和服务器IP用于载荷分发,部分IP也关联到针对Asus AiCloud路由器的“Operation WrtHug”行动。
  • LeashTest二进制文件:非恶意的测试工具,专门用于在MIPS平台上验证后门功能。其存在表明攻击者对MIPS架构下的后门行为稳定性尚存疑虑,仍在积极调试和优化。

行业启示

  • 边缘设备安全至关重要:SOHO路由器因其普遍缺乏安全防护且数量庞大,已成为APT组织构建隐蔽通信网络的首选跳板。企业和个人应定期更新固件,禁用不必要的远程管理功能,并加强网络分段。
  • 供应链与开源组件风险:攻击者在恶意软件中集成Nanopb和MbedTLS等知名开源库,增加了检测难度。安全团队需关注包含这些库特征的异常流量或二进制文件,并加强对第三方组件的安全审计。
  • APT协作与基础设施共享:UAT-5918与UAT-7810之间的工具重叠和基础设施支持关系,反映了国家级黑客组织间可能存在资源共享或分工协作。防御方应建立跨组织的威胁情报共享机制,以更全面地识别和阻断此类协同攻击。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全