Chinese Hackers Used Dropbox To Attack Hong Kong Media
By Jennifer LeClaire / CRM Daily
Hackers in China launched a spear phishing campaign in August that targeted media outfits in Hong Kong, according to security research firm FireEye. The hackers used e-mail messages carrying malicious files with a malware payload called Lowball.

Lowball abuses Dropbox’s cloud storage service as its command and control (CnC) channel: the attackers issue commands and collect results through a Dropbox account rather than a server of their own, which lets them control the victim’s PC. FireEye worked with Dropbox to investigate the incident, revealing what appeared to be a second operation that functions in much the same way.

Ultimately, FireEye said this attack was part of a trend of malicious groups hiding their deeds by connecting to legitimate Web services, including cloud storage and social networking sites.

Dialing Into Dropbox

Here’s the backstory: Hackers sent spear phishing e-mails to several Hong Kong-based newspaper, radio and television stations in August. The first e-mail contained a message about creating a Christian civil society group in conjunction with the anniversary of the 2014 “Umbrella Movement” protests, a series of mass sit-in street protests that occurred in Hong Kong from September 26 to December 15, 2014. The protests were against proposed reforms to the Hong Kong electoral system.

The second e-mail the hackers sent contained a message about a Hong Kong University alumni group concerned about a referendum vote to appoint a pro-Beijing vice chancellor.

“This backdoor, known as Lowball, uses the legitimate Dropbox cloud-storage service to act as the CnC server,” FireEye wrote in a blog. “It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.”

The hacker group then checks its Dropbox account to see whether any victims’ machines have called back. Once the Lowball malware has checked in, the attackers place a file in the account carrying commands to be executed on the hacked computer. The malware retrieves and runs those commands, sending the hackers information about the computer’s network so they can download more software onto the machine.

Not Targeting Dropbox

We turned to Craig Young, a cybersecurity researcher for advanced threat detection firm Tripwire, to get his take on the malware. He told us this is not a threat toward Dropbox users, but the attackers are relying on Dropbox to help stay under the radar.

“Many security departments would recognize command and control traffic because the communication is to unexpected places on the Internet but since Dropbox is so prevalent and communication is encrypted, it is impossible to distinguish the sessions from real Dropbox usage,” Young said.
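The backdoor described above polls a Dropbox account for new command files, which is why its traffic blends into ordinary Dropbox usage. One defender-side heuristic is to look not at where traffic goes but at how regularly it goes there. The script below is an added example, not code from FireEye, Tripwire or this article; it scans constructed proxy log lines for hosts that contact the Dropbox API on a fixed schedule. The API host names, the log format and the regularity threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <client IP> <destination host>".
# 10.1.1.5 polls the Dropbox API every five minutes (machine-like timing);
# 10.1.1.9 is a human user syncing files at irregular times.
SAMPLE_LOG = """\
2015-08-10T09:00:00 10.1.1.5 api.dropboxapi.com
2015-08-10T09:03:00 10.1.1.5 www.example.com
2015-08-10T09:05:00 10.1.1.5 api.dropboxapi.com
2015-08-10T09:10:01 10.1.1.5 api.dropboxapi.com
2015-08-10T09:15:00 10.1.1.5 api.dropboxapi.com
2015-08-10T09:20:00 10.1.1.5 api.dropboxapi.com
2015-08-10T09:02:13 10.1.1.9 api.dropboxapi.com
2015-08-10T09:31:47 10.1.1.9 api.dropboxapi.com
2015-08-10T11:05:02 10.1.1.9 api.dropboxapi.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
# Assumed Dropbox API endpoints; adjust to what your proxy actually records.
DROPBOX_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host = m.groups()
            yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(client, host): mean gap in seconds} for Dropbox API talkers
    whose request timing is regular enough to look scheduled rather than human."""
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        if host in DROPBOX_HOSTS:
            by_pair[(client, host)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few observations to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low spread relative to the mean means a fixed schedule.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[pair] = mean
    return flagged


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: regular polling every ~{gap:.0f}s")
```

A hit is a lead to triage against the host's installed software and user activity, not proof of compromise, since the official Dropbox client also syncs on timers.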

The concept behind this attack is not new, Young said. In fact, Tripwire is aware of various other malware campaigns leveraging cloud services including one that uses the attacker's Gmail account as a private channel for controlling infected systems, he added.

“Proper vulnerability management and endpoint security controls along with user education on phishing are the best techniques to protect against this campaign,” Young said. “The fact that the attackers are successfully using a vulnerability from 2012 is a testament to the fact that the victims are not using up-to-date software.”

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.