Home
Threat Intelligence Posts
Phishing

Advisory on Increased Traffic from Chinese Hackers

Chinese hacker groups and APT groups adhere to phishing, spear-phishing attack vectors against Indian companies, to carry out large volumes of scanning.
Updated on
April 19, 2023
Published on
June 29, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
It has been corroborated that there is a large volume of scanning being carried out by Chinese hacker groups, likely acting at the behest of Chinese APT groups in tandem with entities of the Lazarus Group.  

Targets

Specific companies are likely being targeted due to the following reasons:
  • They are currently using hardware or software with known vulnerabilities which can be exploited.
  • They are using Chinese equipment/ components which have backdoors, or hacker groups/ APTs have been able to maintain persistence on them.
  • These companies represent an Indian identity. 
 

Attack Vectors

DDOS attacks are less likely due to DDOS scrubbers integrated at ISPs. So, Phishing or Spear Phishing seems to be a more probable attack vector.  

Preventive Measures

In light of the above, companies are advised to:
  • Carry out fresh Vulnerability Assessment/Penetration Testing (VA/PT) of their infrastructure.
  • Negate vulnerabilities/ backdoors present in their infrastructure. CISOs are advised to carry out an audit of equipment/ components used against known vulnerabilities and patch/ find remediation.
  • Monitor network traffic for flags such as unknown IPs, increased traffic, unauthorized access etc. 
  • Use updated anti-virus and ensure your current vendor has coverage for these hashes.
  • Check the IP category in their Firewall for blocking the suspicious IPs (Complete list).
  • Check the Domains category in Proxy, to ensure the suspicious domains (Complete list) are categorized as malicious.
  • Search for existing signs of the IOCs (Complete list) in their environment and email systems.
  • Perform China Geo-based blocking if there is no business with China.
  • Monitor the emails that are received from IDs similar to: "[email protected]*
  • Facilitate immediate education/ re-education for all staff to protect against phishing/ spear-phishing attacks. 
  • Warn employees against:
    • Opening or clicking on attachments in unsolicited emails, SMS or messages through Social Media. 
    • Opening attachments, even if the sender appears to be known
    • Unfamiliar e-mail addresses and emails and websites that contain spelling and grammatical errors. 
    • Submitting personal financial details on unfamiliar or unknown websites / links. 
    • E-mails or links providing special offers like COVID-19 testing, financial aid, prizes, rewards, cashback offers, etc. 
    • Providing login credentials or clicking a link without checking the integrity of URLs. 
  • Instruct employees to use:
    • Safe Browsing tools
    • Filtering tools (antivirus and content-based filtering) in antivirus, firewall, and filtering services. 
    • Update spam filters with latest spam mail contents. 
    • Leverage Pretty Good Privacy in mail communications. 
    • Encrypt/ protect sensitive documents stored in the internet facing machines to avoid potential leakage. 
  • Immediately report any unusual activity or attack to [email protected], along with the relevant logs and email headers, for the analysis of the attacks, and take further appropriate actions. 
 

Indicator of Compromise (IoC) to be on the lookout for

IP Addresses

The following IP ranges have been suspected of targeting Indian infrastructure and need to be blocked on respective firewalls. In case the IP range is in use or likely to cause business disruption, constant Network Traffic Analysis (NTA) should be carried out to detect, flag, and obviate suspicious activity.
49.85.84.0/24 61.111.20.129/32 62.217.245.69/32
109.166.202.229/32 172.217.37.3/32 177.8.217.2/32
18.231.105.181/32 183.192.201.12/32 187.93.134.179/32
191.5.217.90/32 200.7.120.241/32 61.220.8.0/22
162.158.0.0/16 162.158.128.0/17 172.0.0.0/8
180.122.83.0/24 47.110.46.0/24 61.191.84.0/24
139.219.10.0/24 103.45.251.0/24 123.207.98.0/24
222.133.169.0/24 222.133.164.0/24 117.158.65.0/24
60.31.213.0/24 117.65.81.0/24 114.233.8.0/24
183.196.97.0/24 47.240.73.77 114.67.110.37
 

Hashes

Hash
Algorithm
File Type
db89750a7fab01f50b1eefaf83a00060 MD-5 DOC
bd665cd2c7468002f863558dbe110467 MD-5 N/A
d8aa162bc3e178558c8829df189bff88 MD-5 N/A
9c2ee383d235a702c5ad70b1444efb4d MD-5 EXE
6208516f759accb98f967ff1369c2f72 MD-5 N/A
9632bec3bf5caa71d091f08d6701d5d8 MD-5 N/A
a7662d43bb06f31d2152c4f0af039b6e MD-5 N/A
5cd9b0858b48d87b9622da8170ce8e5d MD-5 DOCX
 

E-mail IDs

E-mail ID
IP Addresses
[email protected] 47.240.73.77
114.67.110.37
 

Domains

userimage8.360doc[.]com
image91.360doc[.]com
welcome.toutiao[.]com
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts
Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action
November 15, 2023
CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks
November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more