Winnti Group Targeting Universities In Hong Kong (Jan 31, 2020)
The Advanced Persistent Threat (APT) group Winnti has been identified targeting several unnamed Hong Kong-based universities, according to ESET researchers. The Winnti Group has been active since 2012 and has been involved in well-known supply chain compromises of software vendors and their update channels, including the backdoored CCleaner installer and the trojanized ASUS Live Update utility. The ShadowPad backdoor is a well-known tool of the Winnti Group in its operations. ESET observed malicious files on computers owned by the universities that overlap with known variants of the ShadowPad launcher, which is commonly used by the Winnti Group.
Recommendation: Sophisticated threat groups like Winnti showcase the threat that supply chain attacks pose to any organization; it is therefore paramount that all applications in use by an organization, including their update mechanisms, be properly maintained and monitored for potential malicious activity. Defense-in-depth is the best way to reduce exposure to APT groups like Winnti. Defense-in-depth involves layering defense mechanisms so that no single control is relied upon. This can include network and endpoint security, social engineering training for staff (such as training exercises to help detect phishing emails), and robust threat intelligence capabilities.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.