Courtesy of AhnLab

AhnLab and the National Cyber Security Center (NCSC) released a report on the 23rd analyzing the coordinated cyber attack activities of "TA-ShadowCricket," an APT (Advanced Persistent Threat) group believed to be linked to China.

"TA-ShadowCricket" is presumed to have been active since 2012. Its hallmark is gaining entry through exposed Windows servers, either via the Remote Desktop Protocol (RDP) or via connections to MS-SQL databases, and then maintaining covert control over the compromised systems for extended periods. AhnLab and NCSC secured and analyzed an actual Command & Control (C&C) server operated by the group, confirming that over 2,000 systems worldwide were infected, 457 of them located in South Korea.

Unlike typical intrusions, the group held control of infected systems for a long time without making monetary demands or leaking data, instead implanting backdoor malware to ensure prolonged access. The backdoor was embedded in legitimate executable files, which made it hard to detect, and the infected systems could have been used at any time for distributed denial of service (DDoS) attacks or as a staging point for further intrusions.

To prevent damage, users should keep their Windows operating systems, MS-SQL servers, and RDP services patched and up to date, use strong passwords, and apply basic security controls such as multi-factor authentication (MFA).

Lee Myung-soo, head of the A-FIRST team at AhnLab's ASEC, noted, "This attack group is a rare example that has quietly controlled thousands of systems for an extended period," adding, "Proactive responses, such as malware removal and disabling C&C servers, are crucial."