Chinese cyberespionage operation ToddyCat has launched stealthy, industrial-scale data exfiltration attacks against government entities, including defense organizations, across the Asia-Pacific region using its arsenal of advanced hacking tools, according to The Hacker News.
Aside from using OpenSSH to create a reverse SSH tunnel, ToddyCat has also been using the Ngrok and Krong agents to encrypt command-and-control traffic, along with a renamed version of the SoftEther VPN, a report from Kaspersky showed. ToddyCat's intrusions also involved the open-source FRP client, the WAExp .NET program, the Cuthead .NET compiled executable, and the TomBerBil payload, which exfiltrates browser cookies and credentials, researchers noted.
"To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack," said researchers, who urged organizations to bolster their network defenses by adding the IP addresses and resources of cloud services that provide traffic tunneling to the firewall denylist, and by ensuring that no credentials are stored in browsers.