Last month, SecureWorld News covered the curious case of two companies with Chinese operations, local taxes, and a secret digital backdoor.
"A Chinese bank forced two organizations, a UK-based technology and software vendor and a major financial institution, to download a software package in order to pay local taxes.
But the bank left out a critical detail about the software: it included malware."
Trustwave called the backdoor GoldenSpy, issuing a warning about the threat.
The companies received an uninstaller for the backdoor. But a few weeks later, Trustwave discovered another backdoor, this time named GoldenHelper.
Now, the U.S. Federal Bureau of Investigation has weighed in on this Chinese malware whack-a-mole.
FBI issues new warning against Chinese tax software
In a recent FBI Flash alert, the Bureau warned of backdoors hidden in Chinese tax software.
The caution is particularly important if your company has offices in China and operates in one of the three industries the alert singles out.
The FBI identifies these groups as particularly at risk, given China's previous targeting of the chemical and finance sectors, paired with recent concerns about China's role in COVID-19 data theft.
According to the alert, this threat is believed to have existed since 2016, and the alert describes earlier encounters that predate the June 2020 GoldenSpy incident:
"In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com.
Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company's network."
The FBI offers these mitigation strategies for at-risk companies:
- Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers for known vulnerabilities and software processing Internet data, such as web browsers, browser plugins, and document readers.
- Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
- Strengthen credential requirements and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Change passwords and do not reuse passwords for multiple accounts.
- Develop a network baseline to allow for the identification of anomalous account activity. Identify and suspend access of users exhibiting unusual activity.
- Network device management interfaces, such as Telnet, SSH, Winbox, and HTTP, should be turned off for WAN interfaces and secured with strong passwords and encryption when enabled.
- When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data.
- Be mindful of new and existing cyber infrastructure for work and bioscience collaborations.
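One way to put the "network baseline" recommendation above into practice, as an added example that is not part of the FBI alert or the original article: a small Python script that learns each account's usual source hosts and logon hours from historical logon records, then flags new events that break that pattern (new host, off-hours logon, or an account never seen before). The log format, host names, account names and the one-hour slack window are all assumptions made for this illustration, and both log sets are constructed sample data, not real telemetry.

```python
"""Baseline normal account activity, then flag logons that deviate from it.

Added example (not the FBI's or SecureWorld's code). The log line format
"<ISO timestamp> <user> <src_host> <action>" is an assumption for illustration;
in practice you would feed this from Windows Security event 4624 or a SIEM export.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed historical records used to learn what "normal" looks like.
BASELINE_LOGS = """\
2020-06-01T09:02:11 alice WS-FIN-01 logon
2020-06-01T17:40:03 alice WS-FIN-01 logoff
2020-06-02T08:55:40 alice WS-FIN-01 logon
2020-06-02T09:10:12 bob WS-ENG-07 logon
2020-06-03T09:00:01 bob WS-ENG-07 logon
2020-06-03T10:20:30 svc-tax TAX-APP-01 logon
2020-06-04T10:21:00 svc-tax TAX-APP-01 logon
"""

# Constructed new records to evaluate against the baseline.
NEW_LOGS = """\
2020-06-20T09:05:00 alice WS-FIN-01 logon
2020-06-20T03:12:45 alice WS-FIN-01 logon
2020-06-20T11:00:00 bob WS-FIN-01 logon
2020-06-21T02:30:00 svc-tax TAX-APP-01 logon
2020-06-21T02:31:00 svc-tax DC-01 logon
2020-06-21T02:32:00 mallory DC-01 logon
"""


@dataclass
class UserBaseline:
    """Hosts an account has logged on from, and the hours of day it did so."""
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse(lines):
    """Yield (timestamp, user, host, action) from the assumed log format."""
    for raw in lines.strip().splitlines():
        ts, user, host, action = raw.split()
        yield datetime.fromisoformat(ts), user, host, action


def build_baseline(lines):
    """Learn per-account source hosts and logon hours from historical logons."""
    baseline = defaultdict(UserBaseline)
    for ts, user, host, action in parse(lines):
        if action != "logon":  # only interactive logons define the baseline
            continue
        baseline[user].hosts.add(host)
        baseline[user].hours.add(ts.hour)
    return dict(baseline)


def find_anomalies(baseline, lines, slack_hours=1):
    """Return logon events that fall outside the learned baseline, with reasons."""
    findings = []
    for ts, user, host, action in parse(lines):
        if action != "logon":
            continue
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("unknown account")
        else:
            if host not in known.hosts:
                reasons.append(f"new host {host}")
            # Allow a little slack around the observed hour range, clamped to 0-23.
            lo = max(0, min(known.hours) - slack_hours)
            hi = min(23, max(known.hours) + slack_hours)
            if not lo <= ts.hour <= hi:
                reasons.append(f"off-hours logon at {ts.hour:02d}h (baseline {lo:02d}-{hi:02d}h)")
        if reasons:
            findings.append({"time": ts.isoformat(), "user": user, "host": host, "reasons": reasons})
    return findings


def users_to_review(findings):
    """Accounts with at least one anomaly: candidates for suspension pending review."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for f in find_anomalies(base, NEW_LOGS):
        print(f["time"], f["user"], f["host"], "; ".join(f["reasons"]))
    print("review:", users_to_review(find_anomalies(base, NEW_LOGS)))
```

The point of the baseline is that a service account such as the tax software's own identity normally touches one host at one time of day; a 02:31 logon from a domain controller stands out only because the ordinary pattern was recorded first. Real deployments would baseline over weeks, not days, and key on more than hour and host (logon type, process, destination), but the shape of the check is the same.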
Geopolitics and cybersecurity
For more on nation-state threat actors, including geopolitics and cybersecurity, listen to our podcast episode with CNN military analyst and retired Air Force Colonel, Cedric Leighton: