A feature within the IPv6 network protocol has been abused for years by a Chinese hacker group called “TheWizards.” ESET has uncovered their methods.
The group targets potential victims in various Southeast Asian countries, the United Arab Emirates, and China itself. ESET calls the cyber attackers’ tool “Spellbinder.”
SLAAC attack
The tool enables TheWizards to exploit the Stateless Address Autoconfiguration (SLAAC) feature. SLAAC lets devices derive their own IP address and default gateway from Router Advertisement (RA) messages, without relying on a DHCP server. That flexibility is also dangerous: hosts accept RA messages from any sender on the local link, so an RA from an untrustworthy source can make them adopt an attacker-controlled IPv6 gateway, which redirects their internet traffic to it.
Spellbinder enters organizations’ IT environments via an archive that appears legitimate. Once Spellbinder is in the system memory, it scans for domains of legitimate Chinese software updates. However, instead of a regular update, a malicious variant is downloaded, after which a backdoor called “WizardNet” ends up on the victim’s device.
From that moment on, the attackers can move laterally through the network to steal data or deploy other malware.
Need IPv6?
Those who do not need IPv6 for their own IT environment can prevent attacks like this by relying solely on IPv4 traffic. Those who do need this protocol are advised by ESET to keep an eye on it.
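As an added, defender-side example (not code from ESET or from the report) covering both the rogue-RA mechanism described above and the advice to monitor IPv6: a small Python detector that parses raw Ethernet frames and flags Router Advertisements that do not come from an allowlisted router, or that violate the link-local and hop-limit rules every valid RA must satisfy. The allowlist and the frames built by `build_ra` are constructed assumptions.

```python
import struct
import ipaddress

# Constructed allowlist: link-layer addresses of the routers that may send RAs
# on this segment (an assumption; populate it from your own inventory).
KNOWN_ROUTERS = {"00:11:22:33:44:55"}
ETH_HDR, IPV6_HDR, ICMPV6_RA, PREFIX_OPT = 14, 40, 134, 3

def build_ra(src_mac, src_ip, prefix, plen=64, lifetime=1800, hop_limit=255):
    """Build an Ethernet/IPv6/ICMPv6 Router Advertisement as constructed sample
    input. The ICMPv6 checksum is left zero; the detector does not verify it."""
    opt = struct.pack("!BBBBIII", PREFIX_OPT, 4, plen, 0xC0, 2592000, 604800, 0)
    opt += ipaddress.IPv6Address(prefix).packed          # prefix information option
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0) + opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001" + src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + icmp

def parse_ra(frame):
    """Return the RA fields of a raw frame, or None if it is not an ICMPv6 RA."""
    if len(frame) < ETH_HDR + IPV6_HDR + 16 or frame[12:14] != b"\x86\xdd":
        return None
    ip6, icmp = frame[ETH_HDR:ETH_HDR + IPV6_HDR], frame[ETH_HDR + IPV6_HDR:]
    if ip6[6] != 58 or icmp[0] != ICMPV6_RA:   # next header must be ICMPv6, type 134
        return None
    ra = {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
          "src_ip": ipaddress.IPv6Address(ip6[8:24]), "hop_limit": ip6[7],
          "router_lifetime": struct.unpack("!H", icmp[6:8])[0], "prefixes": []}
    off = 16                                    # options follow the fixed RA header
    while off + 2 <= len(icmp) and icmp[off + 1] > 0:
        if icmp[off] == PREFIX_OPT and icmp[off + 1] == 4 and off + 32 <= len(icmp):
            ra["prefixes"].append(f"{ipaddress.IPv6Address(icmp[off+16:off+32])}/{icmp[off+2]}")
        off += icmp[off + 1] * 8                # option length is in units of 8 bytes
    return ra

def classify_ra(frame):
    """Return (fields, reasons). A non-empty reasons list marks the RA as suspect."""
    ra = parse_ra(frame)
    if ra is None:
        return None, []
    reasons = []
    if ra["src_mac"] not in KNOWN_ROUTERS:
        reasons.append("sender is not a known router")
    if not ra["src_ip"].is_link_local:          # RFC 4861: RA source must be link-local
        reasons.append("source address is not link-local")
    if ra["hop_limit"] != 255:                  # RFC 4861: hop limit must be 255
        reasons.append("hop limit is not 255")
    return ra, reasons
```

Feed `classify_ra` the frames from a capture of `ff02::1` traffic on a segment; an alert on a MAC outside the allowlist is the signal that a rogue gateway is being advertised, and `router_lifetime` and `prefixes` tell you what the hosts were offered.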
It is striking that this Chinese hacker group has managed to keep this Adversary-in-the-Middle (AitM) attack out of the spotlight of security researchers for so long. Now that this threat is known, organizations that may be affected will need to act on this new information.