Threat Research

How attackers got access to the systems of the National Games of China

Avast Threat Labs 4 Feb 2022

The Winter Olympics are here — so are related digital vulnerabilities

Today, the Winter Olympics will kick off in Beijing. China has recently had its own, national sporting event: On September 15, 2021, the National Games of China began in the Chinese city of Shaanxi. This is an event similar to the Olympics, but it solely hosts athletes from China.

In early September, Avast threat researcher David Álvarez found a malware sample with a suspicious file extension and decided to investigate where it came from. Following that, he also found a report submitted by the National Games IT team to VirusTotal on an attack against a server associated with the Games. The Avast Threat Labs has recently published their own research on the incident based on publicly accessible information about it. 

The report contained access logs from the web-server and SQL database, which provided our threat researchers with partial information about the attack. The researchers were able to correlate this report with malware samples they discovered. 

The analysis shows attackers were able to gain access to a system hosting content for the National Games by exploiting a vulnerability in the web server. From there, they were able to load webshells, reconfigure servers and load tools, including a network scanner and a one-click exploitation framework.

Based on the report and our researchers’ own findings, it appears that the breach was successfully resolved prior to the start of the Games. Our team’s researchers were unable to detail what actions the attackers may have taken against the broader network and couldn’t make any conclusive attribution of the attackers, though they have reason to believe they are either native Chinese language speakers or show high fluency in Chinese.

Security advice for organizations and businesses

The procedure followed by the attackers hacking the 14th National Games of China isn’t new. They gained access to the system by exploiting a vulnerability in the web server. This shows the need for updating software, configuring it properly, and being aware of possible new vulnerabilities in applications by using vulnerability scanners.

The most fundamental security countermeasure for defenders consists in keeping the infrastructure up to date in terms of patching (especially for the internet-facing infrastructure).

Prevention should be the first priority for both internal and internet-facing infrastructure.

To protect against this kind of attack, it’s important to deploy more layers of protection (such as SELinux and Endpoint Detection and Response solutions) so that you can detect and quickly act when a successful intrusion happens

After gaining access, the attackers tried to move through the network using exploits and brute forcing services in an automated way. Since getting to this point is very possible for attackers, defenders must be prepared. Real-time monitoring of computer systems and networks is the right way to do that.

Want to know more? You’ll find the complete details on our Decoded blog.