FBI Warns US Firms About Malware in Chinese Tax SoftwareAlert Follows Trustwave Reports on Hidden Backdoors
In a private industry alert. the FBI warns U.S. firms of possible malware hidden in tax software the Chinese government requires companies doing business in the nation to use.
The warning follows two reports issued by security firm Trustwave that describe malware designed to provide backdoor access to corporate networks, gain administrative privileges and deliver additional payloads. This malicious code was hidden within software that the Chinese government requires all companies that are registered to conduct business in the nation - including foreign-owned firms - to use in order to pay value-added taxes (see: Malware Hidden in Chinese Tax Software).
The FBI alert does not blame the Chinese government directly for planting the malware in the tax software, but the bureau does note that hacking groups have tried to target specific companies, including U.S. firms, operating in China for the last several years.
"Although all companies conducting business in China may be vulnerable to such activity, the U.S. healthcare and chemical sectors have been a common target of Chinese cyber operations for many years," according to the alert published Thursday. "Pharmaceutical companies form a critical interdependency between the manufacturing components of the chemical sector and the supply chain of the Healthcare and Public Health Sector."
The FBI alert notes that as of March 2019, at least two "Western companies" operating in China detected malware that was delivered through Chinese vendors that were responsible for releasing tax software upgrades following changes in 2018 to China's value-added tax laws.
Only two companies, Aisino Corp. and Baiwang Co., distribute the official value-added tax invoicing software in China, according to the FBI and the Trustwave reports.
GoldenSpy and GoldenHelper
In June and July, Trustwave SpiderLabs researchers issued two reports about backdoors that they identified in official tax software issued by the Chinese government.
The first report identified a backdoor the researchers called GoldenSpy, which was found in Intelligent Tax software that China's state-run banks require companies to use to help pay local taxes. This malware appears to have still been active as of April, according to the report.
A second Trustwave report identified a separate backdoor called GoldenHelper, which was hidden in the Golden Tax Invoicing software required by the Chinese government. This malware appears to have been active between January 2018 and July 2019. The command-and-control server associated with the malware expired in January, researchers say.
Although the GoldenHelper and GoldenSpy malware variants have their own features, the Trustwave researchers found that the backdoors used similar delivery methods.
The FBI alert notes that in 2018, an unnamed U.S. pharmaceutical company that has some operations in China downloaded tax software distributed by Baiwang. A year later, the company's security team noted an update to the software.
"Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program," according to the FBI. "In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company's network."
Trustwave noted that since the release of the two reports, other companies have approached the security firm with similar concerns about the tax software required by China's government.
"Since we've worked with the FBI, we have been approached by dozens of organizations who were impacted by GoldenSpy and GoldenHelper," Brian Hussey, vice president of threat detection and response at Trustwave, tells Information Security Media Group. "As time goes on, the list of companies that have been victimized grows exponentially, as verified by the FBI's publication of their recent FLASH alert. This story has clearly grown from a fascinating look into a novel malware campaign, to a significant threat to national security."
In the alert, the FBI recommends that U.S. companies operating in China follow some basic security procedures to prevent intrusions when using the tax software, including:
- Patch all systems for critical vulnerabilities, including prioritizing patching of internet-connected servers with known vulnerabilities. U.S. firms should also apply patches to software such as web browsers, browser plugins and document readers.
- Scan and monitor web applications for unauthorized access, modification and anomalous activities.
- Implement multifactor authenticationm particularly for webmail and VPN access and for accounts that could access critical systems.
- Segment critical data within "air-gapped" systems and use strict access control measures for this critical data.
Managing Editor Scott Ferguson contributed to this report.