Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

FBI Issues Alert on Use of Chinese Tax Software

The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.

The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.

In late June, security researchers at Trustwave published a report on a piece of malware that was dropped into the environment of an organization doing businesses in China through tax software that is mandatory in the country.

The threat, which Trustwave named GoldenSpy, was delivered to an organization via software from the Golden Tax Department of Aisino Corporation, and it appears to have been in use since 2016. Once installed, it provides SYSTEM-level backdoor access to the network.

Within days after the initial report was published, an uninstaller was delivered to compromised organizations through the update service of the tax software, and all traces of GoldenSpy were erased.

Weeks later, Trustwave published information on another piece of malware deployed through mandatory tax software onto the networks of organizations doing business in China. Referred to as GoldenHelper and dated prior to GoldenSpy, this malware family was dropped by software from Baiwang.

Last week, the FBI issued an alert to warn healthcare, chemical, and finance organizations in the United States of “potential targeting activity by the Chinese government against their business and operational components based in China.”

The alert points out that tax software provided by Chinese banks to at least two Western organizations doing business in the country would install a backdoor supposedly allowing “cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”

The FBI notes that all foreign companies in China might be at risk, and that the US healthcare and chemical industries have long been targeted by Chinese cyber spies.

Advertisement. Scroll to continue reading.

“Pharmaceutical companies form a critical interdependency between the manufacturing components of the chemical sector and the supply chain of the Healthcare and Public Health Sector. Compromise of the pharmaceutical supply chain provides malicious actors opportunities for theft of US intellectual property, while public disclosure can cause cascading effects including loss of public trust in both chemical and healthcare institutions,” the alert reads.

The FBI underlines that the use of software from Baiwang and Aisino, the only tax software service providers authorized to operate the value added tax (VAT) system in China, represents a risk to US organizations, especially in the light of Trustwave’s discoveries.

The alert also contains indicators of compromise (IoC) and recommendations on how organizations can mitigate such intrusions. The FBI plans on publishing a more detailed technical analysis at a later date.

Related: Researchers Find More Malware Delivered via Chinese Tax Software

Related: ‘GoldenSpy’ Malware Hidden In Chinese Tax Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.