Massive Chinese state-funded hack hits companies around the world, report says | GeekComparison


Researchers have uncovered a massive hacking campaign that uses advanced tools and techniques to compromise the networks of companies around the world.

The hackers, most likely from a well-known group funded by the Chinese government, are equipped with both off-the-shelf and custom tools. One of those tools takes advantage of Zerologon, the name given to a Windows server vulnerability, patched in August, that can immediately give attackers administrative privileges on vulnerable systems.

Symantec uses the codename Cicada for the group, which is widely believed to be funded by the Chinese government and which other research organizations track as APT10, Stone Panda, and Cloud Hopper. The group, which has no relationship or affiliation with any company going by the Cicada name, has been engaged in espionage-style hacking since 2009, targeting companies associated with Japan almost exclusively. While the companies targeted by the recent campaign are in the United States and other countries, they all have ties to Japan or Japanese companies.

On the watch

“Japan-affiliated organizations should be on the alert as it is clear that they are a prime target of this sophisticated and well-equipped group, with the automotive industry appearing to be a key target in this attack campaign,” researchers from security firm Symantec wrote in a report. “However, with the wide range of industries targeted by these attacks, Japanese organizations across all industries should be aware of the risk of this type of activity.”

The attacks make extensive use of DLL side-loading, a technique in which attackers replace a legitimate Windows Dynamic Link Library file with a malicious one. Side-loading lets attackers run malware inside legitimate processes, which helps keep the intrusion from being detected by security software.
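A defender-side triage example for the side-loading pattern described above, added here and not taken from Symantec's report: it scores image-load records (constructed samples using Sysmon Event ID 7 field names) by whether a DLL outside the Windows system directories carries a system DLL's name or lacks a valid signature. The directory list, DLL name list, severity rules and all paths are assumptions made for illustration.

```python
import ntpath  # Windows path rules on any OS, so the example runs offline

# Assumption: default Windows install on C:. Loads from here are not scored.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Constructed short list of DLL names that ship in System32; a real
# deployment would inventory these from a clean reference image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}

def in_system_dir(path):
    folder = ntpath.dirname(path).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in SYSTEM_DIRS)

def assess(event):
    """Return 'high', 'medium' or None for one image-load record."""
    dll = event["ImageLoaded"]
    if in_system_dir(dll):
        return None
    shadows = ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES
    unsigned = event.get("SignatureStatus") != "Valid"
    beside_host = ntpath.dirname(dll).lower() == ntpath.dirname(event["Image"]).lower()
    if shadows and unsigned:
        return "high"    # system DLL name, wrong directory, no valid signature
    if shadows or (unsigned and beside_host):
        return "medium"  # one indicator only: review, do not auto-block
    return None

def triage(events):
    """Return (severity, host image, loaded DLL) for every flagged load."""
    hits = []
    for ev in events:
        severity = assess(ev)
        if severity:
            hits.append((severity, ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Vendor\updater.exe", "ImageLoaded": r"C:\ProgramData\Vendor\version.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Program Files\App\plugin.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Program Files\App\helper.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Medium hits will include legitimate software that ships unsigned DLLs beside its executable, so they are candidates for review against a baseline rather than alerts on their own.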

The campaign also uses a tool capable of exploiting Zerologon. Exploits work by sending a series of zeros in a sequence of messages that use the Netlogon protocol, which Windows servers use to allow users to log in to networks. People with no authentication can use Zerologon to access an organization’s crown jewels: the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

Microsoft patched the critical privilege escalation vulnerability in August, but since then attackers have been using it to compromise organizations that have yet to install the update. Both the FBI and the Department of Homeland Security have urged that systems be patched immediately.

Domain controllers and file servers were among the machines compromised in attacks discovered by Symantec. Investigators from the company also discovered evidence that files had been exfiltrated from some of the compromised machines.

Multiple regions and industries

Targets come from a variety of industries, including:

  • Automotive, with some manufacturers and organizations involved in supplying parts to the automotive industry also targeted, indicating that this is a sector of great interest to the attackers
  • Clothing
  • Conglomerates
  • Electronics
  • Engineering
  • General Trading Companies
  • Government
  • Industrial products
  • Managed Service Providers
  • Production
  • Pharmaceutical
  • Professional services

Below is a map showing the physical location of the targets:


Symantec linked the attacks to Cicada based on digital fingerprints found in the malware and attack code. The fingerprints include obfuscation techniques and shellcode involved in DLL side-loading, as well as the following characteristics noted in this 2019 report from security firm Cylance:

  • Third-stage DLL has an export named “FuckYouAnti”
  • Third-stage DLL uses the CppHostCLR technique to inject and run the .NET loader assembly
  • .NET Loader is obfuscated with ConfuserEx v1.0.0
  • The final payload is QuasarRAT, an open source backdoor used by Cicada in the past

“The scale of operations also points to a group of Cicada’s size and capabilities,” the Symantec researchers wrote. “Attacking multiple large organizations in different regions simultaneously would require significant resources and skills generally only seen in nation-state-backed groups. The link that all victims have with Japan also points to Cicada, which was known to target Japanese organizations in the past.”
