China-linked APT10 leverages ZeroLogon exploits in recent attacks

Researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently-disclosed ZeroLogon vulnerability.

Symantec’s Threat Hunter Team, a Broadcom division, uncovered a global campaign conducted by a China-linked APT10 cyber-espionage group targeting businesses using the recently-disclosed ZeroLogon vulnerability. 

The group, also known as Cicada, Stone Panda, and Cloud Hopper, has been active at least since 2009, in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

The group has been observed while attempting to exploit the Windows Zerologon vulnerability in attacks aimed at Japanese organizations from multiple industry sectors in 17 regions around the globe. Targeted sectors include:

• Automotive
• Clothing
• Conglomerates
• Electronics
• Engineering
• General Trading Company
• Government
• Industrial Products
• Managed Service Providers
• Manufacturing
• Pharmaceutical
• Professional Services

The latest campaign has been active since mid-October in 2019 and appears to be still ongoing.

The APT10 is well-resourced cyberespionage group that employed multiple tools and sophisticated techniques in its attacks. In the recent campaign, the attackers extensively used DLL side-loading and leveraged the ZeroLogon vulnerability.

Experts observed that attackers using a wide variety of living-off-the-land, dual-use, and publicly available tools.

Other attack techniques used by the group are network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting service and data exfiltration.

The APT10 group also employed custom malware, tracked the Backdoor.Hartip, that was never detected before.

“Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too.” reads the report published by Symantec. “We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources (HR), audit and expense data, and meeting memos.”

The attribution to APT10 is based on multiple pieces of evidence, including clues in how code is obfuscated; the use of a Third-stage DLL with an export named “FuckYouAnti,” the use of QuasarRAT as the final payload.

“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec concludes. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT10)

[adrotate banner=”5″]

[adrotate banner=”13″]