China-linked APT10 leverages ZeroLogon exploits in recent attacks (Security Affairs)

Researchers discovered a large-scale campaign by the China-linked APT10 group targeting companies by exploiting the recently disclosed ZeroLogon vulnerability.

The Symantec Threat Hunter Team, part of Broadcom, has uncovered a global campaign by the China-linked cyber-espionage group APT10 that targets companies by exploiting the recently disclosed ZeroLogon vulnerability.

The group, also known as Cicada, Stone Panda and Cloud Hopper, has been active since at least 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a massive hacking campaign, dubbed Operation Cloud Hopper, aimed at managed service providers (MSPs) in many countries around the world.

The group attempted to exploit the Windows ZeroLogon vulnerability in attacks against Japanese organizations across multiple industries in 17 regions around the world. The targeted sectors are:

  • Automotive
  • Clothing
  • Conglomerates
  • Electronics
  • Technology
  • General trading companies
  • Government
  • Industrial goods
  • Managed service providers
  • Manufacturing
  • Pharmaceutical
  • Professional services

The most recent campaign began in mid-October 2019 and does not appear to be over yet.

APT10 is a well-resourced espionage group that uses many advanced tools and techniques in its attacks. In the recent campaign, the attackers used DLL side-loading and exploited the ZeroLogon vulnerability.

The experts found that the attackers use a wide range of living-off-the-land, dual-use and publicly available tools.

Other techniques used by the group include network reconnaissance, credential theft, command-line tools that can install browser root certificates and decode data, PowerShell scripts, and data exfiltration using RAR archiving and a legitimate cloud hosting service.

The APT10 group also used a custom piece of malware, dubbed Backdoor.Hartip, which had never been seen before.

In the past, information gathering and theft have been the likely motive for Cicada's attacks, and that appears to be the case in this campaign as well. We have seen the attackers archiving a number of files of interest in these attacks, including an organizational folder relating to human resources (HR), audit and expense data, and meeting notes.

Attribution to APT10 is based on multiple pieces of evidence, including the way the code is obfuscated, the use of a third-stage DLL with an export named FuckYouAnti, and the use of QuasarRAT as the final payload.

Cicada clearly still has access to significant resources and expertise to run a campaign as complex and wide-ranging as this one, so the group remains highly dangerous, Symantec concludes. Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and of a custom backdoor […] shows that it continues to evolve its tools and tactics to actively target its victims.

Pierluigi Paganini

(SecurityAffairs – hacking, APT10)
