As the Chinese government turns to virtual private networks (VPNs) to provide access to official resources for those working remotely amid the COVID-19 pandemic, the DarkHotel APT has seized the opportunity to target those VPNs in a zero-day attack, researchers said.
According to security analysts from Chinese firm Qihoo 360, attacks began in March on a Chinese VPN provider called SangFor, used by a number of Chinese governmental agencies. At least 200 VPN servers connecting to multiple endpoints were compromised as of the first week of April, they added.
The researchers said that the victims include Chinese agencies in Afghanistan, Armenia, Ethiopia, India, Indonesia, Iran, Israel, Italy, Kyrgyzstan, Malaysia, North Korea, Pakistan, Saudi Arabia, Tajikistan, Thailand, Turkey, UAE, United Kingdom and Vietnam; and, domestic government institutions in Beijing and Shanghai.
“Once VPNs are controlled by threat actors, the internal assets of many enterprises and institutions will be exposed to the public network, and the loss will be immeasurable,” Qihoo 360 researchers wrote in a posting on Monday.
The attack was carried out using a zero-day exploit, the firm found, adding that the campaign is complex and required a good deal of skill to execute.
“The vulnerability exists in an update that is triggered automatically when the VPN client starts to connect to the server,” according to the firm, which reported the bug to SangFor. “The client will obtain [an] update from the configuration file at a fixed location on the connected VPN server, and download a program called SangforUD.exe.”
The client unfortunately doesn’t make any security checks before downloading the executable. As a result, the researchers said, attackers can hijack the session, alter the update configuration file and replace the update program with their own malicious code.
“When users of the victim agencies used VPN clients, the update process triggered by default was hijacked by the hackers,” the researchers explained. “The update program was replaced and embedded with a backdoor…The attacker imitated the signature of legitimate program to disguise the backdoor and it is hard for a common user to distinguish.”
The vulnerability was found in a server version that SangFor released in 2014. The vendor issued a patch for the bug on Monday, and any admins running the software are encouraged to update their server software versions.
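The weakness described above, an auto-update path that accepts whatever executable the server returns, shown beside a hardened form, as an added Go example that is not part of the article or of SangFor's product. The manifest layout, the Ed25519 signing step and the pinned-key plus version check are assumptions about how such an updater could be built; the payload bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the updater receives: version, executable bytes, detached Ed25519 signature.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds version to payload so an old signed payload cannot be replayed as a newer version.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}
// vulnerableApply mirrors the article: whatever the server returns is run (here: returned) unchecked.
func vulnerableApply(u Update) []byte { return u.Payload }
// hardenedApply: signature must verify under the key pinned in the client, and version must be newer.
func hardenedApply(pinned ed25519.PublicKey, installed uint32, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("rejected: signature does not verify under pinned key")
	}
	if u.Version <= installed {
		return nil, errors.New("rejected: version is not newer than installed")
	}
	return u.Payload, nil
}
// signUpdate is the assumed vendor-side step (not the vendor's real process).
func signUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client would pin
	good := signUpdate(priv, 2, []byte("constructed: genuine updater bytes"))
	swapped := good
	swapped.Payload = []byte("constructed: payload replaced in transit")
	fmt.Printf("vulnerable client runs: %q\n", vulnerableApply(swapped))
	if _, err := hardenedApply(pub, 1, swapped); err != nil { fmt.Println("hardened client:", err) }
}
```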
A Sophisticated Attack
Once the backdoor program executes as part of what the client believes is a normal update process, it sets up communication with a remote command-and-control (C2) server. It then downloads shellcode for execution.
The shellcode does a few things, starting with fingerprinting the infected machine. It collects the host’s IP and MAC addresses, system version, running processes and other software and hardware information, and sends it along to the C2.
Next, it installs various malicious libraries (DLL components) to set up persistence and load the core backdoor component, which is named thinmon.dll.
“Thinmon.dll will decrypt another encrypted file, ‘sangfor_tmp_1.dat,’ issued by the cloud, and start the .dat file in one of the three ways: Loading, thread-starting or injecting process,” the researchers explained.
The .dat file in turn offers attackers complete access to the infected endpoint.
“When VPN users log in successfully, their devices will be fully trusted,” they wrote. “Therefore, it can be said that a large number of endpoint devices have been under the control of the attackers.”
They added, “The attacker sophisticatedly designed the backdoor control method and executed the code by completely issuing shellcode from the cloud. The entire attack process is very complicated and concealed.”
Potential Attribution: DarkHotel
Qihoo 360 researchers have attributed the attack to DarkHotel, an APT associated with carrying out prior cyberespionage efforts in China, North Korea, Japan and the United States.
DarkHotel was first identified in 2014 by Kaspersky researchers, who said at the time that the group had been active since at least 2007. The APT first became known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels – but it has widened its targeting over the years, while continuing to leverage zero-day vulnerabilities and exploits.
Earlier in 2020, DarkHotel was seen using Office documents for targeted attacks using a zero-day in Internet Explorer, and was fingered as the culprit behind a March attack on the World Health Organization (WHO). In that effort, the APT may have been looking for information on tests, vaccines or trial cures, according to researchers.
“This time, DarkHotel attacked many Chinese overseas agencies by breaking through VPN services,” according to Qihoo 360, which said that it arrived at its attribution conclusion via reverse engineering and code analysis. “Is it intended to spy upon China’s medical technology and virus-control measures during the epidemic? Is it also possible that, by attacking Chinese overseas agencies, the group’s real purpose is to grasp the supply transport routes, quantity and equipment of the quarantine materials that China sends to other countries around the world? What’s more, is it aiming at further probing into the medical data of the epidemic in more countries? At this special time, is Darkhotel intended to obtain the national epidemic data and economic recovery strategy of China?”
This speculation – and lack of attribution indicators in the post – caught the attention of at least one observer. Kaspersky researcher Brian Bartholomew tweeted that “in the future, there needs to be more supporting data to support claims.”
I’m going to be a bit blunt here. This write-up is full of speculation, no evidence this was actually DarkHotel, and a ton of confirmation bias about targeting because of Covid. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims https://t.co/2K1ajklUwp
— Brian Bartholomew (@Mao_Ware) April 6, 2020
Qihoo 360 did not immediately respond to a request for comment.