China’s MSS Targeted Major European MSP: Report

Security researchers have discovered another Chinese state-sponsored APT campaign, this time targeting a major European MSP with the likely intent of stealing IP from its customers.

Recorded Future and Rapid7 claimed in a new co-authored report that the notorious APT10 group, linked to China’s fearsome Ministry of State Security (MSS), was responsible for the campaign, running between November 2017 and September 2018.

It is said to have targeted Norwegian provider Visma, which has 850,000 customers around the globe, as well as a multi-national clothing giant and a US law firm with strong experience in IP law and clients in pharma, tech, automotive and other sectors.

The initial entry point in all three cases was stolen Citrix/LogMeIn credentials, enabling remote network access.

“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware,” the report continued.

“During the Visma intrusion, APT10 deployed their Trochilus malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers rather than the typically observed RC4 variant. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, known to have only been used by APT10.”

Visma data was compressed using WinRAR and exfiltrated to a Dropbox account using the cURL for Windows command-line tool. The same account was used to store data from the other breaches.

The MSS has been previously blamed for Operation Cloud Hopper, a major multi-year campaign targeting MSPs around the world which resulted in the indictment of two suspected state hackers late last year.

“Unfortunately, this is the type of nefarious behavior we witness regularly, but there are steps organizations can take to combat these issues. For example, we recommend implementing two-factor authentication for everything,” advised Rapid7 principal MDR analyst, Eoin Miller.

“Additionally, strengthening the reviews of authentication attempts against low cost VPN providers or 'out of the norm' networks or countries for an individual user is equally important. Organizations should also consider implementing extremely strict application white-listing on sensitive systems.”
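One way to run the per-user authentication review described above, as an added example that is not from the report, Rapid7 or Recorded Future. The VPN range list, the three-login baseline threshold and the log records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed): documentation address ranges stand in for real networks.
LOW_COST_VPN_NETS = [ip_network("203.0.113.0/24")]  # hypothetical VPN-provider range list
BASELINE_MIN = 3  # successful logins required before a user has a "norm"

# Constructed remote-access log: (timestamp, user, source IP, country, success)
EVENTS = [
    ("2018-08-01T08:02", "alice", "192.0.2.10", "NO", True),
    ("2018-08-02T08:05", "alice", "192.0.2.10", "NO", True),
    ("2018-08-03T07:58", "alice", "192.0.2.11", "NO", True),
    ("2018-08-03T09:00", "bob", "198.51.100.20", "DE", True),
    ("2018-08-04T02:14", "alice", "203.0.113.45", "NL", True),
    ("2018-08-04T08:01", "alice", "192.0.2.10", "NO", True),
    ("2018-08-05T02:20", "alice", "203.0.113.45", "NL", True),
    ("2018-08-05T03:00", "alice", "198.51.100.7", "US", False),
    ("2018-08-06T10:00", "bob", "203.0.113.9", "DE", True),
]


def review_logins(events, vpn_nets=LOW_COST_VPN_NETS, baseline_min=BASELINE_MIN):
    """Return (timestamp, user, success, reasons) for attempts that need analyst review."""
    seen = defaultdict(lambda: defaultdict(int))  # user -> country -> accepted logins
    findings = []
    for ts, user, ip, country, success in sorted(events):
        history = seen[user]
        reasons = []
        if any(ip_address(ip) in net for net in vpn_nets):
            reasons.append("low-cost VPN range")
        if sum(history.values()) >= baseline_min and country not in history:
            reasons.append(f"new country {country}")
        if reasons:
            findings.append((ts, user, success, reasons))
        elif success:
            # Only clean, successful logins extend the baseline, so a repeated
            # anomalous login cannot normalise itself.
            history[country] += 1
    return findings


if __name__ == "__main__":
    for finding in review_logins(EVENTS):
        print(finding)
```

Users with fewer than three accepted logins have no baseline yet, so only the VPN-range check applies to them.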
