A large hacking operation has been uncovered: Chinese government agencies and their employees were attacked by foreign state-sponsored hackers known as DarkHotel.
According to Qihoo, the Chinese security company that uncovered the intrusions, the hackers began the operation last month, and it may be linked to the current COVID-19 pandemic.
The hackers used a zero-day vulnerability in Sangfor VPN servers to gain remote access to government and enterprise networks.
Qihoo reported that the hackers infiltrated about 200 VPN servers in the campaign. Of these, 174 belong to government agencies in Shanghai and Beijing and to Chinese diplomatic missions abroad.
The affected diplomatic missions are in Israel, Armenia, the UAE, Thailand, Indonesia, Pakistan, Ethiopia, Iran, Turkey, the United Kingdom, Italy, India, Saudi Arabia, Afghanistan, Tajikistan, and Vietnam.
Qihoo published a report today stating that the attack pattern was sophisticated, which points to a government-sponsored actor.
The hackers used the zero-day to gain access to Sangfor VPN servers and replaced the file SangforUD.exe with a booby-trapped version. That file delivers updates for the Sangfor VPN desktop client, which employees install when they connect to the Sangfor servers and, through them, to their workstations.
According to the researchers, when employees connected to a compromised Sangfor VPN server they were offered an automatic update to the desktop client. What they actually received was the booby-trapped SangforUD.exe, which then installed a backdoor Trojan on their systems.
Qihoo said its research team was able to attribute the campaign to the DarkHotel group. The group is known to operate around the Korean peninsula, but it is not known whether it is based in South or North Korea.
DarkHotel has been active since 2007 and is regarded as one of the most sophisticated government-backed hacking groups.
Google published a report on the group last month, stating that it used more zero-day vulnerabilities last year than any other government-sponsored operation. The group appears to have picked up where it left off.
“We are only a few months into the year, but there are already three zero-day attacks from DarkHotel, with the Sangfor VPN zero-day being the third,” said Qihoo.
The group has also used zero-days in the Internet Explorer and Firefox browsers to attack government institutions in Japan and China.
Qihoo pointed out that the attack on Chinese government agencies may be linked to the COVID-19 pandemic: DarkHotel may be after information about the strategic plans the Chinese government put in place to handle the outbreak.
The attack on Chinese government agencies is in line with the group's recent operation against the World Health Organization (WHO). Two weeks ago the group targeted the WHO, the international organization coordinating the global response to the pandemic.
Qihoo said that after discovering the attack it contacted Sangfor on April 3 with details. Sangfor declined to comment on the attacks but published an advisory stating that only Sangfor servers running firmware versions M6.1 and M6.3R1 are vulnerable; servers running other versions are not affected by the zero-day used by DarkHotel. Administrators should confirm the firmware version on each appliance rather than assume it falls outside the affected range.
Sangfor said it will have patches for the vulnerability ready by tomorrow: the patch for the SSL VPN server is due today, and patches for older versions will follow tomorrow.
The company also plans to release a script that deletes the files installed by DarkHotel, and another that checks whether a VPN server has been infiltrated.
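The two technical points in this story are the trojanized auto-update (a client that installs whatever the VPN server hands it) and the server-side sweep for tampered files that Sangfor said it would ship. The example below is added here to illustrate both; it is not Sangfor's updater, not Qihoo's tooling, and not the script Sangfor plans to release. The file paths, the updater bytes and the compromised-server snapshot are all constructed for the illustration. It pins a SHA-256 hash obtained out-of-band to stay standard-library only; a real client should additionally validate the vendor's code signature on the downloaded binary, and the baseline manifest must be stored off the appliance so a compromised server cannot rewrite it.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample data (not real Sangfor artefacts): the genuine updater
# bytes and the tampered substitute an attacker dropped in its place.
GENUINE_UPDATER = b"SangforUD.exe: genuine updater (constructed sample)"
TROJANIZED_UPDATER = GENUINE_UPDATER + b" + backdoor dropper stub"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an update artefact."""
    return hashlib.sha256(data).hexdigest()


# Baseline manifest recorded from a known-good server and kept OFF the VPN
# appliance. Paths are hypothetical.
KNOWN_GOOD_MANIFEST: Dict[str, str] = {
    "/update/SangforUD.exe": sha256_hex(GENUINE_UPDATER),
    "/update/config.ini": sha256_hex(b"[update]\nchannel=stable\n"),
}

# Constructed snapshot of a compromised server: the updater was replaced,
# config.ini is intact, and an extra payload file appeared.
COMPROMISED_SERVER_SNAPSHOT: Dict[str, bytes] = {
    "/update/SangforUD.exe": TROJANIZED_UPDATER,
    "/update/config.ini": b"[update]\nchannel=stable\n",
    "/update/dropper.dll": b"constructed second-stage payload",
}


def install_unverified(server_blob: bytes) -> bytes:
    """Weak client: executes whatever the VPN server serves as the updater.
    This is the pattern the attack abuses. Returns the bytes that would run."""
    return server_blob


def is_genuine_update(server_blob: bytes, pinned_sha256: str) -> bool:
    """Constant-time comparison of the served updater against a pinned hash."""
    return hmac.compare_digest(sha256_hex(server_blob), pinned_sha256)


def install_verified(server_blob: bytes, pinned_sha256: str) -> bytes:
    """Hardened client: refuses to install unless the artefact matches the
    pinned hash (in production, also the vendor's code signature)."""
    if not is_genuine_update(server_blob, pinned_sha256):
        raise ValueError("update integrity check failed: refusing to install")
    return server_blob


def audit_server_files(files: Dict[str, bytes],
                       manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Server-side sweep: compare the update directory with the off-box
    manifest and report each path as ok, modified, missing or unexpected,
    so a responder can spot a replaced updater or a dropped payload."""
    findings: List[Tuple[str, str]] = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append((path, "missing"))
        elif not hmac.compare_digest(sha256_hex(files[path]), expected):
            findings.append((path, "modified"))
        else:
            findings.append((path, "ok"))
    for path in files:
        if path not in manifest:
            findings.append((path, "unexpected"))
    return sorted(findings)


if __name__ == "__main__":
    pinned = KNOWN_GOOD_MANIFEST["/update/SangforUD.exe"]
    # The weak client happily runs the trojanized updater.
    print("unverified installs:", install_unverified(TROJANIZED_UPDATER))
    # The hardened client rejects it.
    try:
        install_verified(TROJANIZED_UPDATER, pinned)
    except ValueError as exc:
        print("verified client:", exc)
    # The sweep flags the replaced updater and the extra payload.
    for path, status in audit_server_files(COMPROMISED_SERVER_SNAPSHOT, KNOWN_GOOD_MANIFEST):
        print(f"{status:<10} {path}")
```

Run stand-alone, the script shows the weak client accepting the tampered updater, the hardened client refusing it, and the sweep reporting the replaced SangforUD.exe as modified and the extra file as unexpected.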