7 April 2020

DarkHotel APT uses VPN zero-day in attacks on Chinese government servers

Security researchers from the Chinese security firm Qihoo 360 have discovered a large-scale hacking campaign aimed at Chinese government agencies. The campaign, which is believed to have been carried out by the DarkHotel APT, began in March and targeted VPN servers from the Chinese vendor Sangfor that are used by a number of Chinese government agencies. At least 200 VPN servers connecting to multiple endpoints were compromised, the threat intelligence team said.

The targets included Chinese government institutions abroad in Afghanistan, Armenia, Ethiopia, India, Indonesia, Iran, Israel, Italy, Kyrgyzstan, Malaysia, North Korea, Pakistan, Saudi Arabia, Tajikistan, Thailand, Turkey, UAE, United Kingdom and Vietnam, as well as domestic government institutions in Beijing and Shanghai.

To compromise the Sangfor VPN deployments, the threat actor exploited a vulnerability in the VPN client's update mechanism, which runs automatically whenever the client connects to the server. Using this bug, the attackers were able to replace SangforUD.exe (the update package for the Sangfor VPN desktop client used to connect to Sangfor VPN servers) with a backdoored clone of their own, so that clients connecting to a compromised server received the trojanized file instead of the genuine update.

This allowed the attackers to plant a backdoor on the target devices and execute code via shellcode fetched from cloud infrastructure. The entire attack, the researchers said, is sophisticated and well concealed. The shellcode gathers system information and sends it to the command-and-control server. In the second stage, the backdoor installs malicious DLL components, which persist on the system by hijacking the printer service.
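The update-mechanism flaw described above amounts to a client that runs whatever update the server it connects to hands it, so an attacker who controls the server controls every client. The following Python is an added example, not Sangfor's code and not anything from the Qihoo 360 report: it contrasts that pattern with a client that refuses an update unless it verifies against a key pinned at build time. The binaries, manifest format, key material and names (VENDOR_KEY, ATTACKER_KEY, install_insecure, install_verified) are constructed for illustration, and HMAC-SHA256 stands in for a real asymmetric code signature so the example runs on the standard library alone.

```python
"""
Toy model of a VPN client's auto-update step.  Example code written for this
page; it is not the Sangfor client or anything derived from it.

install_insecure  - the vulnerable pattern: write what the server sent, then run it.
install_verified  - the hardened pattern: bind the bytes to a manifest and the
                    manifest to a key pinned in the client before anything is
                    written to disk.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional

UPDATE_NAME = "SangforUD.exe"

# Constructed stand-ins for the real binaries (these are not PE files).
GENUINE_UPDATE = b"MZ\x90\x00 genuine updater stand-in"
BACKDOORED_UPDATE = b"MZ\x90\x00 backdoored clone stand-in"

# Assumed key material.  HMAC-SHA256 stands in for an asymmetric signature
# (Authenticode or similar) so this runs on the standard library alone; a real
# client pins a *public* key, so a compromised server cannot sign anything.
VENDOR_KEY = b"vendor-release-signing-key (assumption)"
ATTACKER_KEY = b"key held by whoever controls the VPN server"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(payload: bytes, key: bytes) -> dict:
    """Build the manifest the update server ships alongside the binary."""
    digest = sha256_hex(payload)
    sig = hmac.new(key, f"{UPDATE_NAME}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"name": UPDATE_NAME, "sha256": digest, "sig": sig}


def install_insecure(payload: bytes, dest_dir: str) -> str:
    """Vulnerable: trust the server, write the file, return the path to execute."""
    path = os.path.join(dest_dir, UPDATE_NAME)
    with open(path, "wb") as f:
        f.write(payload)
    return path  # the caller goes on to execute this file


def install_verified(payload: bytes, manifest: dict, dest_dir: str) -> Optional[str]:
    """Hardened: returns the path on success, None on any failure (nothing written)."""
    if manifest.get("name") != UPDATE_NAME:
        return None
    # 1. The bytes we received must be the bytes the manifest describes.
    if not hmac.compare_digest(sha256_hex(payload), manifest.get("sha256", "")):
        return None
    # 2. The manifest must carry a signature only the vendor key can produce.
    expected = hmac.new(
        VENDOR_KEY, f"{UPDATE_NAME}:{manifest['sha256']}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return None
    path = os.path.join(dest_dir, UPDATE_NAME)
    with open(path, "wb") as f:
        f.write(payload)
    return path


def demo() -> dict:
    """Run the four scenarios and report which ones would have executed the file."""
    with tempfile.TemporaryDirectory() as d:
        good_manifest = sign_manifest(GENUINE_UPDATE, VENDOR_KEY)
        # A compromised server can re-sign the clone, but only with a key it holds.
        forged_manifest = sign_manifest(BACKDOORED_UPDATE, ATTACKER_KEY)
        return {
            "insecure_runs_clone": install_insecure(BACKDOORED_UPDATE, d) is not None,
            "verified_runs_genuine": install_verified(GENUINE_UPDATE, good_manifest, d) is not None,
            "verified_rejects_swapped_binary": install_verified(BACKDOORED_UPDATE, good_manifest, d) is None,
            "verified_rejects_forged_manifest": install_verified(BACKDOORED_UPDATE, forged_manifest, d) is None,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged-manifest case is the one that matters for the scenario on this page: once the attacker controls the VPN server, a hash or manifest served from that same server proves nothing, because the attacker writes it. Only a verification key that lives in the client, whose signing counterpart never touches the server, blocks a swapped SangforUD.exe. With an HMAC the two halves are the same secret, which is why a production client must check a public-key signature (for a Windows binary, Authenticode) on the downloaded file rather than anything the server asserts about itself.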

The security firm reported the zero-day vulnerability to Sangfor on April 3. The vendor confirmed that Sangfor VPN servers running firmware versions M6.3R1 and M6.1 are vulnerable.

DarkHotel is an advanced persistent threat group believed to operate from East Asia. Active since at least 2007, it is known for a long-running series of cyber-espionage campaigns against corporate executives, government agencies, the defense and electronics industries, and other important sectors in China, North Korea, Japan, Myanmar, Russia and other countries.
