7 April 2020

DarkHotel APT uses VPN zero-day in attacks on Chinese government servers


DarkHotel APT uses VPN zero-day in attacks on Chinese government servers

Security researchers from Chinese security firm Qihoo 360 have discovered a massive hacking campaign aimed at Chinese government agencies. The campaign, which is believed to be carried out by the DarkHotel APT, began in March and targeted a Chinese VPN provider called Sangfor, whose products are used by a number of Chinese governmental agencies. At least 200 VPN servers connecting to multiple endpoints were compromised, the threat intelligence team said.

The targets included Chinese agencies in Afghanistan, Armenia, Ethiopia, India, Indonesia, Iran, Israel, Italy, Kyrgyzstan, Malaysia, North Korea, Pakistan, Saudi Arabia, Tajikistan, Thailand, Turkey, UAE, United Kingdom and Vietnam, as well as domestic government institutions in Beijing and Shanghai.

In order to compromise Sangfor VPN servers, the threat actor exploited a vulnerability in the VPN client’s update mechanism, which is triggered automatically when the VPN client connects to the server. Using this bug, the attackers were able to replace a file named SangforUD.exe (the update for the Sangfor VPN desktop app used to connect to Sangfor VPN servers) with a backdoored clone they created.

This allowed the hackers to plant a backdoor on the target devices and execute code via shellcode fetched from the cloud. The entire attack, researchers said, is very sophisticated and well-concealed. The shellcode gathers system information and sends it to the command and control server. In the second stage, the backdoor installs malicious DLL components, which persist on the system by hijacking the printer service.
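The attack described above hinges on the client accepting whatever file the update endpoint serves. The article does not state the exact defect in Sangfor's mechanism, so the following is an added illustration, not Sangfor's code or Qihoo 360's analysis: a constructed update-client routine in Go that contrasts an unverified install (any substituted SangforUD.exe is accepted) with one that checks a detached Ed25519 signature against a vendor key pinned in the client. The key pair, the `Update` type, the `SignUpdate`, `InstallUnverified`, `InstallVerified` and `Tamper` functions, and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for an update package such as the
// SangforUD.exe file mentioned in the article: the payload bytes plus a
// detached signature produced with the vendor's release key.
type Update struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned when an update does not verify against the pinned vendor key.
var ErrBadSignature = errors.New("update signature does not verify against pinned vendor key")

// SignUpdate is the vendor-side step: sign the payload with the release private key.
func SignUpdate(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// InstallUnverified models the weak behaviour: whatever file arrives from the
// update endpoint is accepted, so a compromised server can substitute it freely.
func InstallUnverified(u Update) ([]byte, error) {
	return u.Payload, nil
}

// InstallVerified models the hardened behaviour: the client embeds the vendor
// public key at build time and refuses any update whose signature does not
// verify, so a substituted payload is rejected even when served by the
// expected endpoint. Signing the file (rather than trusting the transport)
// is what makes the check independent of the server's integrity.
func InstallVerified(pinnedPub ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(pinnedPub, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// Tamper models a substituted update: same file name and signature, different payload.
func Tamper(u Update, replacement []byte) Update {
	return Update{Name: u.Name, Payload: replacement, Signature: u.Signature}
}

func main() {
	// Constructed vendor key pair; a real client would embed only the public half.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, "SangforUD.exe", []byte("genuine update bytes (constructed)"))
	substituted := Tamper(genuine, []byte("substituted payload (constructed)"))

	if _, err := InstallUnverified(substituted); err == nil {
		fmt.Println("unverified client: substituted update accepted")
	}
	if _, err := InstallVerified(pub, substituted); err != nil {
		fmt.Println("verified client:", err)
	}
	if _, err := InstallVerified(pub, genuine); err == nil {
		fmt.Println("verified client: genuine update accepted")
	}
}
```

The verified path rejects the substituted file because the signature was computed over the original bytes; the check fails regardless of which server delivered the file or whether the transport was trusted.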

The security firm reported the zero-day vulnerability to Sangfor on April 3; the vendor confirmed that Sangfor VPN servers running firmware versions M6.3R1 and M6.1 are vulnerable.

DarkHotel is an advanced persistent threat group that is believed to be operating from East Asia. Active since at least 2007, DarkHotel APT has been known for a long-running series of cyber espionage campaigns against corporate executives, government agencies, the defense and electronics industries, and other important sectors in China, North Korea, Japan, Myanmar, Russia and other countries.
