A large-scale cyber espionage campaign is underway with a focus on Japanese companies in multiple sectors, with the automotive, pharmaceutical, and engineering sectors, as well as managed service providers (MSPs), among the top targets. That’s according to a new report from Symantec, a division of Broadcom.
The campaign appears to be the work of a well-resourced group known as Cicada (APT10, Stone Panda, Cloud Hopper) thought to be operating out of China. Cicada has been conducting espionage-type operations since 2009, and has historically been known to target Japan-linked organizations.
Cicada's latest campaign has been active since mid-October 2019 and has continued up to at least October this year, with the hackers active on the networks of some victims for close to a year. In this recent campaign the attackers used a previously undocumented custom backdoor, named Backdoor.Hartip by Symantec, alongside multiple living-off-the-land, dual-use, and publicly available tools and techniques: DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting provider for the packaging, download, and exfiltration of stolen information.
The latest addition to the group’s arsenal is a tool capable of exploiting the ZeroLogon vulnerability (CVE-2020-1472), the elevation-of-privilege flaw in Windows that allows attackers to spoof a domain controller account and then potentially use it to steal domain credentials, take over the domain, and completely compromise all Active Directory identity services. The vulnerability was patched by Microsoft on August 11, 2020. Over the past few months, numerous reports have emerged about the vulnerability being exploited in targeted attacks, namely by Iranian hackers.
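As an added illustration of how a defender can look for the ZeroLogon abuse described above (this is example code, not part of the Symantec report): the script below scans parsed Windows Security events for two public indicators, a domain controller's own machine account being changed by ANONYMOUS LOGON (event 4742) and the Netlogon monitoring events added by the August 2020 patch (5827/5829). The field names, the `DC_ACCOUNTS` set and the sample events are constructed assumptions.

```python
from typing import Optional

# Constructed assumption: the machine accounts of this domain's controllers.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def is_zerologon_indicator(ev: dict) -> Optional[str]:
    """Return a short finding for an event consistent with ZeroLogon abuse, else None."""
    eid = ev.get("EventID")

    # 4742 "A computer account was changed": exploitation of CVE-2020-1472 shows
    # up as the DC's own machine account being altered by an anonymous caller.
    if eid == 4742:
        subject = ev.get("SubjectUserName", "").upper()
        target = ev.get("TargetUserName", "")
        if subject == "ANONYMOUS LOGON" and target in DC_ACCOUNTS:
            return f"DC machine account {target} changed by ANONYMOUS LOGON (4742)"

    # 5827: a vulnerable Netlogon secure channel from a machine account was denied.
    # 5829: one was allowed because enforcement mode is not yet turned on.
    if eid in (5827, 5829):
        return f"vulnerable Netlogon secure channel from {ev.get('TargetUserName')} ({eid})"

    return None


def scan(events) -> list:
    """Run the indicator check over an iterable of parsed events."""
    findings = []
    for ev in events:
        hit = is_zerologon_indicator(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not real logs): one DC account reset by an anonymous
# caller, one routine computer-account change, one unpatched device still using a
# vulnerable secure channel, and one unrelated logon.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"EventID": 4742, "SubjectUserName": "svc_sccm", "TargetUserName": "WS-0042$"},
    {"EventID": 5829, "TargetUserName": "OLDPRINTER$", "IpAddress": "10.0.5.7"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the events would come from a SIEM or Windows Event Forwarding rather than an inline list; a 4742 hit on a DC account from an anonymous subject warrants immediate incident response, while a stream of 5829 events points at devices that will break once Netlogon enforcement is enabled.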
“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous. Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor that has not been observed by Symantec before show that it continues to evolve its tools and tactics to actively target its victims,” the researchers noted.