19 November 2020

China-linked hackers caught exploiting ZeroLogon vulnerability in attacks against Japanese orgs

A large-scale cyber espionage campaign is underway with a focus on Japanese companies in multiple sectors, with the automotive, pharmaceutical, and engineering sectors, as well as managed service providers (MSPs), being the top targets. That’s according to a new report from Symantec, a division of Broadcom.

The campaign appears to be the work of a well-resourced group known as Cicada (APT10, Stone Panda, Cloud Hopper) thought to be operating out of China. Cicada has been conducting espionage-type operations since 2009, and has historically been known to target Japan-linked organizations.

Cicada's latest campaign has been active since mid-October 2019 and has continued up to at least October this year, with the hackers active on the networks of some of their victims for close to a year. In this recent campaign the attackers used a previously undocumented custom backdoor, named Backdoor.Hartip by Symantec, as well as multiple living-off-the-land, dual-use, and publicly available tools and techniques, such as DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting provider for the download, packaging, and exfiltration of stolen information.

The latest addition to the group’s arsenal is a tool capable of exploiting the ZeroLogon vulnerability (CVE-2020-1472), the elevation-of-privilege flaw in Windows, which allows attackers to spoof a domain controller account and then potentially use it to steal domain credentials, take over the domain, and completely compromise all Active Directory identity services. The vulnerability was patched by Microsoft on August 11, 2020. Over the past months, numerous reports emerged about the vulnerability being exploited in targeted attacks, namely by Iranian hackers.
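A defender-side check, added here as an example and not taken from the Symantec report: it scans domain controller Security log records for the two artifacts a ZeroLogon-style machine account password reset leaves behind. It assumes the log has been exported as JSON, one record per line, using the EventData field names; the sample records are constructed.

```python
import json

# Windows Security event IDs relevant to Netlogon abuse on a domain controller.
COMPUTER_ACCOUNT_CHANGED = 4742    # "A computer account was changed" (covers password resets)
VULNERABLE_NETLOGON_ALLOWED = 5829 # added by the August 2020 update: a vulnerable
                                   # Netlogon secure channel connection was allowed

# Constructed sample records (assumption: JSON export with EventData field names).
SAMPLE_EVENTS = [
    # DC machine account password changed by an unauthenticated caller: exploitation pattern
    '{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"}',
    # Routine rotation performed by the machine itself: benign
    '{"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"}',
    # A client still negotiating the insecure Netlogon channel the patch warns about
    '{"EventID": 5829, "SamAccountName": "WS07$", "Computer": "DC01.corp.example"}',
    # Unrelated logon event
    '{"EventID": 4624, "SubjectUserName": "alice", "Computer": "DC01.corp.example"}',
]

def find_zerologon_indicators(records):
    """Return (event_id, account, reason) for each record matching a ZeroLogon pattern."""
    findings = []
    for raw in records:
        ev = json.loads(raw)
        eid = ev.get("EventID")
        if eid == COMPUTER_ACCOUNT_CHANGED:
            subject = ev.get("SubjectUserName", "")
            target = ev.get("TargetUserName", "")
            # Exploitation resets a machine account password over an unauthenticated
            # Netlogon session, so the subject shows up as ANONYMOUS LOGON rather than
            # the account itself or an administrator.
            if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$"):
                findings.append((eid, target, "machine account password changed by ANONYMOUS LOGON"))
        elif eid == VULNERABLE_NETLOGON_ALLOWED:
            # Not exploitation by itself, but a host the DC would still accept an
            # insecure channel from; worth triage before enforcement mode is enabled.
            findings.append((eid, ev.get("SamAccountName", "?"), "vulnerable Netlogon secure channel allowed"))
    return findings

if __name__ == "__main__":
    for eid, account, reason in find_zerologon_indicators(SAMPLE_EVENTS):
        print(f"event {eid}: {account}: {reason}")
```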

“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous. Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor that has not been observed by Symantec before show that it continues to evolve its tools and tactics to actively target its victims,” the researchers noted.
