A Chinese-linked group of hackers that was thought to be dormant has been quietly targeting companies and government agencies for the last two years gathering useful data after stealing passwords and circumventing two-factor authentication, according to a new report from Netherlands-based Fox-IT. The firm believes that the hackers may belong to a group known as APT20 that is “likely working to support the interests of the Chinese government”.
The global hacking campaign dubbed “Operation Wocao” targeted a wide variety of industries, including aviation, construction, finance, health care, insurance, gambling and energy. The researchers said they have identified victims in 10 countries, including the U.S., the U.K., France, Germany and Italy. Attacks were also carried out in Brazil, Mexico, Portugal and Spain.
The hackers compromise target networks via vulnerable web servers, such as servers running vulnerable versions of JBoss. Often, these servers have already been compromised with web shells placed there by other threat actors.
“The actor actually leverages these other web shells for reconnaissance and initial lateral movement activity. After this initial reconnaissance the actor uploads one of its own web shells to the web server. Access as initially obtained to the compromised web server, for example through the uploaded web shell, is kept by the actor as a precaution in the event of losing the other primary method of persistent access, for example if the credentials for VPN accounts were to be reset,” the researchers explained.
“Just like most actors attempting to gain an extensive foothold into a network, the actor retrieves the credentials from domain administrators from the memory of systems where such credentials are used. Then by logging on to various domain controllers with these credentials, plain-text passwords and hashes are dumped from such servers using ProcDump or Mimikatz”.
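The credential-dumping step the researchers describe above (ProcDump or Mimikatz run against LSASS on domain controllers) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the Fox-IT report: it runs two simple command-line rules over constructed Sysmon-style events and escalates any hit on a host named in an assumed list of domain controllers. Hostnames, users, paths and the event field layout are all assumptions made up for the example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real data.
# The second event models Mimikatz renamed to m.exe, which is why the rules look
# at the command line rather than the image name.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\admin-j", "image": "C:\\Tools\\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"},
    {"host": "DC02", "user": "CORP\\svc-backup", "image": "C:\\Windows\\Temp\\m.exe",
     "cmdline": "m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"host": "WS17", "user": "CORP\\alice", "image": "C:\\Tools\\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma 4812 C:\\Temp\\app.dmp"},  # benign crash dump
    {"host": "WS17", "user": "CORP\\alice", "image": "C:\\Program Files\\Office\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
]

# Assumed inventory of domain controllers; in practice this comes from AD or the CMDB.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Each rule is (name, regex over the command line). The two patterns cover the
# tooling named in the report: ProcDump targeting lsass and Mimikatz's sekurlsa module.
RULES = [
    ("procdump_lsass", re.compile(r"procdump.*\blsass\b", re.IGNORECASE)),
    ("mimikatz_sekurlsa", re.compile(r"sekurlsa::", re.IGNORECASE)),
]


def classify(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def detect_credential_dumping(events, domain_controllers):
    """Flag credential-dump indicators; a hit on a domain controller is critical."""
    alerts = []
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue  # ordinary ProcDump use against another process stays silent
        severity = "critical" if ev["host"] in domain_controllers else "high"
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "rules": hits, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_dumping(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(alert)
```

The benign ProcDump event on the workstation shows why the rule keys on the lsass target rather than on the ProcDump binary alone.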
Once they gain access to the target network, the attackers harvest credentials and attempt to obtain the password for the victim’s password manager using a custom keylogger. They also use the CheckAdmin tool to identify whether privileged users are logged in on a target system. Beyond the tools mentioned above, the group’s hacking arsenal also includes the XServer backdoor, which provides simple backdoor functionality and can act as a proxy; a modified version of a publicly available socket tunnel; a web shell that supports command execution on both Unix and Windows hosts; a reconnaissance VBS script that supports multiple data-retrieval functions; a custom process launcher used to start the keylogger and other processes; and an OS scanner used to determine the OS versions of systems connected to the network.
According to the researchers, in at least one case the group was able to obtain a soft token for the RSA SecurID two-factor authentication system, a token that is typically generated on a separate device such as a hardware token or mobile phone.
The threat actor puts great effort into operational security, removing file-system-based forensic traces of its activity, which makes it much harder for investigators to determine what happened after the fact.
“Overall the actor has been able to stay under the radar even though the tools and techniques they use for their hacking operations are relatively simple and to the point,” the researchers said.