Report: Chinese Hacking Group Targeted European MSP Serving Hundreds of Thousands of Customers Worldwide

A cyber espionage campaign that targeted at least three companies in the US and Europe between November 2017 and September 2018 was uncovered by Recorded Future and Rapid7, according to a report published by Recorded Future.

“Based on the technical data uncovered, and in light of recent disclosures by the US Department of Justice on the ongoing activities of Chinese state-sponsored threat actors, we assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda, menuPass, CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.

“The targeted companies included the IT and business cloud services managed service provider (MSP) Visma – a billion-dollar Norwegian company with at least 850,000 customers globally; an international apparel company; and a US law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others.

“Rapid7’s investigation revealed the law firm was first targeted in late 2017, followed by the apparel company a few months later, and finally, the Visma attack in August 2018.

“In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials. The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques… to deliver malware.

“In all three incidents, APT10 actors used previously acquired legitimate credentials, possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company.

APT10 actors gained initial access to the Visma network around August 17, 2018, using stolen employee Citrix remote desktop credentials. “This was followed by an initial exploitation, network enumeration, and malicious tool deployment on various Visma endpoints within two weeks of initial access. The theft of enterprise login credentials was conducted within two and a half weeks of initial access.”

“In order to exfiltrate the compromised data, the attackers employed custom malware that used Dropbox as its C2,” the report adds.

“On August 30, 2018, APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading technique. Two separate infection chains leveraging this specific DLL sideloading technique were identified on the Visma network using legitimate known good binaries that had DLL search-order path issues. This means that APT10 actors had two separate access points into the Visma network.”

“We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations. Their unprecedented campaign against MSPs in order to conduct secondary attacks against their clients grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world,” the researchers conclude.