DarkHotel (APT-C-06) Attacks Chinese Institutions Abroad by Exploiting a Sangfor VPN Vulnerability
2020-04-05 23:57:47 Author: blogs.360.cn

Recently, Qihoo 360 detected an APT attack that delivered malicious files by hijacking the security services of a domestic VPN vendor. We have reported the vulnerability details to the vendor and received confirmation. Further reverse engineering attributes the attack to Darkhotel (APT-C-06), an APT group operating from the Korean Peninsula. Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad have come under attack. In early April, the attack spread to government agencies in Beijing and Shanghai.

Monitoring and analysis also indicate that a large number of VPN servers, and the endpoint devices of the organizations that use them, are under the attackers' control.

VPN (Virtual Private Network): A kind of secured communication tunnel that extends a private network across a public network and enables remote users and branch offices to access corporate applications and resources as if their computing devices were directly connected to the private network.

During the global battle against the coronavirus pandemic in particular, VPNs play an indispensable role in the remote work of enterprises and government agencies, and this way of working is surging. As the pandemic continues to spread, security experts have also raised concerns about VPN security: once a VPN is controlled by a threat actor, the internal assets of the organization behind it are exposed to the public network, and the loss can be immeasurable.

All these worries came earlier than we expected.

With society shutting down, remote working is preferred under the pandemic

According to media reports, as of 2:03 am on April 3 (Beijing Time), the number of confirmed cases of COVID-19 in the world has exceeded 1 million, reaching 1,000,168 cases in total, with a death toll of 51,354.

The coronavirus outbreak hit global society hard at the beginning of 2020. However, where there is suffering, there is also reform and hope. As lockdowns have been imposed in more and more countries, remote working has been considered and embraced by state enterprises and institutions.

As we already know, the core of telecommuting is the VPN. This also means that once a VPN vulnerability is exploited by an attacker, every unit that relies on that VPN for remote work is exposed to a predictable risk.

Qihoo 360 detected attacks by the Darkhotel Group against Chinese diplomatic missions through hijacked VPN servers

Recently, Qihoo 360 captured malicious samples delivered through the hijacked security services of a domestic VPN vendor. The targeted attack was initiated by Darkhotel (APT-C-06), a Peninsula APT group, against Chinese institutions abroad and related government units. So far, a large number of VPN users have been attacked.


What is Darkhotel?

Darkhotel is an advanced persistent threat gang that operates from East Asia and is behind a long-running series of cyberespionage-focused campaigns against corporate executives, government agencies, defense industry, electronics industry and other important institutions. Its footprints in the cyber realm are all over China, North Korea, Japan, Myanmar, Russia and other countries. Their operations can be traced back to as early as 2007.

This is not the first time Darkhotel has attacked China. Earlier, Qihoo 360 captured two 0-day exploits (CVE-2019-17026 and CVE-2020-0674) used by this Peninsula APT group against Chinese government and commercial agencies around the time Microsoft ended support for Windows 7.

How did it attack this time?

Initially, Qihoo 360 observed malicious behavior in its security monitoring system. When users of the victim agency used the VPN client, the upgrade process that the client triggers by default was hijacked: the attackers had replaced the upgrade program with a version embedded with a backdoor:


Further investigation found that the attacker had breached the targets' VPN server and replaced a program on it with a backdoor. The attacker imitated the digital signature of the legitimate program to disguise the backdoor, which an ordinary user can hardly distinguish from the real one.


Figure 1 Signature comparison between the Trojan (left) and normal upgrade program (right)

Qihoo 360 then reconstructed the attack chain and found that the APT group used a deeply hidden vulnerability in the VPN client. The vulnerability lies in an upgrade routine that runs by default when the client starts to connect to a server. The client fetches an upgrade configuration file from a fixed location on the connected VPN server and, based on it, downloads a program named SangforUD.exe. Because of a lack of security awareness on the developers' side, the whole upgrade flow is unsafe: the client only compares the version number of the upgrade program and performs no other security check, neither on the configuration file nor on the downloaded binary. The flaw means that an attacker who has compromised the VPN server can tamper with the upgrade configuration file, replace the upgrade program, and then push a backdoor to any user device at will.


Figure 2 Vulnerable code in the client of a domestic VPN manufacturer
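To make the weakness concrete, here is an added example (not Sangfor's code and not from Qihoo 360's analysis) that models the upgrade check in Python. The "server" is a dictionary standing in for the upgrade configuration file and the SangforUD.exe fetched from the VPN server; the vendor signature is an HMAC stand-in for a real code-signing signature checked against a pinned publisher, and VENDOR_SIGNING_KEY, the version strings and the sample binaries are constructed for the demonstration. The vulnerable path accepts anything with a higher version number, which is exactly what a compromised VPN server can serve; the hardened path verifies the vendor signature over the version and the binary hash, checks the binary against that hash, and refuses downgrades.

```python
"""Added example: a model of the version-only upgrade check and a hardened
replacement. Not Sangfor's code; the vendor key, versions and binaries are
constructed for the demonstration."""
import hashlib
import hmac

# Assumed: the vendor signs releases with a key that never sits on the VPN
# server. A real client would verify a code-signing (Authenticode) signature
# against a pinned publisher certificate; the HMAC here plays that role.
VENDOR_SIGNING_KEY = b"vendor-offline-signing-key (simulated)"


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def sign_release(version: str, binary: bytes) -> dict:
    """Vendor side: manifest binding the version to the hash of the binary,
    signed so that neither field can be changed on the VPN server."""
    digest = hashlib.sha256(binary).hexdigest()
    sig = hmac.new(VENDOR_SIGNING_KEY, f"{version}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "sig": sig}


def vulnerable_update(installed: str, server_cfg: dict, server_binary: bytes):
    """Mirrors the flaw described above: compare version numbers, then run
    whatever the VPN server served as SangforUD.exe."""
    if version_tuple(server_cfg["version"]) > version_tuple(installed):
        return "run", server_binary
    return "skip", None


def hardened_update(installed: str, server_cfg: dict, server_binary: bytes):
    """Anchor trust in the vendor signature, not in the server. Order matters:
    verify the manifest first, then the binary against the signed hash, then
    refuse downgrades so a validly signed but older (vulnerable) build is not
    reinstalled."""
    msg = f"{server_cfg.get('version', '')}:{server_cfg.get('sha256', '')}".encode()
    expected_sig = hmac.new(VENDOR_SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, str(server_cfg.get("sig", ""))):
        return "reject", "bad manifest signature"
    actual = hashlib.sha256(server_binary).hexdigest()
    if not hmac.compare_digest(actual, server_cfg["sha256"]):
        return "reject", "binary does not match signed hash"
    if version_tuple(server_cfg["version"]) <= version_tuple(installed):
        return "skip", "not newer than installed version"
    return "run", server_binary


def demo() -> dict:
    """Constructed scenarios: a genuine release, a server-side swap of the
    binary behind a genuine manifest, a forged manifest, and a downgrade."""
    installed = "7.6.1"
    genuine = b"MZ genuine SangforUD.exe (constructed)"
    backdoor = b"MZ trojanised SangforUD.exe (constructed)"
    legit_cfg = sign_release("7.6.2", genuine)
    # An attacker controlling the VPN server can write any config but lacks the key.
    forged_cfg = {"version": "7.6.3", "sha256": hashlib.sha256(backdoor).hexdigest(), "sig": "00" * 32}
    return {
        "vulnerable_forged": vulnerable_update(installed, forged_cfg, backdoor)[0],
        "hardened_forged": hardened_update(installed, forged_cfg, backdoor)[0],
        "hardened_swapped": hardened_update(installed, legit_cfg, backdoor)[0],
        "hardened_genuine": hardened_update(installed, legit_cfg, genuine)[0],
        "hardened_downgrade": hardened_update("7.6.5", legit_cfg, genuine)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that the VPN server is only a transport: the client's trust has to be anchored in something the server cannot forge, and a version comparison on its own protects against nothing. "Has a signature" is also not enough, since the attacker here imitated one; the check must bind the binary to the expected publisher.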

Finally, Qihoo 360 located the backdoor program. The attacker designed a sophisticated control method for the backdoor: all of its code is delivered as shellcode from the cloud (the attacker's C&C server) and executed in memory. The entire attack process is complex and well concealed.


Figure 3 Backdoor attack process

After the backdoor program starts, it first creates a thread that contacts the remote C&C server and downloads shellcode for execution.


Figure 4 Recovered pseudocode of the shellcode execution routine

The first-stage shellcode collects the terminal's IP address, MAC address, system version, process list and other software and hardware information and uploads it to the remote C&C server.


Figure 5 Recovered first-stage shellcode

In the second-stage shellcode, the backdoor installs malicious DLL components that persist on the system by hijacking the printer service. This persistence method abuses an old, legitimately signed system file (a "white file"): the attacker modifies the registry and installs an old version of the printer component TPWinPrn.dll that has a DLL hijacking defect, then uses this defect to load the core backdoor component, thinmon.dll.


Figure 6 Recovered malicious DLL component (1)

The core backdoor component thinmon.dll decrypts a further encrypted file, sangfor_tmp_1.dat, delivered from the C&C server, and executes it in one of three ways: loading it in-process, starting it in a new thread, or injecting it into another process. The .dat payload finally carries out the malicious operations by interacting with the server.


Figure 7 Recovered malicious DLL component (2)
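For defenders, the stages above (a trojanized SangforUD.exe, a registry change under the print subsystem, and the print service loading TPWinPrn.dll and then thinmon.dll) each leave endpoint telemetry. The following added example, which is not part of the original post, runs three simple rules over constructed Sysmon-style events. The event layout, the publisher name, the registry key under HKLM\SYSTEM\CurrentControlSet\Control\Print, the assumption that spoolsv.exe is the process that loads the hijacked DLLs, and all file paths are assumptions of the example and should be replaced with values from the real environment.

```python
"""Added example: detection of the backdoor's persistence chain over constructed
endpoint telemetry. Not code from the original post; all names, keys and paths
are assumptions of this example."""
from dataclasses import dataclass

EXPECTED_SIGNER = "Sangfor Technologies Inc."  # assumed publisher string for the updater
# Assumed: the backdoor registers its print component somewhere under this key.
PRINT_KEY_PREFIX = "hklm\\system\\currentcontrolset\\control\\print\\"
# Assumed: DLLs under these prefixes are vendor-installed; anything else counts as writable.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
HIJACK_DLLS = {"tpwinprn.dll", "thinmon.dll"}  # names taken from the analysis above


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def untrusted_path(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_PREFIXES)


def detect(events):
    """Three rules, one per stage of the chain. Each event is a dict with at
    least 'type' and 'host'; the other keys mirror common Sysmon/EDR fields."""
    alerts = []
    for e in events:
        kind, host, image = e["type"], e["host"], e.get("image", "")
        if kind == "process_create" and basename(image) == "sangforud.exe":
            # Stage 1: the updater must carry a valid signature from the expected
            # publisher. A copied or imitated signature fails the validity check.
            if e.get("signer") != EXPECTED_SIGNER or not e.get("sig_valid"):
                alerts.append(Alert("updater_signature_mismatch", host,
                                    f"{image} signer={e.get('signer')!r} valid={e.get('sig_valid')}"))
        elif kind == "registry_set" and e.get("key", "").lower().startswith(PRINT_KEY_PREFIX):
            # Stage 2: a print-subsystem value now points at a DLL outside trusted dirs.
            data = e.get("data", "")
            if data.lower().endswith(".dll") and untrusted_path(data):
                alerts.append(Alert("print_registry_tamper", host, f"{image} set {e['key']} -> {data}"))
        elif kind == "image_load" and basename(image) == "spoolsv.exe":
            # Stage 3: the print service loads one of the named DLLs from a
            # writable location, or an unsigned copy of it.
            module = e.get("module", "")
            if basename(module) in HIJACK_DLLS and (untrusted_path(module) or not e.get("sig_valid")):
                alerts.append(Alert("print_service_dll_hijack", host, f"spoolsv.exe loaded {module}"))
    return alerts


# Constructed sample telemetry (not real logs): one clean VPN client update
# followed by the compromised chain on the same host.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "pc-01", "image": "C:\\Program Files\\Sangfor\\SSL\\SangforUD.exe",
     "signer": "Sangfor Technologies Inc.", "sig_valid": True},
    {"type": "process_create", "host": "pc-01", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\SangforUD.exe",
     "signer": "Sangfor Technologies Inc.", "sig_valid": False},      # imitated signature
    {"type": "registry_set", "host": "pc-01", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\SangforUD.exe",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\Example Monitor\\Driver",
     "data": "C:\\ProgramData\\prt\\TPWinPrn.dll"},
    {"type": "image_load", "host": "pc-01", "image": "C:\\Windows\\System32\\spoolsv.exe",
     "module": "C:\\Windows\\System32\\localspl.dll", "sig_valid": True},
    {"type": "image_load", "host": "pc-01", "image": "C:\\Windows\\System32\\spoolsv.exe",
     "module": "C:\\ProgramData\\prt\\TPWinPrn.dll", "sig_valid": True},   # old but genuinely signed
    {"type": "image_load", "host": "pc-01", "image": "C:\\Windows\\System32\\spoolsv.exe",
     "module": "C:\\ProgramData\\prt\\thinmon.dll", "sig_valid": False},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The third rule is deliberately written around the "white file" trick: TPWinPrn.dll itself passes a signature check because it is a real, old vendor binary, so the rule keys on where it was loaded from rather than on whether it is signed, and only thinmon.dll is caught by the signature condition.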

Why did Darkhotel (APT-C-06) launch the attack? What are the threats it posed?

At this moment, governments around the world are almost all struggling with the COVID-19 coronavirus pandemic. The reasons include:

  1. Faced with a sudden outbreak, many governments do not know what measures to take to balance restrictions on the movement of people and traffic against economic development.
  2. At the same time, shortages of medical supplies and epidemic-prevention materials are paralyzing countries.
  3. The rising numbers of confirmed cases and deaths have also caused panic among the public.

All of these may have formed the motives for Darkhotel (APT-C-06) to attack our government and overseas agencies during the outbreak.

Qihoo 360's report indicates that the attacker completely controlled the VPN servers of the above-mentioned agencies and replaced the key upgrade program on them with a backdoor. Because a device that has logged in to the VPN successfully is fully trusted, it can be said that a large number of endpoint devices were also under the attacker's control.

According to Qihoo 360, Chinese agencies in the following countries were attacked:

  • Italy
  • United Kingdom
  • Pakistan
  • Kyrgyzstan
  • Indonesia
  • Thailand
  • UAE
  • Armenia
  • North Korea
  • Israel
  • Vietnam
  • Turkey
  • Malaysia
  • Iran
  • Ethiopia
  • Tajikistan
  • Afghanistan
  • Saudi Arabia
  • India

Imagine it: as the pandemic spreads, diplomatic missions, enterprises and institutions all adopt remote working, and the employees of each unit communicate with headquarters and transfer all sensitive data through the VPN. If the VPN server is compromised at that moment, the consequences are hard to imagine.

Following this line of reasoning, let's go one step further.

Attack targets: multiple Chinese institutions abroad

This year, the coronavirus broke out and quickly entered its global phase. After the Chinese government took strict measures to fight the virus, the outbreak has now been brought under control in China, but the pandemic is still ongoing in many countries. China, upholding the principle that the world is a community with a shared future for mankind, has been providing all kinds of support to affected countries, especially neighboring ones, including medical technology, equipment, experience and professional personnel.

From the pandemic perspective: this time, Darkhotel attacked many Chinese overseas agencies by breaking into their VPN services. Is it intended to spy on China's medical technology and virus-control measures during the epidemic? Or is the group's real purpose in attacking Chinese overseas agencies to learn the transport routes, quantities and equipment of the quarantine materials that China sends to other countries? Is it also aiming to probe the epidemic medical data of more countries?

From an economic point of view: another speculation is that the group wants to understand the relationships between China and other countries by analyzing political and economic transaction data and economic mitigation measures, in order to promote the rise of its own national economy and rebalance the interests of various countries after the pandemic.

Attack targets: Beijing, Shanghai and other relevant government units

During the pandemic lockdown, major enterprises and institutions have adopted cloud-based working. Various remedial measures, economic decisions, work-resumption notices and corporate data have been issued or returned through VPN services. At this special time, is Darkhotel trying to obtain China's national epidemic data and economic recovery strategy?

Qihoo 360 monitoring found that the following government agencies were attacked:

(The list of affected government agencies was published as images in the original post.)

Why was the VPN the point of breach?

Analysis of the vulnerability found that the server of the attacked domestic VPN vendor was running version XXX. R1. This version was released in 2014, is very old, and carries many known security vulnerabilities.


At the same time, operations and maintenance staff of the relevant unit had, for convenience, leaked a large amount of sensitive data about the clients they maintained, such as backend operating system information, source code, usernames and passwords, on publicly accessible work pages. Two lists of the leaked IP addresses were found at:

http://yuan*.cn/*/*.html

http://yuan*.cn/*/*.html


It is precisely because of security vulnerabilities in critical infrastructure and the weak security awareness of the relevant personnel that the VPN server was compromised.

The vulnerability reporting timeline

  • April 3, 2020: Qihoo 360 reported the vulnerability to the Sangfor Security Response Center. Sangfor confirmed it and assigned the vulnerability number SRC-2020-281 for follow-up.

  • April 6, 2020: Sangfor officially released a security bulletin and began its vulnerability response.

Qihoo 360 recommends the following mitigations:

  1. Administrators should follow the vendor's guidance to upgrade the VPN server to the latest version and install security patches.
  2. Restrict access to the VPN server's management console port (4430) from any external network or untrusted IP address, to block attacks against the VPN server itself.
  3. Strengthen account protection with strong passwords to prevent the administrator password from being brute-forced.
  4. VPN users should avoid using EasyConnect to connect to untrusted VPN servers.
  5. VPN users are advised to use 360 Security Guard to fully scan all disks and enable real-time protection against attacks exploiting this vulnerability.

Qihoo 360 – Threat Intelligence Center

Since 2014, the Qihoo 360 Advanced Threat Intelligence Center has achieved rapid reverse engineering and correlation analysis by integrating massive amounts of security big data. It has exclusively discovered more than 40 APT groups and a number of APT operations against China launched by nation-state threat actors using in-the-wild 0-days, which has greatly enriched domestic research in this field. Its research shows that the earliest attacks against China date back to 2007 and that tens of thousands of devices across 31 provinces have been affected. APT attacks discovered by Qihoo 360 and by security vendors from other countries both show that China is one of the main victims of APT attacks.


Source: http://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html