Recently, Qihoo 360 detected an APT attack that delivered malicious files through the hijacked upgrade service of a domestic VPN provider. We have reported the vulnerability details to the service provider and received confirmation. Further reversing attributes the attack to Darkhotel (APT-C-06), an APT group operating on the Korean Peninsula. Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad have been attacked. In early April, the attack spread to government agencies in Beijing and Shanghai.
Monitoring and analysis also suggest that a large number of VPN servers and endpoint devices in the affected units have been under the attackers' control.
VPN (Virtual Private Network): a secure communication tunnel that extends a private network across a public network and enables remote users and branch offices to access corporate applications and resources as if their computing devices were directly connected to the private network.
Especially during the global fight against the coronavirus pandemic, VPNs play an indispensable role in remote work for enterprises and government agencies, and this working mode is surging. However, as the pandemic continues to spread, security experts have also raised concerns about VPN security: once a VPN is controlled by a threat actor, the internal assets of the enterprise or institution behind it are exposed to the public network, and the loss can be immeasurable.
All these worries came earlier than we expected.
According to media reports, as of 2:03 am on April 3 (Beijing time), the number of confirmed COVID-19 cases worldwide had exceeded 1 million, reaching 1,000,168 in total, with a death toll of 51,354.
The coronavirus outbreak hit global society hard at the beginning of 2020. However, where there is suffering there is also reform and hope. As lockdowns have been imposed in more and more countries, remote working has been considered and embraced by state enterprises and institutions.
As we already know, the core of telecommuting is the VPN. This also means that once a VPN vulnerability is exploited by an attacker, the whole unit relying on that VPN for remote work is undoubtedly exposed to foreseeable risks.
Recently, Qihoo 360 captured malicious samples delivered through the hijacked upgrade service of a domestic VPN vendor. The targeted attack was carried out by Darkhotel (APT-C-06), a Korean Peninsula APT group, against Chinese institutions abroad and relevant government units. Up to now, a large number of VPN users have been attacked.
Darkhotel is an advanced persistent threat group that operates from East Asia and is behind a long-running series of cyberespionage campaigns against corporate executives, government agencies, the defense industry, the electronics industry and other important institutions. Its footprints in cyberspace cover China, North Korea, Japan, Myanmar, Russia and other countries. Its operations can be traced back to as early as 2007.
This is not the first time Darkhotel has attacked China. Earlier, Qihoo 360 captured two 0-day exploits (CVE-2019-17026 and CVE-2020-0674) used by this Peninsula APT group against Chinese government commercial agencies around the time Microsoft ended Windows 7 support.
Qihoo 360 first observed the malicious behavior in its security monitoring system: when users at the victim agency ran the VPN client, the upgrade process triggered by default had been hijacked. The upgrade program had been replaced by one with an embedded backdoor:
Researchers then found that the attacker had breached the target's VPN server and replaced a program on it with a backdoor. The attacker imitated the signature of the legitimate program to disguise the backdoor, which is hard for an ordinary user to distinguish.
Figure 1 Signature comparison between the Trojan (left) and normal upgrade program (right)
Qihoo 360 then performed a root-cause analysis of the attack and found that the APT group had exploited a deeply hidden vulnerability in the VPN client. The vulnerability lies in an upgrade behavior that is triggered by default when the VPN client starts to connect to the server. The client obtains upgrade information from a configuration file at a fixed location on the connected VPN server and downloads a program called SangforUD.exe. Because the developers lacked security awareness, the entire upgrade process is at risk: the client only compares the version number of the upgrade program and performs no other security check. An attacker who has already compromised the VPN server can therefore tamper with the upgrade configuration file, replace the upgrade program, and push a backdoor to user devices at will.
Figure 2 Vulnerable code in the client of a domestic VPN manufacturer
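The upgrade flow described above, reduced to a runnable model, as an added example that is neither Sangfor's code nor Qihoo 360's: the flawed path compares only the version number, while the hardened path verifies a signed manifest with a key the VPN server never holds, pins the payload hash and refuses rollback. The JSON config layout, VENDOR_KEY, the payload bytes and all function names are constructed for the demonstration; HMAC stands in for an asymmetric signature (Ed25519, or an Authenticode chain checked against a pinned signer) purely so the block runs with the standard library.

```python
"""Added example: the VPN client's version-only upgrade check, as the report
describes it, beside a hardened check.  Config format, key and payloads are
constructed; not Sangfor's code."""
import hashlib
import hmac
import json
from typing import Optional, Tuple


class UpdateRejected(Exception):
    pass


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


# --- the flawed flow, as described in the report ----------------------------
def vulnerable_update(installed: str, config_text: str, payload: bytes) -> Optional[bytes]:
    """Trusts everything read from the VPN server: if the advertised version is
    newer, the downloaded SangforUD.exe is handed back to be executed."""
    cfg = json.loads(config_text)
    if version_tuple(cfg["version"]) > version_tuple(installed):
        return payload
    return None


# --- a hardened flow -------------------------------------------------------
# Stand-in for the vendor's signing key.  In a real client this is a public
# key (or a pinned Authenticode signer) baked into the binary, so a compromised
# VPN server cannot produce a valid signature.  HMAC is used here only so the
# example runs with the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_signed_config(version: str, filename: str, payload: bytes) -> str:
    """What the vendor's build pipeline publishes: a manifest that pins the
    payload hash, plus a signature over the manifest."""
    manifest = {"version": version, "file": filename,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return json.dumps({"manifest": manifest, "signature": sign_manifest(manifest)})


def hardened_update(installed: str, config_text: str, payload: bytes) -> bytes:
    cfg = json.loads(config_text)
    manifest, sig = cfg.get("manifest"), cfg.get("signature", "")
    if not isinstance(manifest, dict):
        raise UpdateRejected("no signed manifest")
    # 1. Authenticate the manifest before trusting anything in it.
    if not hmac.compare_digest(sign_manifest(manifest), sig):
        raise UpdateRejected("manifest signature invalid")
    # 2. Anti-rollback: the server cannot push an older (vulnerable) build.
    if version_tuple(manifest["version"]) <= version_tuple(installed):
        raise UpdateRejected("not newer than installed version")
    # 3. Bind the downloaded bytes to the signed manifest.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("payload hash does not match manifest")
    return payload


def rejection_reason(fn, *args) -> Optional[str]:
    """Run an update function and return why it refused, or None if accepted."""
    try:
        fn(*args)
        return None
    except UpdateRejected as e:
        return str(e)


# --- constructed scenario --------------------------------------------------
INSTALLED = "1.0.2"
GENUINE = b"MZ genuine SangforUD.exe (constructed)"
TROJAN = b"MZ trojanised SangforUD.exe (constructed)"

# What a compromised server can serve to the flawed client: any higher version.
ATTACKER_CONFIG = json.dumps({"version": "9.9.9", "file": "SangforUD.exe"})
# Legitimate release published by the vendor.
GENUINE_CONFIG = make_signed_config("1.1.0", "SangforUD.exe", GENUINE)
# Attacker edits the signed manifest to advertise the trojan's hash: signature breaks.
_forged = json.loads(GENUINE_CONFIG)
_forged["manifest"]["sha256"] = hashlib.sha256(TROJAN).hexdigest()
FORGED_CONFIG = json.dumps(_forged)

if __name__ == "__main__":
    print("vulnerable client runs:", vulnerable_update(INSTALLED, ATTACKER_CONFIG, TROJAN))
    print("hardened, genuine release:", hardened_update(INSTALLED, GENUINE_CONFIG, GENUINE)[:10])
    print("hardened, payload swapped:", rejection_reason(hardened_update, INSTALLED, GENUINE_CONFIG, TROJAN))
    print("hardened, manifest forged:", rejection_reason(hardened_update, INSTALLED, FORGED_CONFIG, TROJAN))
```

The point of the hardened path is that the trust anchor lives in the client, not on the server: a compromised VPN server can still serve whatever it likes at the fixed configuration location, but it cannot sign a manifest naming its backdoor, and swapping SangforUD.exe alone fails the hash check. Comparing only the signer name shown in Figure 1 would not have helped either, since that is what the attacker imitated; a real check validates the full certificate chain against a pinned signer.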
Finally, Qihoo 360 located the backdoor program. The attacker designed the backdoor's control method carefully, executing code entirely as shellcode delivered from the cloud. The whole attack process is complex and well concealed.
Figure 3 Backdoor attack process
After the backdoor program starts, it first creates a thread and contacts the remote C&C server to download shellcode for execution.
Figure 4 Pseudo code recovered from the shellcode execution routine
The first-stage shellcode collects the endpoint's IP address, MAC address, system version, process list and other software and hardware information and uploads it to the remote C&C server.
Figure 5 Recovered first-stage shellcode
In the second-stage shellcode, the backdoor installs malicious DLL components that persist on the system by hijacking the printer service. This persistence method abuses an old version of a system white file (a legitimately signed component) as the hijacking vehicle: the attacker modifies the registry, installs the old version of the printer component TPWinPrn.dll, which has a DLL hijacking defect, and uses that defect to load the core backdoor component thinmon.dll.
Figure 6 Recovered malicious DLL component (1)
The core backdoor component thinmon.dll decrypts another encrypted file, sangfor_tmp_1.dat, delivered from the cloud, and starts it in one of three ways: loading it as a module, starting it in a new thread, or injecting it into another process. The decrypted payload then carries out its malicious operations by interacting with the server.
Figure 7 Recovered malicious DLL component (2)
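A triage script for the persistence mechanism described above, as an added example that is not from the report: it parses a registry export of the print-monitor keys, flags any monitor whose driver DLL is outside an assumed clean baseline, and checks a System32 listing for the file names the report associates with this chain. The registry export, the directory listing and the baseline set are constructed for the demonstration; the assumption that the hijacked registration lives under the Print\Monitors key (the port-monitor mechanism) is mine, since the report does not name the key it observed.

```python
"""Added example: triage of print-monitor registrations and System32 contents
for the TPWinPrn.dll / thinmon.dll persistence chain.  Sample data and the
clean baseline are constructed; the Print\Monitors key is an assumption."""
import re
from typing import Dict, List

MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Assumed baseline of port-monitor DLLs on a clean Windows host; build your own
# from a known-good machine of the same build rather than trusting this list.
BASELINE_MONITOR_DLLS = {"localspl.dll", "tcpmon.dll", "usbmon.dll", "wsdmon.dll"}

# File names the report associates with this persistence chain.
REPORT_IOC_FILES = {"tpwinprn.dll", "thinmon.dll", "sangfor_tmp_1.dat"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'reg export' output: key path -> {value name: string}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            # .reg exports double every backslash inside string values
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def port_monitors(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Monitor name -> driver DLL for every subkey of Print\\Monitors with a Driver value."""
    prefix = MONITORS_KEY.lower() + "\\"
    out = {}
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "Driver" in values:
            out[path[len(prefix):]] = values["Driver"]
    return out


def triage(reg_text: str, system32_listing: List[str]) -> List[str]:
    findings = []
    for name, driver in port_monitors(parse_reg_export(reg_text)).items():
        base = driver.rsplit("\\", 1)[-1].lower()
        if base not in BASELINE_MONITOR_DLLS:
            findings.append(f"non-baseline port monitor '{name}' -> {driver}")
        if base in REPORT_IOC_FILES:
            findings.append(f"port monitor '{name}' loads reported IoC {base}")
    for fname in system32_listing:
        if fname.lower() in REPORT_IOC_FILES:
            findings.append(f"reported IoC file present in System32: {fname}")
    return findings


# Constructed sample: two stock monitors plus a registration pointing at the
# old TPWinPrn.dll, with thinmon.dll and the encrypted .dat sitting beside it.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\TPPort]
"Driver"="C:\\Windows\\System32\\TPWinPrn.dll"
"""
SAMPLE_SYSTEM32 = ["localspl.dll", "tcpmon.dll", "TPWinPrn.dll",
                   "thinmon.dll", "sangfor_tmp_1.dat"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32):
        print(finding)
```

On a live host, feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors` and a listing of %SystemRoot%\System32. A hit on TPWinPrn.dll is not conclusive on its own, since the file is a legitimately signed component; what matters is an unexpected monitor registration, an unexpectedly old file version of that component, and thinmon.dll or sangfor_tmp_1.dat sitting beside it.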
At this moment, governments around the world are almost all in a bind because of the COVID-19 pandemic. Reasons may include:
These may all have constituted Darkhotel's (APT-C-06) motives for attacking Chinese government bodies and overseas agencies during the outbreak.
Qihoo 360's report indicates that the attacker completely controlled the VPN servers of the above-mentioned agencies and replaced the key upgrade program on the VPN server with a backdoor. Once a VPN user logs in successfully, the user's device is fully trusted. It can therefore be said that a large number of endpoint devices have been under the attackers' control.
According to Qihoo 360, Chinese agencies in the following countries were attacked:
Imagine it: as the coronavirus pandemic spreads, diplomatic missions, enterprises and institutions have all adopted remote working, and employees in each unit contact headquarters and transfer all sensitive data through the VPN. If the VPN server is compromised at this moment, the consequences are unimaginable.
Attack targets: multiple Chinese institutions abroad
This year, the coronavirus broke out and quickly entered its global phase. After the Chinese government took strict measures to fight the virus, the outbreak has now been brought under control in China, but the pandemic is still ongoing in many countries. China, upholding the principle that the world is a community with a shared future for mankind, has been providing all kinds of support to affected countries, especially neighboring ones, including medical technology, equipment, experience and professional personnel.
From the perspective of the pandemic: Darkhotel attacked many Chinese overseas agencies by breaking through their VPN services. Is it intended to spy on China's medical technology and virus-control measures during the epidemic? Is it possible that, by attacking Chinese overseas agencies, the group's real purpose is to learn the transport routes, quantities and equipment of the quarantine materials China sends to other countries? Or is it aiming to probe further into the epidemic medical data of more countries?
From an economic point of view: another speculation is that the group may want to understand the relationships between China and other countries by analyzing political and economic transaction data and economic mitigation measures, so as to promote its own national economy and balance the interests of various countries after the pandemic.
Attack targets: Beijing, Shanghai and other relevant government units
During the lockdown, major enterprises and institutions have adopted cloud-based working. Various remedial measures, economic decisions, work-resumption notices and corporate data have been issued or returned through VPN services. At this special time, does Darkhotel intend to obtain China's national epidemic data and economic recovery strategy?
Qihoo 360 monitoring found that the following government agencies were attacked:
Analysis of the vulnerability found that the server version of the attacked domestic VPN vendor was XXX. R1. This version was released in 2014; it is very old and contains many security vulnerabilities.
At the same time, for convenience, operations and maintenance staff of the relevant unit had leaked a large amount of sensitive data about the clients they maintained, such as back-end operating system information, source code, usernames and passwords, on publicly accessible work pages. Two lists of the leaked IP addresses follow:
It is precisely because of security vulnerabilities in critical infrastructure and the weak security awareness of the relevant personnel that the VPN servers were hacked.
On April 3, 2020, Qihoo 360 reported the vulnerability to the Sangfor Security Response Center, which confirmed it and assigned the vulnerability number SRC-2020-281.
On April 6, 2020, Sangfor officially released a security bulletin and launched its vulnerability response.
Qihoo 360 recommends the following mitigations:
Qihoo 360 – Threat Intelligence Center
Since 2014, the Qihoo 360 Advanced Threat Intelligence Center has achieved rapid reversing and correlation analysis by integrating massive security big data. It has exclusively discovered more than 40 APT groups and a number of APT operations against China launched by nation-state threat actors using in-the-wild 0-days, greatly enriching domestic research in this field. This research shows that the earliest attack against China dates back to 2007 and that tens of thousands of devices across 31 provinces were affected. APT attacks discovered by Qihoo 360 and by security vendors in other countries both show that China is one of the main victims of APT attacks.