Cyber-espionage campaigns linked to China attacked telecoms via Proxy Logon bugs, stealing call records & maintaining persistence, as far back as 2017.
Threat players linked to China exploited the notorious Microsoft Exchange Proxy Logon vulnerabilities long before they were publicly disclosed, in attacks against telecommunications companies aimed at stealing sensitive customer data & maintaining network persistence, researchers have found.
Researchers from Cybereason have been tracking multiple cyber-espionage campaigns – collectively dubbed “Dead Ringer” – since 2017, reporting initially on findings that a Chinese threat group dubbed ‘Soft Cell’ was targeting billing servers to steal call records from telecoms in Africa, the Middle East, Europe & Asia in 2019.
A report released Tues. builds upon this research, identifying 2 new threat groups – Naikon APT & Group-3390 – that also appear to be working for China’s regime to compromise billing servers to steal telco call records as well as maintain persistent access to their networks through other core components, according to the report.
The report also reveals that Soft Cell targeted a set of Microsoft Exchange vulnerabilities collectively known as Proxy Logon “long before they became publicly known,” researchers wrote. These vulnerabilities spurred a frenzy of attacks earlier this year before Microsoft mitigations & patches began to take effect.
Indeed, threat players used similar tactics to those exposed recently in the Hafnium zero-day attacks – which were recently blamed on China & condemned by the White House – that exploited Proxy Logon vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks, according to the report.
The attacks show an aggressive assault by China on the security of critical infrastructure that – similarly to the SolarWinds & Kaseya attacks – compromise 3rd-party service providers to ultimately attack their customers while undermining those trust relationships & causing other collateral damage, Cybereason CEO & Co-Founder Lior Div stated.
“These state-sponsored espionage operations not only negatively impact the telecoms’ customers & business partners, but they also have the potential to threaten the national security of countries in the region & those who have a vested interest in the region’s stability,” he said in a press statement.
Related Separate Attacks
Specifically, researchers have identified 3 clusters of attacks that show a common agenda but use different tactics as a means to accomplish it. Overall, the attackers are “highly adaptive” & have been successful at obscuring their activity to maintain persistence on victims’ networks, with some having managed to evade detection since 2017, researchers explained.
Dubbed Cluster A, the Soft Cell attacks on telecoms in multiple regions – including Southeast Asia – started in 2018 & continued through the 1st quarter of this year.
These attackers leverage Microsoft Exchange vulnerabilities to install the China Chopper Webshell & gain a foothold using the Pc Share backdoor. Attackers then use various tools to perform reconnaissance, move laterally on the network, & steal credentials & data.
People’s Liberation Army
Naikon APT, a cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region 2nd Technical Reconnaissance Bureau (Military Unit Cover Designator 78020 [PDF]), is behind the Cluster B attacks, researchers observed.
These attacks have been targeting telecom. companies in Southeast Asia since late 2020 & continued through the 1st quarter of 2021.
Researchers still don’t know how Naikon APT initially compromises its targeted networks but have observed the group using the Nebulae backdoor & other tools to perform similar activities to Soft Cell once attackers gain a foothold.
The Cluster C attacks are actually a “mini-cluster” that began in 2017, continued through Q1 2021 & are related to Soft Cell activity, researchers say. However, they also might be the work of Chinese APT Group-3390, given the use of a “unique OWA (Outlook Web Access) backdoor” deployed across multiple Microsoft Exchange & IIS servers in the attacks.
“The backdoor was used to harvest credentials of users logging into Microsoft OWA services, granting the attackers the ability to access the environment stealthily,” researchers wrote.
Researchers’ analysis of the backdoor “shows significant code similarities with a previously documented backdoor observed being used in the operation dubbed Iron Tiger,” which was attributed to Group-3390, they added.
Overall, overlaps throughout the 3 clusters “are evidence of a likely connection between the threat actors” indicating that “each group was tasked with parallel objectives in monitoring the communications of specific high-value targets” by central command “aligned with Chinese state interests,” researchers concluded.