A North Korean hacking group has just been accused of a very clever campaign against global Chinese government interests
A series of attacks exploiting a zero-day vulnerability in products from the Chinese VPN vendor Sangfor has been attributed to the DarkHotel APT by Chinese security researchers.
Researchers from Qihoo 360 claim that over 200 Sangfor SSL VPN servers were compromised in the campaign, which began in March 2020 and affected Chinese government agencies in the UK, Italy and elsewhere around the world.
The researchers claim the campaign was timed to exploit the increased reliance on remote working caused by the Covid-19 pandemic, targeting users of a VPN product that is deployed by a number of Chinese government agencies.
According to the report, the zero-day vulnerability lies in an automatic update routine that runs when the VPN client begins connecting to the server. The client retrieves an update configuration file from a fixed location on the VPN server it is connecting to and, based on that file, downloads an updater program called SangforUD.exe.
“The client compares the version of the update program without doing any other security checks. This leaves a security flaw that the hackers can tamper with the update configuration file and replace the update program after hacking the VPN server. Then, the hackers can allocate a backdoor to the user devices without obstacle,” the report commented.
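To make the flaw concrete, the following is an added illustration (not Sangfor's code and not from the Qihoo 360 report) of the two client behaviours in question: an updater that trusts a server-hosted config file after only a version comparison, beside one that requires the config to be signed with a key pinned in the client and the downloaded binary to match the digest that signed config names. The config format, file paths, version strings and payload bytes are all constructed for the demonstration; the signature is an HMAC with a key embedded in the client purely so the example runs with the standard library, whereas a real updater would verify an asymmetric signature and pin only the public key.

```python
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """Raised when the hardened client refuses an update."""


INSTALLED_VERSION = "7.6.1"                       # assumed client version
# Stand-in for a vendor public key pinned in the client binary (assumption:
# a real client pins an asymmetric public key, never a shared secret).
PINNED_UPDATE_KEY = b"vendor-update-signing-key"


def _vtuple(version):
    return tuple(int(x) for x in version.split("."))


def _signed_body(cfg):
    # Canonical bytes covered by the signature: version, URL and binary digest.
    return json.dumps({k: cfg[k] for k in ("version", "url", "sha256")},
                      sort_keys=True).encode()


def sign_config(version, url, binary):
    """Vendor side: publish a config binding version, URL and binary digest."""
    cfg = {"version": version, "url": url,
           "sha256": hashlib.sha256(binary).hexdigest()}
    cfg["sig"] = hmac.new(PINNED_UPDATE_KEY, _signed_body(cfg),
                          hashlib.sha256).hexdigest()
    return json.dumps(cfg)


def vulnerable_update(config_json, fetch):
    """Flawed client: the only check is 'is the advertised version newer?'."""
    cfg = json.loads(config_json)
    if _vtuple(cfg["version"]) <= _vtuple(INSTALLED_VERSION):
        return None
    return fetch(cfg["url"])   # these bytes would then be executed as the updater


def hardened_update(config_json, fetch):
    """Hardened client: verify the config signature first, then pin the digest."""
    cfg = json.loads(config_json)
    expected = hmac.new(PINNED_UPDATE_KEY, _signed_body(cfg),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cfg.get("sig", "")):
        raise UpdateRejected("update config is not signed by the vendor key")
    if _vtuple(cfg["version"]) <= _vtuple(INSTALLED_VERSION):
        return None            # also blocks replay of an older signed config
    blob = fetch(cfg["url"])
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), cfg["sha256"]):
        raise UpdateRejected("downloaded binary does not match the signed digest")
    return blob


def _rejected(fn, *args):
    try:
        fn(*args)
    except UpdateRejected:
        return True
    return False


def simulate():
    """Constructed scenario: the attacker controls files on the VPN server."""
    legit = b"MZ...genuine updater..."       # constructed placeholder bytes
    backdoor = b"MZ...trojanised updater..."  # constructed placeholder bytes
    server_files = {"/update/SangforUD.exe": legit}

    def fetch(path):                          # 'download' from the VPN server
        return server_files[path]

    results = {}
    good_cfg = sign_config("7.6.2", "/update/SangforUD.exe", legit)
    results["hardened_accepts_legit"] = hardened_update(good_cfg, fetch) == legit

    # Attack 1 (the reported technique): bump the version in the config file
    # and swap the binary. The attacker cannot recompute 'sig'.
    server_files["/update/SangforUD.exe"] = backdoor
    tampered = json.loads(good_cfg)
    tampered["version"] = "9.9.9"
    tampered_cfg = json.dumps(tampered)
    results["vulnerable_accepts_backdoor"] = (
        vulnerable_update(tampered_cfg, fetch) == backdoor)
    results["hardened_rejects_tampered_config"] = _rejected(
        hardened_update, tampered_cfg, fetch)

    # Attack 2: leave the genuine signed config in place, only swap the binary.
    results["hardened_rejects_swapped_binary"] = _rejected(
        hardened_update, good_cfg, fetch)
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {ok}")
```

The order of checks matters: the signature is verified over the config before the version field is even consulted, so a server-side attacker who can rewrite the file gains nothing from inflating the version, and the digest in the signed config ties the downloaded binary to what the vendor actually released. Neither check depends on the VPN server being trustworthy, which is the point, since in this campaign the server is the compromised component.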
The report further noted that the “server version of the attacked domestic VPN vendor was XXX. R1. This 2014 version is very old and contains a lot of security vulnerabilities.”
VPNs have become a popular target recently, explained Javvad Malik, security awareness advocate at KnowBe4.
“In recent months, there have been a number of flaws reported in VPN providers. It was also revealed that some nation-state actors were actively seeking such vulnerable VPNs in order to gain a foothold into organisations. It’s an ironic twist whereby a security tool itself is leveraged by the criminals to gain access into an organisation. Fortunately patches for these vulnerabilities exist, and with more staff working remotely these days and therefore using the VPN, patching these systems and ensuring the security of corporate data should be of utmost importance.”
The DarkHotel group was first identified in 2014 by Kaspersky researchers and became notorious for targeting diplomats via Wi-Fi networks at luxury hotels, as well as for its use of an array of zero-day exploits. Other campaigns linked to the group have targeted China, North Korea, Japan and the US.
“If we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings,” observed Richard Bejtlich, principal security strategist at Corelight.
North Korean strategy unknown
“First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval to the DPRK. Third, a combined approach that integrates server-side and client-side techniques, at the scale indicated by Qihoo, is a sign that the DPRK has improved its offensive asset management capabilities.”
The report also suggests that the Chinese government is not prepared to tolerate this.
Kaspersky security researcher Brian Bartholomew issued a stark tweet on the report.
“This write-up is full of speculation, no evidence this was actually DarkHotel, and a ton of confirmation bias about targeting because of Covid. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims.”
Matt Walmsley, EMEA Director at Vectra, surmised that British firms might expect less of an impact from this particular campaign, but that lessons could still be learned.
“Exploiting VPN equipment vulnerabilities is nothing new, although using the equipment VPN client update service is a somewhat interesting propagation method. That this is centred on a Chinese vendor’s equipment and PRC targets is more unusual, and so will likely mean it has lesser impact to UK organisations,” he said.
“More than ever, organisations need visibility into their remote users’ VPN connections and behaviours in order to answer questions such as, ‘How many of my remote employees may have been logged in on multiple devices?’ ‘Are those devices corporately managed?’ ‘Where is the risk of credential sharing?’.”
By gaining this visibility, organisations can understand their exposure, and take steps to manage risk, such as automating the detection and response to attacker behaviour and privilege abuse, he explained.
“Keeping your VPN equipment’s software patching up to date is critical too!”
Bad State Actors
Now more than ever, these appear to be very dangerous times, when even ‘bad state actors’ are prepared to hack one another and risk massive retaliation.