Original Post from Security Affairs
Author: Pierluigi Paganini
DarkHotel nation-state actor is exploiting a VPN zero-day to breach Chinese government agencies in Beijing and Shanghai
Chinese security firm Qihoo 360 has uncovered a hacking campaign conducted by
The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014. According to the researchers, the APT group has been around for nearly a decade, targeting selected corporate executives traveling abroad.
Threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they were staying in luxury hotels. They appeared to be highly skilled professionals who exfiltrated data of interest with surgical precision and deleted any trace of their activity.
Since March, more than 200 VPN servers have been compromised by hackers, including 174 systems belonging to Chinese institutions abroad.
Experts observed Coronavirus-themed attacks launched by the group since March.
The coronavirus outbreak forced many individuals worldwide to work from home, including employees at state enterprises and institutions.
In this scenario, VPNs are widely adopted, and it is not surprising that threat actors attempted to exploit vulnerabilities in VPN servers.
“Recently, Qihoo 360 captured malicious samples issued through hijacked security services of a domestic VPN vendor
Once the attackers had breached the target Sangfor VPN server by exploiting a zero-day vulnerability, they replaced the SangforUD.exe program with a backdoored version that is hard to distinguish from the legitimate one.
The SangforUD.exe executable is an update for the Sangfor VPN desktop app.
“The vulnerability exists in an update that is triggered automatically when the VPN client starts to connect to the server. The client will obtain
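The update flow described above is the security-relevant point: a client that trusts whatever the VPN server hands it, including any server-supplied manifest, will run a backdoored SangforUD.exe once the server itself is compromised. The following is an added illustration, not code from Qihoo 360 or Sangfor; the "binaries" are constructed byte strings and the pinned release hash is an assumed out-of-band trust anchor baked into the client.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the genuine and backdoored SangforUD.exe bytes.
GENUINE_UPDATE = b"MZ\x90\x00 genuine SangforUD.exe (constructed sample)"
BACKDOORED_UPDATE = b"MZ\x90\x00 backdoored SangforUD.exe (constructed sample)"

# Assumption: the vendor publishes the release digest out-of-band and the
# client pins it at build time (in practice this would be a signing key).
PINNED_UPDATE_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


@dataclass
class VpnServer:
    """The server the client connects to. When compromised, it serves the
    backdoored binary AND a manifest hash that matches it."""
    compromised: bool

    def serve_update(self):
        blob = BACKDOORED_UPDATE if self.compromised else GENUINE_UPDATE
        return blob, hashlib.sha256(blob).hexdigest()  # attacker controls both


def vulnerable_client_update(server: VpnServer) -> str:
    """Checks the binary only against the manifest the same server supplied."""
    blob, manifest_hash = server.serve_update()
    if hashlib.sha256(blob).hexdigest() == manifest_hash:
        return "executed"
    return "rejected"


def hardened_client_update(server: VpnServer) -> str:
    """Checks the binary against a trust anchor the server cannot influence."""
    blob, _ = server.serve_update()
    if hmac.compare_digest(hashlib.sha256(blob).hexdigest(), PINNED_UPDATE_SHA256):
        return "executed"
    return "rejected"


def find_tampered_endpoints(endpoint_files: dict) -> list:
    """Hunting helper: return hostnames whose SangforUD.exe differs from the pinned release."""
    return sorted(
        host for host, data in endpoint_files.items()
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), PINNED_UPDATE_SHA256)
    )


if __name__ == "__main__":
    for compromised in (False, True):
        srv = VpnServer(compromised)
        print(compromised, vulnerable_client_update(srv), hardened_client_update(srv))
```

The takeaway is that a manifest or checksum fetched from the same compromised server adds nothing; only a trust anchor established independently of that server (pinned digest or signature key) lets the client reject the swapped binary.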
According to Qihoo 360, the attacks are very sophisticated and concealed.
The security firm reported the zero-day vulnerability to Sangfor on April 3; the vendor confirmed that Sangfor VPN servers running firmware versions M6.3R1 and M6.1 are vulnerable.
Sangfor plans to release a security patch by tomorrow.
DarkHotel appears to be very active in this period; experts reported that the group used other zero-day exploits in recently disclosed attacks.
The group exploited two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.
Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report containing technical details on attacks exploiting both flaws and aimed at Japanese entities.
Two weeks ago, Reuters reported an attack against the World Health Organization and attributed it to the DarkHotel APT group.
The post DarkHotel APT uses VPN zero-day in attacks on Chinese government agencies appeared first on Security Affairs.