Posted on April 6, 2020 at 3:08 PM
Chinese Government Agencies Attacked by DarkHotel Using VPN Zero-Day
A huge hacking operation has been uncovered as Chinese government agencies and their employees were attacked by foreign state-sponsored hackers, known as DarkHotel.
According to Qihoo, the Chinese security company that uncovered the infiltrations, the hackers began their operation last month, and it could be linked with the current COVID-19 pandemic.
The hackers utilized the zero-day vulnerability Sangfor VPN server to gain remote access to government and enterprise networks.
About 200 VPN servers infected
Qihoo reported that it found out that the hackers have infiltrated about 200 VPN servers in the campaign. Out of the number, 174 of them are servers from government agencies in Shanghai and Beijing, as well as the servers of Chinese diplomatic missions based abroad.
The affected servers from Chinese diplomatic missions abroad are from Israel, Armenia, UAE, Thailand, Indonesia, Pakistan, Ethiopia, Iran, Turkey, the United Kingdom, and Italy. Others include India, Saudi Arabia, Afghanistan, Tajikistan, and Vietnam.
Nature of attack pattern
Qihoo published a report today, stating that the attack pattern was very clever and sophisticated, indicating that it could have been carried out by government-sponsored actors.
Hackers utilized the zero-day to gain access to Sangfor VPN servers, where the filename SangforUD.exe was replaced with the boobytrapped version.
The file provides updates for the desktop app of Sangfor VPN, which are installed by employees when they are connecting to Sangfor servers and subsequently to their work stations.
According to the researchers, when the employees connect to the infiltrated Sangfor VPN servers, they are given automatic updates to the desktop client. However, in actual sense, they will be receiving the boobytrapped Sangfor.exe file, which subsequently installs a backdoor Trojan on their systems.
Qihoo noted that during its observation, the research team was able to connect the hacking syndicate to the DarkHotel group. From what is known about the hacking group, it operates around the Korean peninsula, but it’s not known whether they are operating from South or North Korea.
DarkHotel has been operating since 2007 and is known as one of the most sophisticated government-backed hacking syndicate.
Google published a report about the group last month. In the report, Google said the hacking syndicate used an enormous amount of zero-day vulnerabilities last year, which is higher than other government-sponsored operations. It seems the group has continued where it stopped last year.
“We are only a few months into the year, but there are already 3 zero-day attacks from DarkHotel, with Sangfor VPN zero-day being the third,” said Qihoo.
The syndicate has also utilized zero-days for the internet explorer and Firefox browsers to attack government institutions in Japan and China.
Qihoo pointed out that the attack on Chinese government agencies may be linked with the recent COVID-19 pandemic. According to the security firm, DarkHotel may be looking for information regarding the strategic plans the Chinese government implemented to handle the outbreak.
DarkHotel’s attack on Chinese government agencies is in line with the group’s recent operation on the World Health Organization (WHO). Two weeks ago, the group struck WHO, the international organization that coordinates the global responsibility for the pandemic.
Patches for the vulnerability are available
Qihoo reiterated that after discovering the attack, it contacted Sangfor on April 3 with details of the attack. Although Sangfor refused to comment on the attacks, it published a report, stating that the only vulnerable servers are the Sangfor servers running firmware versions M6.1 and M6.3R1. The statement revealed that other servers are clean and are not affected by the zero-day used by DarkHotel.
Sangfor revealed that it will have all the patches for the vulnerability ready by tomorrow. Today, the patches for the SSL VPN server will be ready, while other older versions will be available tomorrow.
Furthermore, the company wants to release a script that will delete files installed by DarkHotel. It also plans to release another script to find out whether other VPN servers have been infiltrated by hackers.
