Hackers Target Chinese Government Agencies Via VPNs: ReportZero-Day Vulnerabilities in VPN Servers Exploited, Quihoo 360 Reports
Hackers are targeting Chinese government agencies and their employees by taking advantage of zero-day vulnerabilities in VPN servers to plant backdoors and other malware, researchers at the Chinese security firm Qihoo 360 report.
See Also: The Anatomy of the Solarwinds Attack
This ongoing campaign appears to have started in March, the researchers say. The hackers are probing for security weaknesses as government workers in China work remotely and rely on VPNs during the COVID-19 pandemic, they say.
The hackers are exploiting a zero-day vulnerability in Sangfor SSL VPN servers, according to the researchers’ report. The attackers then attempt to plant a backdoor on devices belonging to government workers, the report notes.
The researchers have found that, so far, the hackers have targeted about 200 Sangfor SSL VPN servers. Some of the vulnerable servers are located in Chinese government agencies within the country, but the campaign has also targeted China's diplomatic missions abroad, the report says.
The Qihoo 360 researchers speculate that the hackers may be trying to gain insight into China's response to the COVID-19 pandemic.
"Is it also possible that, by attacking Chinese overseas agencies, the group's real purpose is to grasp the supply transport routes, quantity and equipment of the quarantine materials that China sends to other countries around the world" the report notes.
The Qihoo 360 report does not describe the zero-day exploit that the hackers are using. But it notes that this flaw allows the attackers to replace a specific file within the Sangfor SSL VPN servers - called SangforUD.exe - with a similar file that they control.
The legitimate file is used as part of the update process for devices using the Sangfor SSL VPN. As part of this hacking campaign, however, when employees attempt to log into a VPN controlled by the hackers, it prompts them for an update. During the process, the false SangforUD.exe file is installed, which then downloads a backdoor onto the infected device, according to the report.
"The attacker imitated the signature of legitimate program to disguise the backdoor and it is hard for a common user to distinguish," the report notes.
The backdoor then communicates with a command-and-control server and begins uploading information about the devices, including the hardware and software it uses, the researchers say.
APT Group Involved?
The Qihoo 360 researchers note that they believe these attacks are the work of an advanced persistent threat group called DarkHotel, which has been active since at least 2007 (see: Microsoft Warns of Zero-Day Internet Explorer Exploits). DarkHotel has been tied to cyberespionage campaigns that have targeted corporate executives, government agencies, defense industry suppliers, technology firms and others in East Asian countries, according to security researchers.
In March, the World Health Organization was allegedly targeted by the DarkHotel group, although that hacking attempt was believed to be unsuccessful, Reuters reports (see: Hackers Targeted World Health Organization).
On Twitter, Brian Bartholomew, a researcher with the security firm Kaspersky, contends that the Qihoo 360 report lacks enough evidence to tie these attacks in China to any one group.
I’m going to be a bit blunt here. This write up is full of speculation, no evidence this was actually DatkHotel, and a ton of confirmation bias about targeting because of Covid. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims https://t.co/2K1ajklUwp— Brian Bartholomew (@Mao_Ware) April 6, 2020