Researchers have uncovered a worldwide campaign targeting businesses using the recently-disclosed ZeroLogon vulnerability.
The active cyberattack is thought to be the handiwork of Cicada, also tracked as APT10, Stone Panda, and Cloud Hopper.
Historically, the threat group — first discovered in 2009 and one that the US believes may be sponsored by the Chinese government — has targeted organizations connected to Japan, and this latest attack wave appears to be no different.
Symantec researchers have documented companies and their subsidiaries in 17 regions, involved in automotive, pharmaceutical, engineering, and the managed service provider (MSP) industry, which have been recently targeted by Cicada.
According to the company, Cicada’s latest attack wave has been active since mid-October in 2019 and has continued up to at least October this year.
Cicada appears to be well-resourced and uses a variety of tools and techniques. This includes DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting provider for the download, packaging, and exfiltration of stolen information.
Of particular note is a recent addition to the hacking group’s toolkit; a tool able to exploit ZeroLogon. Tracked as CVE-2020-1472, issued a CVSS score of 10, and both disclosed and patched by Microsoft in August, the vulnerability can be used to spoof domain controller accounts and hijack domains, as well as compromise Active Directory identity services.
Cicada has also launched Backdoor.Hartip, a custom form of malware not before seen in connection to the APT, against its targets.
It appears that the group is focused on the theft of information and cyberespionage. Data of interest — including corporate records, HR documents, meeting memos, and expense information — is often packaged up and whisked away to Cicada’s command-and-control (C2) servers.
“The amount of time the attackers spent on the networks of victims varied, with the attackers spending a significant amount of time on the networks of some victims, while spending just days on other victim networks,” the researchers say. “In some cases, too, the attackers spent some time on a network but then the activity would cease, but start again some months later.”
The campaign has been assessed with “medium” confidence to Cicada due to clues in how code is obfuscated; the use of DLL side-loading and DLL names including “FuckYouAnti,” which has been previously documented in a Cylance report on the same APT. In addition, the final payload combines QuasarRAT, used in the past by Cicada, as well as Backdoor.Hartip.
“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec says. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0