Chinese APT10 hackers use Zerologon exploits against Japanese orgs

A Chinese state-sponsored hacking group has been observed while attempting to exploit the Windows Zerologon vulnerability in attacks against Japanese companies and subsidiaries from multiple industry sectors in 17 regions around the globe.

This global cyber-espionage campaign has been attributed to the APT10 state-backed hackers based on information collected by Symantec’s Threat Hunter Team, the Broadcom division that tracked the attacks.

The attacks were discovered by Symantec researchers after the detection of suspicious DLL side-loading activity on a customer’s network.

“The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada,” Symantec said.

Campaign victims

The APT10 hackers have been running this campaign for roughly an entire year, from at least mid-October 2019 to the start of October 2020.

In some cases, the APT10 actors remained active and undetected in their victims’ networks for almost an entire year showing that they have the tools and sophistication to effectively hide their malicious activity.

“The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together,” Symantec explained.

While the map embedded below shows that APT10’s attacks also targeted firms within China’s borders, the company was a subsidiary of a Japanese firm just as many of the other targets in this campaign.

Among the info used to attribute the attacks, Symantec’s researchers also mention custom loaders used to deliver malicious payloads on all of the targets’ networks.

They were also seen using similar obfuscation techniques, living-off-the-land tools, and QuasarRAT final payloads (a backdoor commonly used by APT10), as well as coordinated targeting of multiple organizations at the same time.

APT10 attackers were also observed using Zerologon exploits to steal domain credentials and take full control over the entire domain following successful exploitation of vulnerable devices.

This vulnerability was also actively exploited in attacks by Iranian-backed MuddyWater hacking group (aka SeedWorm and MERCURY) starting with the second half of September and by the financially-motivated TA505 (Chimborazo) threat group.

The time spent by the threat actors within compromised networks varied greatly, from a few days to almost an entire year, with activity picking up again after months of complete silence in some cases.

Chinese hackers targeting the Five Eyes

APT10 (also known as Menupass, Stone Panda, Cloud Hopper) has been active since at least 2009 and has historically targeted government organizations and private companies from the United States, Europe, and Japan.

They are known for focusing on stealing military, intelligence, and business information from compromised targets and for frequently focusing their attacks on Japanese entities.

The U.S. Government indicted two APT10 hackers in December 2018, showing that the group successfully compromised NASA’s Jet Propulsion Laboratory, U.S. Government agencies, managed service providers (MSPs) — including IBM and Hewlett Packard Enterprise.

APT1 hackers also breached the U.S. Department of the Navy systems to steal confidential info of over 100,000 individuals.

Following this indictment, all countries in the Five Eyes Intelligence Alliance (the U.S., Canada, the U.K., New Zealand, and Australia) issued statements attributing intellectual property and sensitive commercial data theft to the Chinese APT group.

Takeshi Osuga, Japan’s Foreign Ministry press secretary, also said that “Japan has identified continuous attacks by the group known as APT10 to various domestic targets … and expresses resolute condemnation of such attack.”

Japanese firms are also valuable ransomware targets

At least 11 Japanese companies fell victim to ransomware attacks between June and October 2020 according to a report published today by Israeli cybersecurity intelligence firm, KELA.

“The affected companies are from manufacturing, construction and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue,” KELA said.

Since June 2020, several other Japanese organizations also had their networks compromised, including but not limited to corporations, universities, and an undisclosed Japanese ministry. This access could very easily be used by ransomware gang affiliates to deliver payloads and encrypt systems.

To make matters even worse and to show the risks Japanese orgs from all sectors are facing, KELA also found data belonging to Japanese corporations, government, and educational entities either actively being shared on the dark web or at a high demand.

“More and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks,” as KELA concludes.

NOTE:: This article is copyright by and we are using it for educational or Information purpose only

The Best  Vulnerable Scanning Solution for 2020 – 2021