DarkHotel hackers use VPN zero-day to breach Chinese government agencies

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,174
Content source
https://www.zdnet.com/article/darkhotel-hackers-use-vpn-zero-day-to-compromise-chinese-government-agencies/
Foreign state-sponsored hackers have launched a massive hacking operation aimed at Chinese government agencies and their employees.

Attacks began last month, in March, and are believed to be related to the current coronavirus (COVID-19) outbreak.

Chinese security-firm Qihoo 360, which detected the intrusions, said the hackers used a zero-day vulnerability in Sangfor SSL VPN servers, used to provide remote access to enterprise and government networks.

Qihoo said it discovered more than 200 VPN servers that have been hacked in this campaign. The security firm said that 174 of these servers were located on the networks of government agencies in Beijing and Shanghai, and the networks of Chinese diplomatic missions operating abroad, in countries such as:

Italy, United Kingdom, Pakistan, Kyrgyzstan, Indonesia, Thailand, UAE, Armenia, North Korea, Israel, Vietnam, Turkey, Malaysia, Iran, Ethiopia, Tajikistan, Afghanistan, Saudi Arabia, India.
Click to expand...
In a report published today, Qihoo researchers said the entire attack chain was sophisticated and very clever. Hackers used the zero-day to gain control over Sangfor VPN servers, where they replaced a file named SangforUD.exe with a boobytrapped version.

This file is an update for the Sangfor VPN desktop app, which employees install on their computers to connect to Sangfor VPN servers (and inherently to their work networks).

Qihoo researchers said that when workers connected to hacked Sangfor VPN servers, they were provided with an automatic update for their desktop client, but received the boobytrapped SangforUD.exe file, which later installed a backdoor trojan on their devices.

The Chinese security firm said it tracked the attacks to a hacker group known as DarkHotel. The group is believed to operate out of the Korean peninsula, although it is yet unknown if they are based in North or South Korea.
Click to expand...
 
  • Like
  • +Reputation
Reactions: Protomartyr, SeriousHoax, stefanos and 7 others
Antus67

Antus67

Level 9
Verified
Well-known
Nov 3, 2019
413
The DarkHotel hacking group has reportedly struck again

1586211904154.png


As governments around the world continue to deal with the coronavirus pandemic, a hacking group with potential ties to South Korea has launched an espionage campaign against the Chinese government.

The DarkHotel advanced persistent threat group has compromised over 200 VPN servers in order to infiltrate a number of Chinese institutions and government agencies, according to a new report from Qihoo 360.

In one case, the hacking group exploited a previously unknown vulnerability in the enterprise VPN software Sangfor SSL and then installed malicious software onto victim's machines in order to collect user data


The timing of the attack also coincided with new instructions from the Chinese government which urged citizens to work from home in order to help stop the coronavirus' spread.

arkHotel hacking group
While Qihoo 360 believes that the DarkHotel hacking group was behind this latest series of attacks, other security researchers aren't so sure. In a post on Twitter, principal security researcher at Kaspersky, Brian Bartholomew argued that the Beijing-based security firm did not provide the necessary evidence to tie DarkHotel to these attacks, saying:

“I’m going to be a bit blunt here. This write up is full of speculation, no evidence this was actually DatkHotel, and a ton of confirmation bias about targeting because of Covid. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims.”


VPN services are helping to keep remote workers all over the world secure as they work from home during the coronavirus pandemic which is why we've seen an increased number of attacks targeting them. In its report, Qihoo 360 explained that VPNs are vital to Chinese businesses during this trying time, saying:


“Imagine it, with the spreads of the coronavirus pandemic, Chinese enterprises and institutions abroad have all adopted the remote working mode and employees in each unit will establish contact with the headquarters and transfer all sensitive data through the VPN. If the VPN server is compromised at this moment, the consequences will be unimaginable.”

Whether or not DarkHotel is behind this latest series of attacks still remains to be proven but hopefully other security researchers will now begin to look into the matter to see if Qihoo 360's claims are true.
 
  • Like
Reactions: Gandalf_The_Grey, Stopspying, harlan4096 and 2 others
You must log in or register to reply here.

Similar threads

vtqhtr413
    • Wow
    • +Reputation
    • Like
Security News Chinese 'Earth Krahang' hackers breach 70 orgs in 23 countries
Replies
0
Views
815
Security News
vtqhtr413
vtqhtr413
vtqhtr413
    • Like
Zero Trust Implementation for Government Agencies
Replies
0
Views
947
News Archive
vtqhtr413
vtqhtr413
MuzzMelbourne
    • Like
    • +Reputation
    • Applause
Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX
Replies
11
Views
1,653
News Archive
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top