A persistent, large-scale campaign of cyberattacks has been identified targeting organizations with connections to Japan.
Symantec researchers have uncovered the campaign, which uses the recently discovered ZeroLogon vulnerability, connecting it to exploits against companies based in the industrial, automotive, pharmaceutical and engineering sectors.
The latest wave of attacks has been ongoing since at least the middle of October 2019, only concluding last month. The companies targeted are all well-known entities, many with ties to Japan, which fits the modus operandi of this group. APT10 has been known to target Japanese firms during previous attack campaigns.
- Here's our roundup of the best endpoint protection tools
- Check out the best DDoS protection solutions
- Also, here's our list of the best antivirus software available
“The scale and sophistication of this attack campaign indicates that it is the work of a large and well-resourced group, with Symantec, a division of Broadcom, discovering enough evidence to attribute it to Cicada (aka APT10, Stone Panda, Cloud Hopper),” the Symantec Threat Hunter team explained. “Cicada has been involved in espionage-type operations since 2009, and US government officials have linked the activities of APT10, which we track as Cicada, to the Chinese government.”
A range of tactics
Symantec found that the AP10 group employed a range of tools in the campaign, including network reconnaissance, credential theft, PowerShell scripts and RAR archiving. DLL side-loading was also used to inject a form of custom malware, dubbed ‘Backdoor.Hartip’.
Notably, APT10 was also found to be targeting the ZeroLogon vulnerability. Although a patch was issued for this security flaw back in August, vulnerable devices remain at risk. Previously, the bug has been used by attackers to spoof domain controller accounts, steal domain credentials and compromise all Active Directory identity services.
It appears that the attackers’ main aim was the theft of information. Japanese organizations, in particular, should remain vigilant, particularly as ATP10 clearly has substantial resources at its disposal to carry out further attacks.
- We've also highlighted the best malware removal services