A persistent, large-scale campaign of cyberattacks (opens in new tab) has been identified targeting organizations with connections to Japan.
Symantec researchers have uncovered the campaign, which uses the recently discovered ZeroLogon (opens in new tab) vulnerability, connecting it to exploits against companies based in the industrial, automotive, pharmaceutical and engineering sectors.
The latest wave of attacks has been ongoing since at least the middle of October 2019, only concluding last month. The companies targeted are all well-known entities, many with ties to Japan, which fits the modus operandi of this group. APT10 has been known to target Japanese firms during previous attack campaigns.
- Here's our roundup of the best endpoint protection tools (opens in new tab)
- Check out the best DDoS protection solutions (opens in new tab)
- Also, here's our list of the best antivirus software (opens in new tab) available
“The scale and sophistication of this attack campaign indicates that it is the work of a large and well-resourced group, with Symantec, a division of Broadcom, discovering enough evidence to attribute it to Cicada (aka APT10, Stone Panda, Cloud Hopper),” the Symantec Threat Hunter team explained (opens in new tab). “Cicada has been involved in espionage-type operations since 2009, and US government officials have linked the activities of APT10, which we track as Cicada, to the Chinese government.”
A range of tactics
Symantec found that the AP10 group employed a range of tools in the campaign, including network reconnaissance, credential theft, PowerShell scripts and RAR archiving. DLL side-loading was also used to inject a form of custom malware, dubbed ‘Backdoor.Hartip’.
Notably, APT10 was also found to be targeting the ZeroLogon vulnerability. Although a patch was issued for this security flaw back in August, vulnerable devices remain at risk. Previously, the bug has been used by attackers to spoof domain controller accounts, steal domain credentials and compromise all Active Directory identity services.
It appears that the attackers’ main aim was the theft of information. Japanese organizations, in particular, should remain vigilant, particularly as ATP10 clearly has substantial resources at its disposal to carry out further attacks.
- We've also highlighted the best malware removal services (opens in new tab)
Via ZDNet (opens in new tab)