Source: Araki Illustrations via Alamy Stock Photo
Chinese hackers almost breached critical European supply chain companies by disguising their malicious activities behind native Microsoft technologies.
It happened during a three-week period, from late June to July, according to researchers from SentinelLabs. A threat actor tied to China's diverse and thriving cyberattack scene targeted large business-to-business (B2B) IT service providers throughout southern Europe, such as cybersecurity vendors and data and infrastructure solutions providers, with the presumed goal of downstream supply chain espionage.
To penetrate these IT vendors — and, presumably, the many clients across the continent to which they enjoy privileged access — the attackers masked their malicious activity behind everyday business tools like Visual Studio Code and Microsoft Azure. And to confuse attribution, they used the same tactics, techniques, procedures (TTPs), and tooling observed across a number of other known Chinese threat actors.
Malware via Microsoft
Infections in the campaign, which researchers dubbed "Operation Digital Eye," began with SQL injections against vulnerable, Internet-facing Web and database servers. Then the attackers dropped PHP Web shells, using filenames specially tailored to the target's environment in order to avoid raising any suspicion. Reconnaissance, lateral movement, and credentials theft followed.
The highlight of the attacks, though, came innocuously packaged as "code.exe." Digitally signed by Microsoft and run as a service using the Windows Service Wrapper, the attackers brought to each of their victims their own portable copy of the Visual Studio Code (VS Code). VS Code is a free, open source editor developed by Microsoft, by far the most popular integrated development environment (IDE) among both new and seasoned developers.
VS Code has also become a proven weapon of Chinese threat actors as of late, thanks to its Remote Tunnels feature. Remote Tunnels is designed to allow developers to access and work on code on remote machines. In a different light, though, it's a perfect malicious payload, enabling command execution and file editing on remote systems in the context of a seemingly innocuous Microsoft program. The attackers behind Operation Digital Eye intended to use VS Code to maintain persistent backdoor access to victims, using innocuous file and service names and storing it in the Temp folder to further blend in with victims' normal business operations.
Tunneling with VS Code isn't quite as simple as loading malware onto a victim's machine, though — it requires a GitHub account and connection with an Azure server. Researchers aren't sure whether the attackers used stolen GitHub and Azure credentials, or registered their own accounts.
What is clear is that they turned this potential roadblock into an advantage, leveraging public cloud infrastructure in Western Europe to make their otherwise suspicious traffic look more legitimate, and more likely to evade notice by security tools. VS Code and Azure network traffic tends to avoid close scrutiny, the researchers noted, and are commonly allowed by application controls and firewall rules. "Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit," they wrote.
The Trouble in Attributing Chinese Attackers
The actual malware used in Operation Digital Eye did less to clarify than to confuse who, exactly, was behind the attacks.
The most notable tool in the mix, "bK2o.exe," is a modified version of the open source credential stealing tool Mimikatz, designed for pass-the-hash attacks. Its aim is to snag a New Technology LAN Manager (NTLM) hash, in lieu of the targeted user's actual password, to enable the further execution of processes within the user's security context.
BK2o.exe is just one among many Mimikatz variants deployed by several Chinese advanced persistent threats (APTs). Related variants have been observed in Operations Soft Cell and Tainted Love, associated with groups like APT41 and APT10. Researchers from SentinelLabs concluded that there is likely a shared vendor supplying many groups at once, as evidenced by the recent case of iSoon. "This function within the Chinese APT ecosystem likely plays a key role in facilitating China-nexus cyber-espionage operations," SentinelLabs noted.