Qihoo 360 experts talked about a large-scale hacker operation aimed at Chinese government agencies and their employees. The attacks began last month and, according to the researchers, are linked to the coronavirus pandemic.
According to the experts, the hackers exploit a zero-day vulnerability in Sangfor SSL VPN servers, which are used to provide remote access to corporate and government networks. Only Sangfor VPN servers running firmware versions M6.3R1 and M6.1 are vulnerable.
In total, Qihoo 360 detected more than 200 hacked VPN servers, 174 of which were located in the networks of government agencies in Beijing and Shanghai, as well as in the networks of Chinese diplomatic missions operating abroad, in countries such as Italy, the UK, Pakistan, Kyrgyzstan, Indonesia, Thailand, the United Arab Emirates, Armenia, North Korea, Israel, Vietnam, Turkey, Malaysia, Iran, Ethiopia, Tajikistan, Afghanistan, Saudi Arabia and India.
Researchers call this campaign sophisticated and highly intelligent. The attackers used a 0-day vulnerability to take control of Sangfor VPN servers, where they then replaced the SangforUD.exe file with a malicious version. This file is an update to the Sangfor VPN desktop application, which employees install on their computers to connect to Sangfor VPN servers and, effectively, to their work networks.
When users connected to the hacked Sangfor VPN servers, they were prompted to install an automatic update for the client, but instead received a malicious SangforUD.exe file, which then installed a backdoor on their devices.
According to analysts, the Korean hacking group DarkHotel, which has existed since at least 2007, is behind this campaign. Let me remind you that information security experts associate this group with, in particular, the Dark Seoul malware, which in turn is associated with the notorious Operation Blockbuster: a large-scale attack on Sony for which North Korea is held responsible.
The Sangfor VPN zero-day is the third 0-day used by DarkHotel in 2020. Earlier this year, the group exploited zero-day issues in the Firefox and Internet Explorer browsers to attack government organizations in China and Japan.
Qihoo 360 researchers write that the new attacks on government agencies in China could be linked to the coronavirus pandemic. DarkHotel is probably trying to find out how the Chinese government dealt with the epidemic. Notably, two weeks ago the Reuters news agency reported that DarkHotel is also attacking the World Health Organization.
Sangfor VPN developers promise to release firmware updates and patches for the 0-day vulnerabilities in the coming days. The company also plans to publish a dedicated script to detect compromised VPN servers and a second tool to remove the consequences of the DarkHotel attacks.