A suspected cyberespionage group with links to China has been attributed with attacks targeting major IT business-to-business service providers in southern Europe, in a campaign codenamed Operation Digital Eye.
Cybersecurity companies SentinelOne's SentinelLabs and Tinexta Cyber said in a joint report shared with The Hacker News that the intrusions took place between late June and mid-July 2024, adding that the activities were detected and neutralized before they could progress to the data exfiltration phase.
“The intrusions could have given adversaries the opportunity to establish strategic footholds and compromise downstream actors,” security researchers Alexander Milenkoski and Luigi Martire said.
“Threat actors abused the infrastructure of Visual Studio Code and Microsoft Azure for C2 (command and control) purposes in an attempt to avoid detection by making malicious activities look legitimate.”
It is currently unknown which China-linked hacker group is behind the attacks, an aspect complicated by the wide array of tools and infrastructure used by threat actors linked to the East Asian country.
Central to Operation Digital Eye is the use of Microsoft Visual Studio Code Remote tunnels for C2, a legitimate feature that provides remote access to endpoints, allowing attackers to execute arbitrary commands and manipulate files.
Part of the reason government-backed hackers use such public cloud infrastructure is that their activities blend in with the typical traffic seen by network defenders. Additionally, such activity uses legitimate executables that are not blocked by application controls and firewall rules.
The attack chains observed by the companies involve the exploitation of SQL injection flaws as the initial access vector to compromise Internet-facing applications and database servers. The injection is carried out using a legitimate penetration testing tool called sqlmap, which automates the process of detecting and exploiting SQL injection vulnerabilities.
A successful attack is followed by the deployment of a PHP-based web shell called PHPsert, which allows the threat actors to maintain a foothold and establish persistent remote access. Subsequent steps include reconnaissance, credential collection, and lateral movement to other systems on the network using Remote Desktop Protocol (RDP) and pass-the-hash techniques.
“They used a custom modified version of Mimikatz for the pass-the-hash attacks,” the researchers said. The tool “allows processes to run in the user’s security context using a compromised NTLM password hash, bypassing the need for the user’s actual password.”
Significant source code overlaps suggest that the custom tool comes from the same source as those seen exclusively in suspected Chinese espionage activities such as Operation Soft Cell and Operation Tainted Love. These custom modifications of Mimikatz, which also share code-signing certificates and use unique custom error messages or obfuscation techniques, are collectively tracked as mimCN.
“The long-term evolution and versioning of mimCN patterns, along with notable features such as instructions left to a separate team of operators, suggest the involvement of a common vendor or digital quartermaster responsible for active maintenance and tooling,” the researchers noted.
“This is a feature of the Chinese APT ecosystem, as confirmed by the I-Soon leak, and is likely to play a key role in facilitating China-linked cyberespionage operations.”
Also of note is the reliance on SSH and Visual Studio Code Remote Tunnels for remote command execution, with the attackers using GitHub accounts to authenticate and connect to the tunnels, and then accessing the compromised endpoint through the browser-based version of Visual Studio Code (“vscode(.)dev”).
However, it is not known whether the threat actors used newly registered or already compromised GitHub accounts to authenticate to the tunnels.
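Because the tunnel traffic rides on legitimate Microsoft infrastructure and a signed VS Code binary, the detection opportunity lies in host telemetry rather than in blocking the executable. The script below is an added example for this article, not code from SentinelLabs, Tinexta Cyber or Microsoft. It scans constructed process-creation and DNS log lines for two signals: the VS Code CLI being started with the `tunnel` subcommand, and name lookups for the browser client domain named in the report (vscode.dev). The two relay domains in `TUNNEL_DOMAINS` are my assumption about how the Remote Tunnels feature is served, not indicators from the report, and the log format, hostnames and file paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# vscode.dev is named in the report. The other two domains are an assumption
# about the tunnel relay infrastructure and should be validated in your own
# environment before being used as a detection.
TUNNEL_DOMAINS = ("vscode.dev", "tunnels.api.visualstudio.com", "devtunnels.ms")

# The VS Code CLI (code / code.exe) started with the "tunnel" subcommand, which
# is the documented way to host a Remote Tunnel on a machine.
TUNNEL_CMD = re.compile(r'(?:^|[\\/\s"])code(?:\.exe)?[\s"]+.*\btunnel\b', re.IGNORECASE)

# Constructed key=value log format: quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

@dataclass
class Finding:
    host: str
    reason: str
    line: str

def parse(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD.finditer(line)}

def scan_line(line: str) -> Optional[Finding]:
    ev = parse(line)
    host = ev.get("host", "?")
    if ev.get("type") == "process" and TUNNEL_CMD.search(ev.get("cmd", "")):
        return Finding(host, "vscode-tunnel-host-started", line)
    if ev.get("type") == "dns":
        qname = ev.get("qname", "").lower()
        # Match the domain itself or any subdomain of it, nothing looser.
        if any(qname == d or qname.endswith("." + d) for d in TUNNEL_DOMAINS):
            return Finding(host, f"dns-to-{qname}", line)
    return None

def scan(lines) -> list:
    return [f for f in (scan_line(l) for l in lines) if f is not None]

# Constructed sample telemetry: a web server hosting a tunnel from a
# world-writable path, a developer workstation using VS Code normally,
# and a database server resolving the browser client domain.
SAMPLE_LOG = [
    '2024-07-02T03:14:07Z host=web01 type=process user=svc_web cmd="C:\\Users\\Public\\code.exe tunnel --accept-server-license-terms --name web01"',
    '2024-07-02T03:14:09Z host=web01 type=dns qname=global.rel.tunnels.api.visualstudio.com',
    '2024-07-02T03:15:41Z host=dev07 type=process user=jdoe cmd="C:\\Program Files\\Microsoft VS Code\\Code.exe --folder-uri file:///C:/src/app"',
    '2024-07-02T03:16:02Z host=dev07 type=dns qname=update.code.visualstudio.com',
    '2024-07-02T03:20:55Z host=db02 type=dns qname=vscode.dev',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host:6} {f.reason}")
```

The developer workstation produces no finding even though it runs the same binary and talks to Microsoft, which is the property you want: the alert keys on the tunnel subcommand and on the tunnel-specific endpoints, so the next step is to baseline which hosts and accounts legitimately host tunnels and treat a server or service account doing so as the anomaly the report describes.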
Besides mimCN, other aspects that point to China include the presence of simplified Chinese comments in PHPsert, the use of infrastructure provided by the Romanian hosting provider M247, and the use of Visual Studio Code as a backdoor, a technique previously attributed to the Mustang Panda actor.
In addition, the investigation revealed that the operators were mostly active on the target organizations’ networks during normal business hours in China, between 9 a.m. and 9 p.m. CST.
“The strategic nature of this threat is underscored by the targeting of entities that provide data, infrastructure and cybersecurity solutions to other industries, which gives attackers a foothold in the digital supply chain and allows them to extend their reach to downstream actors,” the researchers said.
“This campaign’s abuse of Visual Studio Code Remote Tunnels shows how Chinese APT groups often rely on hands-on, solution-oriented approaches to avoid detection. By using robust development tools and infrastructure, the threat actors sought to disguise their malicious activities as legitimate.”