Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability
Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical.
According to information gathered by Symantec, a Broadcom division, these attacks have been attributed to the Cicada group, also known as APT10, Cloud Hopper, or Stone Panda.
The attackers are known for their sophistication; in some cases they hid their activity effectively and remained undetected while operating for around a full year. The state-backed actors have previously stolen data from militaries, businesses, and intelligence targets, and Japanese subsidiaries appear to be their latest target.
The attacks have been linked to Cicada based on the obfuscation methods and shellcode in the loader DLLs used to deliver malicious payloads, which match those seen in the group's past activity, along with other similarities such as the use of living-off-the-land tools and the QuasarRAT backdoor as a final payload, both commonly employed by the group.
“The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada,” Symantec said in their report.
“The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together,” the report further read.
In September, the Iranian-sponsored hacking group MuddyWater (also tracked as MERCURY and SeedWorm) was seen actively exploiting the Zerologon vulnerability. Another group that exploited Zerologon was the financially motivated TA505 threat group, also known as Chimborazo.
“The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue,” according to a report published by KELA, an Israel-based cybersecurity organization.
“[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks,” KELA further added.