Chinese state-sponsored attackers are exploiting the Zerologon vulnerability in a global campaign targeting businesses.
According to security firm Symantec, the Cicada group (also known as APT10, Stone Panda or Cloud Hopper) is targeting Japanese companies and their subsidiaries in 17 countries with information-stealing attacks. The targeted sectors include automotive, pharmaceutical, engineering and managed service providers (MSPs).
It is believed that the current campaign has been ongoing since October 2019. On some victims' networks the attackers maintained persistence for a year, while on others the attacks lasted only days.
Symantec became aware of the campaign when it noticed suspicious DLL side-loading activity on one of its customers' networks. APT10 used this technique during multiple stages of its attacks to load malware into legitimate processes.
The attackers also used other techniques: "living off the land" via legitimate Windows functionality such as PowerShell, dual-use and publicly available tools such as WMIExec, and custom malware such as the newly discovered Backdoor.Hartip.
The group was found to be exploiting the Zerologon elevation-of-privilege bug, tracked as CVE-2020-1472 and patched back in August, to remotely hijack a domain and thereby compromise all Active Directory identity services.
The attackers' motive is usually intelligence gathering and information theft. The data of interest includes corporate records, HR documents, meeting memos and expense information.
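The article does not say how Zerologon exploitation was spotted. The script below is an added example (not from the article or from Symantec) showing how a defender can triage Windows event records for signs of CVE-2020-1472 abuse: a domain controller's computer account password changed by ANONYMOUS LOGON (Security event 4742, the signature of the exploit resetting the machine-account password), and the Netlogon events the August 2020 patch added to the System log (5827/5828 for denied vulnerable secure-channel connections, 5829/5830/5831 for connections still allowed while enforcement is off). It assumes events have already been exported into dictionaries keyed by the standard Windows field names; the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Netlogon event IDs introduced by the August 2020 update for CVE-2020-1472.
NETLOGON_DENIED = {5827, 5828}          # vulnerable connection denied (enforcement on)
NETLOGON_ALLOWED = {5829, 5830, 5831}   # vulnerable connection allowed (deployment phase / exception policy)
ANONYMOUS_LOGON_SID = "S-1-5-7"         # well-known SID for ANONYMOUS LOGON


@dataclass
class Finding:
    severity: str
    event_id: int
    computer: str
    reason: str


def is_machine_account(name: str) -> bool:
    """Computer and trust accounts end with '$' in Active Directory."""
    return name.endswith("$")


def analyze(events: List[Dict]) -> List[Finding]:
    """Return findings for records consistent with Zerologon abuse or a still-vulnerable DC."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        computer = ev.get("Computer", "?")
        if eid == 4742:
            # Assumption: exported field names match the 4742 XML data names.
            subject_sid = ev.get("SubjectUserSid", "")
            target = ev.get("TargetUserName", "")
            if subject_sid == ANONYMOUS_LOGON_SID and is_machine_account(target):
                findings.append(Finding(
                    "critical", eid, computer,
                    f"machine account {target} changed by ANONYMOUS LOGON; "
                    "consistent with a Zerologon password reset"))
        elif eid in NETLOGON_DENIED:
            findings.append(Finding(
                "high", eid, computer,
                f"vulnerable Netlogon connection from {ev.get('MachineName', '?')} denied; "
                "a client attempted the insecure channel"))
        elif eid in NETLOGON_ALLOWED:
            findings.append(Finding(
                "medium", eid, computer,
                f"vulnerable Netlogon connection from {ev.get('MachineName', '?')} allowed; "
                "enforcement mode is not enabled on this DC"))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-21-1111-2222-3333-500",
     "SubjectUserName": "Administrator", "TargetUserName": "WS042$"},   # routine admin change, not flagged
    {"EventID": 5829, "Computer": "DC01.corp.example", "MachineName": "WS042"},
    {"EventID": 5827, "Computer": "DC02.corp.example", "MachineName": "LAB-PC7"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "TargetUserName": "jdoe"},  # unrelated logon
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.event_id} on {f.computer}: {f.reason}")
```

The routine 4742 generated by an administrator is deliberately left unflagged: the discriminator is the ANONYMOUS LOGON subject, not the event ID alone. A 5829 on a patched DC means the August update is installed but enforcement mode is still off, so the DC remains exploitable until it is enabled.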