Chinese Hackers Exploit Zerologon Flaw for CyberespionageResearchers: 'Cicada' Campaign Targeting Japanese Companies
The Chinese hacking group "Cicada" is exploiting the critical Zerologon vulnerability in Windows Server as part of a cyberespionage campaign that’s mainly targeting Japanese companies, according to the security firm Symantec, a division of Broadcom.
The campaign, which began in October 2019 and is ongoing, has targeted Japanese firms and their subsidiaries in 17 locations across the world, Symantec notes in its report. The focus of the campaign is to exfiltrate data, particularly from automotive organizations, as part of an industrial cyberespionage effort.
The Symantec report, however, notes that other industries have been targeted by this advanced persistent threat group.
"Companies in multiple sectors are targeted in this campaign, including those operating in the pharmaceutical and engineering sectors, as well as managed service providers," the report notes. "The scale and sophistication of this attack campaign indicate that it is the work of a large and well-resourced group, with Symantec discovering enough evidence to attribute it to Cicada."
Cicada, also known as APT10, Stone Panda, and Cloud Hopper, is linked to China's Ministry of State Security. The group, which has been active since 2009, has long been targeting Japanese organizations for cyberespionage, Symantec notes.
Members of this hacking group were also recently sanctioned by the European Council for campaigns that took place within EU member states (see: EU Issues First Sanctions for Cyberattacks).
In December 2018, the U.S. Justice Department unsealed an indictment against two alleged Cicada members for their roles in hacking the networks of 45 technology companies and U.S. government agencies (see: 2 Chinese Nationals Indicted for Cyber Espionage).
The Symantec researchers note that they were able to link the latest attacks to the group based on the campaign’s use of malware components and tactics similar to those used during previous campaigns.
"The scale of the operations also points to a group of Cicada's size and capabilities,” the report notes. “The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups. The link all the victims have to Japan also points towards Cicada, which has been known to target Japanese organizations in the past."
In the latest campaign, however, the APT group is using a previously unseen custom malware variant called Backdoor.Hartup as well as living-off-the-land tools to target the victims, Symantec says.
Once the victim’s network is compromised, the hackers remain active on them up to a year to exfiltrate data, the report says. Cicada then uses a Dynamic Link Library side-loading technique to compromise the victims' domain controllers and file servers.
The attackers then use publicly available tools to perform network reconnaissance, steal credentials and exfiltrate data from a victim’s systems, Symantec adds. In one of these attacks, the hackers archived the victim's folders, which included the organization's folders relating to human resources, audit and expense data, and meeting memos.
Adding yet a new twist to their techniques, Cicada is now exploiting Zerologon, a critical vulnerability in Windows Server first disclosed in August, when Microsoft rushed out a temporary emergency patch. A longer-term fix is in the works.
Zerologon, tracked as CVE-2020-1472, affects Windows Server's Netlogon Remote Protocol - or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access, according to Microsoft's initial alert about the bug.
Because of the severity of the flaw, which has been given a CVSS score of 10 - the most critical - Microsoft and government agencies around the world have warned organizations to immediately patch the bug (see: Microsoft Issues Updated Patching Directions for 'Zerologon').
In October, the U.S. Cybersecurity and Infrastructure Security Agency warned that hackers are chaining together the Zerologon bug with other flaws to target government networks. Earlier, Microsoft warned that an Iranian APT group attempted to exploit the unpatched Zerologon vulnerabilities (see: Iranian Hackers Exploiting 'Zerologon' Flaw).
The Symantec report notes Cicada’s ability to modify its tools and techniques to exploit the Zerologon vulnerability should serve as a warning sign to organizations that have not patched the vulnerability.
"Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous," Symantec notes. "Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor that has not been observed by Symantec before show that it continues to evolve its tools and tactics to actively target its victims."