US, WASHINGTON (ORDO NEWS) — Chinese agencies and diplomatic missions have been targeted by hackers who used compromised virtual private network (VPN) servers as part of a coordinated cyber espionage campaign, at a time when many governments and organizations have become more exposed to security breaches because of remote work during the pandemic.
According to the Qihoo 360 report, both Chinese departments and diplomatic missions in countries such as Italy, the UK, North Korea and Thailand were hacked. The report said that the hacker group DarkHotel, based in East Asia, was involved in the attacks.
The group is also suspected of cyber attacks against the World Health Organization (WHO), as officials and cybersecurity experts warn that hackers of all stripes seek to capitalize on international concerns about the spread of coronavirus, the news agency Reuters reported.
According to experts from Qihoo 360, the criminals exploited a zero-day vulnerability in Sangfor SSL VPN servers to gain remote access to corporate and government networks.
“Since March this year, more than 200 VPN servers have been hacked, and many Chinese institutions abroad have been attacked. In early April, the attack spread to government agencies in Beijing and Shanghai,” said a report from Qihoo 360, China’s largest antivirus provider.
Experts found that 174 servers were located in networks of Chinese diplomatic missions operating in countries such as Italy, the UK, Pakistan, Kyrgyzstan, Indonesia, Thailand, the UAE, Armenia, North Korea, Israel, Vietnam, Turkey, Malaysia, Iran, Ethiopia, Tajikistan, Afghanistan, Saudi Arabia and India.
A spokeswoman for the Chinese Foreign Ministry said she had no information regarding these attacks. The WHO did not immediately respond to a request for comment.
The attacks come at a time when many governments and corporations are asking employees to work from home to prevent the spread of the new coronavirus. “Especially in this global fight against the coronavirus pandemic, VPN plays an indispensable and important role in organizing remote communication between enterprises and government agencies,” Qihoo 360 experts write. “After VPNs fall under the control of intruders, the internal assets of many enterprises and institutions fall into social networks, and losses will be immeasurable.”
DarkHotel is a group of elite hackers who have been conducting cyber espionage operations since at least 2007. Cybersecurity firms have tracked many of DarkHotel’s operations in East Asia, targeting government officials and company executives in countries such as China, North Korea, Japan, and the United States.
A Qihoo 360 report said the group could have attacked Chinese institutions in order to obtain pandemic-related information.
“Until we see confirmation from a third party. This should happen in the next few days,” commented Mark Webb-Johnson, co-founder and chief technical officer of Network Box security services provider. “At the moment, this is the opinion of one company. However, I do not see any evidence that would challenge its credibility.”
According to Brian Bartholomew, a researcher at the antivirus company Kaspersky Lab, the Qihoo 360 report is full of speculation, and more data is therefore needed to support the hypotheses it puts forward.
Exploiting the vulnerability in the Sangfor Technologies VPN, the attackers replaced the SangforUD.exe file on the compromised servers with an infected version. This file is the update for the Sangfor VPN desktop application that employees install on their computers to connect to Sangfor VPN servers. When workers connected to a hacked Sangfor VPN server, their desktop client was offered an automatic update containing the malicious file, which then installed a backdoor on their devices.
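The weak link in the scenario above is a client that trusts whatever update file the VPN server hands it. The following is an added example (not Sangfor's code, and not from the Qihoo 360 report) of the check a desktop client can apply before installing an update: it compares the downloaded file against a pinned SHA-256 manifest obtained out of band, rejects unknown versions and downgrades, and does a minimal sanity check on the file header. The file bytes, versions and hashes are constructed for the demonstration; `SangforUD.exe` is the only name taken from the article.

```python
"""Update-integrity check for an auto-updating VPN desktop client.

Example code written for this article; it is not Sangfor's updater. The
"genuine" update bytes and the resulting hashes below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the bytes of genuine releases. In practice the
# client never sees these; it only holds the SHA-256 digests, published by the
# vendor over a channel the VPN server cannot alter (signed manifest, vendor
# web site over TLS). A server that can replace the update file must not also
# be the source of the hashes used to check it.
_GENUINE = {
    "1.0.0": b"MZ\x90\x00genuine-updater-v1.0.0",
    "1.1.0": b"MZ\x90\x00genuine-updater-v1.1.0",
}
KNOWN_GOOD = {
    "SangforUD.exe": {v: hashlib.sha256(b).hexdigest() for v, b in _GENUINE.items()}
}


@dataclass(frozen=True)
class UpdateOffer:
    filename: str   # name the server says the file has
    version: str    # version the server claims to be delivering
    payload: bytes  # file bytes as downloaded from the server


def _ver(s):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def verify_update(offer, installed_version, allowlist=KNOWN_GOOD):
    """Decide whether an offered update may be installed.

    Returns (accepted, reason). Every rejection is explicit so the client can
    log it; a mismatch on a file the server insists is current is exactly the
    signal an operator wants to see when a server has been tampered with.
    """
    pins = allowlist.get(offer.filename)
    if pins is None:
        return False, "unknown file name"
    if _ver(offer.version) <= _ver(installed_version):
        return False, "not newer than installed version"
    expected = pins.get(offer.version)
    if expected is None:
        return False, "version not in pinned manifest"
    if not offer.payload.startswith(b"MZ"):
        return False, "not a PE executable"
    actual = hashlib.sha256(offer.payload).hexdigest()
    # Constant-time comparison; cheap insurance for a security decision.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: file differs from vendor release"
    return True, "pinned hash matches"


# Constructed offers: a genuine update, a server-substituted file that claims
# the same version, a downgrade, and a version the vendor never published.
SAMPLE_OFFERS = [
    UpdateOffer("SangforUD.exe", "1.1.0", _GENUINE["1.1.0"]),
    UpdateOffer("SangforUD.exe", "1.1.0", b"MZ\x90\x00replaced-on-server"),
    UpdateOffer("SangforUD.exe", "1.0.0", _GENUINE["1.0.0"]),
    UpdateOffer("SangforUD.exe", "1.2.0", b"MZ\x90\x00unreleased"),
]

if __name__ == "__main__":
    for o in SAMPLE_OFFERS:
        ok, why = verify_update(o, installed_version="1.0.0")
        print(f"{o.filename} {o.version}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The pinned-hash approach stops a compromised distribution point from substituting a file, which is the failure mode described in the article; it does nothing against a build that was already malicious when the vendor published its hash, so it complements rather than replaces code signing and vendor-side build integrity.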
On Tuesday, Sangfor, based in Shenzhen, confirmed the compromise and issued a fix. The company also plans to release a script to detect VPN servers that have been compromised and a tool to delete the files deployed by DarkHotel.
“We sincerely apologize for the backdoors being detected in the security system,” the Sangfor statement said. “The company has launched a comprehensive review of existing products and will conduct more stringent verification tests.”