The state-sponsored group DarkHotel has been a thorn in the side of security firms, not to mention its victims, since 2007. The group has gone by many names, but it is largely the work done by Kaspersky Lab in analysing the group's activity that led to the name DarkHotel sticking. Now it appears that the group has been conducting a large-scale hacking operation targeting Chinese government agencies across the globe. The attacks are believed to have begun in March, looking to exploit the COVID-19 pandemic as a means to lure victims. Since the pandemic became a global emergency, hackers of all kinds, from script kiddies to advanced persistent threat (APT) groups, have looked to take advantage of people's fears about the disease. This trend is likely to continue as long as the pandemic rages across borders.
The latest campaign was discovered by Chinese security firm Qihoo 360, which published its findings in a blog post on April 6. Researchers found that the hackers used a zero-day vulnerability in Sangfor SSL VPN servers, products used to provide remote access to enterprise and government networks. With approximately 4 billion people currently living under lockdown conditions, the use of VPNs has surged as many continue to work remotely, and that surge has led attackers to hunt for flaws in VPN servers and for misconfigured VPN deployments. In practice, a VPN can be seen as a secure communication tunnel that extends a private network across public networks, allowing devices separated by long distances to reach servers on a company's private network, for example.
The attackers used the zero-day to gain control of Sangfor VPN servers and, once inside, replaced a file named SangforUD.exe with a booby-trapped version. The booby-trapped file installed a backdoor trojan on the machines that received it: it was delivered to connecting clients through the product's automatic update mechanism, which was now under the attackers' control. The practical lesson is that an update channel is only as trustworthy as the server behind it; a client that executes whatever the server serves has no defence once that server is compromised.
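As an added illustration (this is not Sangfor's code, and the page does not describe how the real client validates SangforUD.exe), the following Python shows the two checks a practitioner would want after an attack like this: a client-side pinned-hash gate that refuses an update file whose hash does not match a vendor-published manifest, and a server-side sweep that flags copies of SangforUD.exe whose hash is not a known release. The update bytes, the release tag, the manifest and the file paths are all constructed for the example.

```python
"""Pinned-hash check for an update file, as a defence against the kind of
SangforUD.exe swap described above. Added example; not Sangfor's code, and
the page does not say how the real client validates updates."""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample bytes standing in for the vendor's genuine update file
# and the attacker-modified copy served from a compromised VPN server.
GENUINE_UPDATE = b"MZ\x90\x00" + b"genuine SangforUD.exe payload (constructed sample)"
TROJANED_UPDATE = GENUINE_UPDATE + b"\x00constructed backdoor stub"

# Hypothetical pinned manifest shipped inside the client: release tag -> SHA-256
# of the genuine file. In production this would be vendor-signed and published
# out of band, so a compromised update server cannot simply rewrite it.
PINNED_MANIFEST: dict[str, str] = {
    "example-release-1": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


def sha256_hex(blob: bytes) -> str:
    """SHA-256 of an update file as lowercase hex."""
    return hashlib.sha256(blob).hexdigest()


def verify_update(blob: bytes, release: str, manifest: dict[str, str]) -> tuple[bool, str]:
    """Client-side gate: install the update only if its hash matches the pinned value.

    Unknown releases are rejected too, so an attacker cannot bypass the check by
    advertising a release tag the manifest has never heard of.
    """
    expected = manifest.get(release)
    if expected is None:
        return False, f"no pinned hash for release {release!r}; refusing to install"
    actual = sha256_hex(blob)
    # compare_digest is a constant-time comparison; cheap insurance even though
    # the expected hash itself is not secret.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: update file was altered on the server or in transit"
    return True, "hash matches pinned manifest"


def find_tampered_update_files(
    inventory: list[tuple[str, str]], manifest: dict[str, str]
) -> list[str]:
    """Server-side sweep: return paths of SangforUD.exe copies whose hash is not a
    known-good release. Input is a list of (path, sha256) pairs, e.g. from a
    file-system walk; only the file name is matched so the layout does not matter."""
    known = set(manifest.values())
    return [
        path
        for path, digest in inventory
        if path.replace("\\", "/").rsplit("/", 1)[-1].lower() == "sangforud.exe"
        and digest not in known
    ]


# Constructed inventory with hypothetical paths: one swapped copy, one intact
# backup, and an unrelated file that must not be flagged.
SAMPLE_INVENTORY: list[tuple[str, str]] = [
    ("/opt/vpn/update/SangforUD.exe", sha256_hex(TROJANED_UPDATE)),
    ("/opt/vpn/backup/SangforUD.exe", sha256_hex(GENUINE_UPDATE)),
    ("/opt/vpn/bin/other.bin", sha256_hex(b"unrelated file")),
]


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_UPDATE), ("trojaned", TROJANED_UPDATE)):
        ok, reason = verify_update(blob, "example-release-1", PINNED_MANIFEST)
        print(f"{label:9s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
    print("tampered copies on server:",
          find_tampered_update_files(SAMPLE_INVENTORY, PINNED_MANIFEST))
```

A pinned hash is the minimum; the same gate is stronger when the manifest is a vendor-signed document verified with a key baked into the client, because then even a fully compromised update server cannot forge a matching entry. The server-side sweep is the kind of check the detection script mentioned later on this page would perform, here done against a constructed inventory rather than a live file system.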
Researchers discovered that more than 200 VPN servers were successfully hacked in this way, including 174 servers which belong to Chinese government agencies in Beijing and Shanghai, as well as agencies and diplomatic missions around the world. Infected servers were found in: Italy, United Kingdom, Pakistan, Kyrgyzstan, Indonesia, Thailand, UAE, Armenia, North Korea, Israel, Vietnam, Turkey, Malaysia, Iran, Ethiopia, Tajikistan, Afghanistan, Saudi Arabia, India.
Researchers concluded that the entire attack chain was highly sophisticated. Given that sophistication, the choice of targets, and the methods used, in particular the reliance on zero-day flaws, the researchers attributed the attack to DarkHotel. It is commonly believed that DarkHotel operates from somewhere on the Korean peninsula, with some believing the group to be supported by the South Korean government. Despite being active since 2007, much of the group's activity remains shrouded in mystery, with relatively little known for sure.
Researchers tracking the latest campaign believe it may be related to the COVID-19 outbreak and that its aim may be to steal information about how China dealt with the outbreak, which started in the city of Wuhan. Researchers at the Chinese security firm were quick to say that most of this is speculation, but they offered two perspectives to support it. From the perspective of the pandemic, the researchers noted,
“This time, Darkhotel attacked many Chinese overseas agencies by breaking through VPN services. Is it intended to spy upon China's medical technology and virus-control measures during the epidemic? Is it also possible that, by attacking Chinese overseas agencies, the group's real purpose is to grasp the supply transport routes, quantity, and equipment of the quarantine materials that China sends to other countries around the world? What's more, is it aiming at further probing into the medical data of the epidemic in more countries?”
From a second perspective, namely an economic one, researchers noted,
“Another speculation is that the group may also want to know the relationships between China and other countries by analyzing the political and economic transactions data as well as the economic mitigation measures, so as to further promote the rise of the national economy and balance the interests of various countries after the pandemic?”
The speculation is not without merit. On March 23, 2020, Reuters reported on an attack against the World Health Organization (WHO) that has been linked to DarkHotel. Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, told Reuters journalists about the attack. Urbelis spotted suspicious activity around March 13, when a group of hackers he had been following activated a malicious site mimicking the WHO's internal email system. While WHO officials admitted that an attempted attack did take place, they did not try to identify the culprits. Urbelis, however, believes the attack was conducted by DarkHotel.
Further support lies in the tactics the group employs. In the past it has shown a fondness for exploiting zero-day flaws. In a report published last month, Google revealed that a single hacking group used five zero-day flaws in campaigns conducted in 2019, exploiting bugs in Internet Explorer, Chrome, and Windows through phishing emails that carried malicious attachments or links to malicious sites. The group has been known to pair such flaws with watering-hole attacks, that is, links to sites under its control, to further its objectives. Google declined to name who was responsible, but speaking to Wired, Kaspersky was of the opinion that DarkHotel was indeed behind the multiple campaigns documented in the Google report. The article went on to state,
“Within hours of Google linking the zero-day vulnerabilities to attacks targeting North Koreans, Kaspersky was able to match two of the vulnerabilities—one in Windows, one in Internet Explorer—with those it has specifically tied to DarkHotel. The security firm had previously seen those bugs exploited to plant known DarkHotel malware on their customers' computers. (Those DarkHotel-linked attacks occurred before Microsoft patched its flaws, Kaspersky says, suggesting that DarkHotel wasn't merely reusing another group's vulnerabilities.) Since Google attributed all five zero-days to a single hacker group, "it’s quite likely that all of them are related to DarkHotel," says Costin Raiu, the head of Kaspersky's Global Research & Analysis Team…Raiu points out that DarkHotel has a long history of hacking North Korean and Chinese victims, with a focus on espionage. "They're interested in getting information such as documents, emails, pretty much any bit of data they can from these targets," he adds. Raiu declined to speculate on what country's government might be behind the group. But DarkHotel is widely suspected of working on behalf of the South Korean government, and the Council on Foreign Relations names DarkHotel's suspected state sponsor as the Republic of Korea.”
DarkHotel attacks detected earlier this year leveraged zero-days in both Firefox and Internet Explorer, with targets in China and Japan. Deploying zero-days is beyond the reach of most hackers, since it typically requires exploit code built from the ground up; attackers who rely on malware bought from underground forums can only get hold of such code once it leaks. For a state-sponsored group, a leak of its code and tooling is the last thing it needs, since that makes it easier for organisations to defend against in the future.
VPN Patches Available
It is important to note that patches are already available, with more to be released imminently; Sangfor made the announcement via a WeChat post. The company also plans to release a script to detect whether a VPN server has been compromised, and a second tool to remove the files deployed by DarkHotel. Qihoo 360 has also published a list of mitigations to help other organisations avoid falling victim. They recommend that:
- The administrator should refer to the manufacturer's guidance to update their VPN server system to the latest version and install security patches.
- Restrict access to the VPN server's 4430 management console port from any external network or untrusted IP to block attacks against the VPN server.
- Strengthen account protection by using strong passwords with a higher security level to prevent the administrator's password from being brute-forced.
- VPN users should avoid using EasyConnect to connect to untrusted VPN servers.
- VPN users are recommended to use 360SecurityGuard to fully scan all disks and enable real-time protection against attacks of this vulnerability.