A security firm claims that a hacking group sponsored by the Chinese government has been running attack waves since 2019. The group is allegedly exploiting the ZeroLogon vulnerability against automotive, pharmaceutical, and industrial targets.
ZDNet reported that the hacking group is running a large campaign targeting pharmaceutical, engineering, and automotive entities across the globe. The campaign is already hitting some businesses through the recently disclosed security vulnerability.
According to Bleeping Computer's latest report, several Japanese companies and their subsidiaries from multiple industry sectors in 17 regions across the world are also targeted.
Cicada hacking group
Symantec claimed that the global cyberattack campaign is the work of the Cicada group, also known as Stone Panda, APT10, or Cloud Hopper. The threat group was first identified in 2009.
The United States has also claimed that the hackers are supported by the Chinese government. Symantec security researchers said that Cicada's most recent attack wave has been ongoing since mid-October 2019.
The campaign is believed to have remained active until at least October 2020. Cicada reportedly used a variety of techniques and tools to conduct its attacks. Because the group is well-resourced, it has been able to sustain the campaign for almost a year.
Cicada’s strategies and techniques
Cicada, or APT10, uses a range of techniques alongside its ZeroLogon exploitation. These include network reconnaissance, command-line utilities, PowerShell scripts, DLL side-loading, credential theft, and RAR archiving.
The group also makes use of a legitimate cloud hosting provider, which serves it for packaging, downloading, and exfiltrating data stolen from the targeted companies.
Cicada exploits ZeroLogon, tracked as CVE-2020-1472. The flaw carries a CVSS score of 10 and was patched by Microsoft in August. ZeroLogon allows attackers to hijack domains and spoof domain controller accounts, and so to breach Active Directory identity services.
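From the defender's side, the most useful question this raises is how exploitation of ZeroLogon shows up in a domain controller's logs. The script below is an added example written for this article, not code from Symantec, Microsoft, or any tool the article mentions. It scans constructed Windows event records for two indicators that Microsoft's August 2020 patch made available: Netlogon System-log events 5827/5828 (a vulnerable secure-channel connection was denied) and 5829 (a vulnerable connection was still allowed because enforcement mode was off), and Security event 4742 (computer account changed) where the acting subject is ANONYMOUS LOGON, which is what a machine-account password reset by the exploit looks like. The `Event` record shape and the `SAMPLE_EVENTS` list are constructed for the example; the event IDs are Microsoft's.

```python
"""Flag Windows event records that look like ZeroLogon (CVE-2020-1472) activity.

Hypothetical detection helper written for this article. The event IDs are the
ones Microsoft documented with the August 2020 Netlogon patch; the record
layout and the sample data below are constructed, not real logs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Netlogon (System log) events introduced by the August 2020 patch.
NETLOGON_DENIED = {5827, 5828}   # vulnerable secure-channel connection rejected
NETLOGON_ALLOWED = {5829}        # vulnerable connection allowed (enforcement mode off)
# Security log: "A computer account was changed."
COMPUTER_ACCOUNT_CHANGED = 4742


@dataclass(frozen=True)
class Event:
    event_id: int
    log: str       # "Security" or "System"
    subject: str   # account that performed the action ("" if not applicable)
    target: str    # account acted upon; machine accounts end with "$"


def classify(ev: Event) -> Optional[str]:
    """Return a short reason if the event looks like ZeroLogon activity, else None."""
    if ev.log == "System" and ev.event_id in NETLOGON_ALLOWED:
        return ("vulnerable Netlogon secure channel ALLOWED for %s "
                "(enforcement mode off; investigate the source host)" % ev.target)
    if ev.log == "System" and ev.event_id in NETLOGON_DENIED:
        return ("vulnerable Netlogon secure channel DENIED for %s "
                "(exploit attempt blocked by the patch)" % ev.target)
    if (ev.log == "Security"
            and ev.event_id == COMPUTER_ACCOUNT_CHANGED
            and ev.subject.upper() == "ANONYMOUS LOGON"
            and ev.target.endswith("$")):
        # A machine-account change by an anonymous subject is the classic
        # post-exploitation signature: the exploit resets the account password.
        return ("machine account %s changed by ANONYMOUS LOGON "
                "(ZeroLogon password-reset signature)" % ev.target)
    return None


def scan(events: List[Event]) -> List[Tuple[Event, str]]:
    """Return every event that classify() flags, paired with its reason."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append((ev, reason))
    return hits


# Constructed sample records (not taken from any real system).
SAMPLE_EVENTS = [
    Event(4742, "Security", "ANONYMOUS LOGON", "DC01$"),     # exploit signature
    Event(4742, "Security", "CORP\\svc-admin", "WS042$"),    # routine admin change
    Event(5829, "System", "", "WS019$"),                     # vulnerable, allowed
    Event(5827, "System", "", "WS020$"),                     # vulnerable, denied
    Event(4624, "Security", "CORP\\alice", ""),              # ordinary logon
]


if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_EVENTS):
        print("[%s %d] %s" % (ev.log, ev.event_id, reason))
```

Running the script on the sample data flags three records: the anonymous change to `DC01$`, the allowed vulnerable connection from `WS019$`, and the denied one from `WS020$`. In practice the 4742-by-ANONYMOUS-LOGON case against a domain controller account is the high-confidence alert; 5829 events are noisy while enforcement mode is off because they also fire for legitimate legacy devices, so they are best treated as an inventory of hosts to remediate rather than as intrusions on their own.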
Aside from ZeroLogon, the international hacking group also deployed Backdoor.Hartip, a new custom malware that had not previously been seen in connection with APT10. This malware is likewise designed to target top businesses in different countries.
Symantec also suggested that the cybercriminals are focused on cyberespionage and the theft of sensitive company data, including HR documents, meeting memos, expense information, and corporate records.