Citrix and LogMeIn remote-access software abused to mount attack on MSP
Victims include an international apparel company, a US law firm with clients across the pharmaceutical, tech, biomedical, and automotive industries, and Visma, a major European managed service provider (MSP).
The campaigns were designed to steal intellectual property and create launchpads for attacks on third parties associated with the victims, according to researchers at Recorded Future and Rapid7, who teamed up on the research.
The three attacks were carried out by the same hacking crew but were otherwise separate, Recorded Future told The Daily Swig.
“Based on our visibility and the data available, we believe the three attacks took place independently,” Recorded Future explained. “There is no data to suggest the attackers’ access to Visma enabled them to target the two other companies.
“Also, chronologically, Visma was the third victim in this particular campaign which shared technical characteristics with the other two intrusions.”
By targeting MSPs, hackers are exploiting the trust that companies place in their security providers.
The tactic highlights how reliance on third party services – almost unavoidable given greater reliance on cloud-based services among other trends – can expose organizations to additional security risks.
The overall campaign targeting Visma, the retailer, and US law firm ran from November 2017 to September 2018.
“In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials,” according to the security researchers
“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL side-loading techniques documented in a US-CERT alert on APT10 to deliver malware.”
During the Visma intrusion, APT10 hackers deployed their Trochilus malware.
A unique version of the UPPERCUT (ANEL) backdoor, known to have been exclusively used by APT10, aka Stone Panda, featured in the other two attacks.
“APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property,” according to Recorded Future.
In all three incidents, APT10 actors used previously acquired legitimate credentials, likely gained via a third-party supply chain compromise.
Stolen data was siphoned off through Dropbox, which was unwittingly abused as a drop site, using the cURL for Windows command-line tool to exfiltrate (compressed using WinRAR) stolen data.
Recorded Future analyzed an intrusion into one of its client’s networks and collaborated with Rapid7 to clarify the scope, before concluding that APT10 was behind the campaign.
This assessment was made after an analysis of data acquired from targeted host networks, the Recorded Future Platform, network metadata, VirusTotal, Farsight DNS, Shodan, and other open source intelligence gathering techniques.
Operation Cloud Hopper
APT10 is backed by Chinese intelligence agency the Ministry of State Security (MSS), according to Recorded Future.
The three cases highlighted by the researchers are far from isolated. An ongoing campaign sponsored by China’s MSS, dubbed ‘Operation Cloud Hopper’, specifically targets MSPs.
Operation Cloud Hopper, elements of which are often run by shell companies rather than China’s MSS directly, is designed to steal intellectual property and enable secondary attacks against their victims’ clients, according to threat intel researchers at Recorded Future.
Adding two-factor authentication could be used as a defensive measure to safeguard accounts against this type of attack, said Rapid7.
Eoin Miller, Principal MDR analyst at Rapid7, the firm behind the Metapolit pen testing tool, commented: “Unfortunately, this is the type of nefarious behavior we witness regularly. But there are steps organizations can take to combat these issues.
“For example, we recommend implementing two-factor authentication for everything.
“Additionally, strengthening the reviews of authentication attempts against low-cost VPN providers or ‘out of the norm’ networks or countries for an individual user is equally important.
“Organizations should also consider implementing extremely strict application whitelisting on sensitive systems.”