Chinese APT Targeting German Enterprises
Attacker Exploiting Exchange Server and Zoho Vulnerabilities
German officials are warning about an ongoing cyberespionage campaign by Chinese-backed hacking group APT27 or Emissary Panda using the malware variant HyperBro against German commercial companies.
Germany’s Federal Office for the Protection of the Constitution says that since March 2021 the attackers have been exploiting vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 - tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 - and in the Zoho ADSelfService Plus software - tracked as CVE-2021-40539 - as the gateway for the attacks.
"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)," the government authorities say.
John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, says that China has sophisticated infiltration abilities, and it targets broadly around the world.
"They are unique in the sense that they will steal commercially significant information and give it to their own private sector to undercut their competitors," Bambenek says. He says memory-only malware is seen in nation-state attacks because it "takes some detection techniques off the table, but with the indicators published by the German government, it should be possible for every moderately resourced organization to detect if this was in their networks."
James McQuiggan, security awareness advocate at KnowBe4, tells ISMG: "Nation-state attackers know that not all organizations effectively update and patch their perimeter or essential internal systems and use that weakness to gain access." He says that by accessing supply chain organizations, attackers can "leverage them to attack other companies or steal intellectual property."
In light of recent political conditions in various nations and governments, McQuiggan says, all organizations should implement all security updates and patches to protect against third-party supply chain attacks.
The government agency says that the APT27 group has been active since at least 2010 and has increased its attacks against German targets by using the HyperBro malware.
HyperBro is a remote access tool that is primarily used to target the gambling industry, though it has been spotted in other sectors as well (see: New Hacking Group Targets Gambling Firms: Report).
The malware typically consists of three components:
- A genuine loader, typically with a signed certificate;
- A malicious DLL loader loaded from the former component via DLL hijacking;
- An encrypted and compressed blob, which decrypts to a PE-based payload that has its command-and-control information hard-coded within.
"The [Federal Office for the Protection of the Constitution] assumes that the actor will continue to attack the German economy and therefore publishes the detection rules and technical indicators (Indicators of Compromise) to help businesses identify existing infections and possibly new versions of the malware," the agency says.
It says the malware communicates with the attacker's hard-coded command-and-control servers and receives various commands from them.
"Malicious communication from HyperBro usually takes place via TCP port 443. In individual cases, several variants of HyperBro may be installed in a victim network by the attacker, which, according to current knowledge, differ in the hard-coded command-and-control addresses," the agency says.
The Federal Office for the Protection of the Constitution recommends users check their systems for the indicators of compromise provided and check log files and active network connections for connections to the external systems mentioned in the IOCs section.
Because the actor may change the IOCs provided, the agency also recommends that users check historical network logs - especially those from February 2021 onward, where available - to rule out infections that have already occurred in the past.
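The retrospective check the agency recommends - sweeping historical connection logs for contacts with the published command-and-control addresses, from February 2021 onward - can be scripted. The following is an added example written for this article, not code from the agency or from any vendor; the indicator addresses are placeholders from the TEST-NET ranges (the real IOCs come from the Federal Office's advisory), and the log format and sample lines are constructed for the example.

```python
"""Sweep historical connection logs for contacts with known HyperBro C2 addresses.

Added example: the indicator set is a placeholder, and the log format
(ISO timestamp, source IP, destination IP, destination port, bytes) is an
assumed simple firewall export rather than any specific product's format.
"""
from datetime import datetime, timezone
import ipaddress

# Placeholder indicator set (TEST-NET addresses). In a real sweep, load the
# C2 addresses published in the advisory here. A set, not a single address,
# because several HyperBro variants with different hard-coded C2s may be
# present in one network.
C2_INDICATORS = {
    "203.0.113.10",   # placeholder, stands in for a published C2 address
    "198.51.100.77",  # placeholder, stands in for a second variant's C2
}

# Earliest date the advisory suggests reviewing.
REVIEW_FROM = datetime(2021, 2, 1, tzinfo=timezone.utc)

# Constructed sample log lines. The first is before the review window,
# the last is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
2021-01-15T03:12:44Z 10.0.0.5 203.0.113.10 443 5120
2021-03-02T22:41:09Z 10.0.0.8 203.0.113.10 443 81920
2021-03-02T22:43:10Z 10.0.0.8 93.184.216.34 443 2048
2021-04-11T01:05:33Z 10.0.0.12 198.51.100.77 8443 400
malformed line here
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ipaddress.ip_address(src)  # raises ValueError on garbage
        ipaddress.ip_address(dst)
        return {"time": when, "src": src, "dst": dst,
                "port": int(port), "bytes": int(nbytes)}
    except ValueError:
        return None


def find_ioc_hits(log_text, indicators=C2_INDICATORS, since=REVIEW_FROM):
    """Return records within the review window whose destination is an indicator.

    Each hit is annotated with whether the port matches the TCP/443 channel
    the advisory describes; a hit on another port is still a hit, since the
    address is the indicator, but it is worth calling out during triage.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["time"] < since:
            continue
        if rec["dst"] in indicators:
            rec["note"] = "expected C2 port" if rec["port"] == 443 else "non-standard port"
            hits.append(rec)
    return hits


def hosts_to_triage(hits):
    """Distinct internal source addresses that contacted an indicator, sorted."""
    return sorted({h["src"] for h in hits}, key=ipaddress.ip_address)


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time'].isoformat()} {h['src']} -> {h['dst']}:{h['port']} "
              f"({h['bytes']} bytes, {h['note']})")
    print("hosts to triage:", ", ".join(hosts_to_triage(found)))
```

Run against the constructed sample, the January connection is skipped because it predates the review window, and two hits remain: one on TCP/443 and one on a non-standard port, giving two internal hosts to triage. For real logs, feed the exported file's contents to `find_ioc_hits` and replace the placeholder set with the advisory's addresses.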
Since 2010, Emissary Panda or APT27 has been targeting organizations in aerospace, government, defense and technology, according to a report by security firm Trend Micro.
In April 2019, security company Palo Alto Networks' Unit 42 reported that the group had started installing web shells on SharePoint servers to compromise government organizations in the Middle East.