APT10 (also known as Red Apollo), a Chinese cyberespionage group, is active again and found to be abusing the Windows Zerologon vulnerability. They are now targeting Japanese companies and subsidiaries belonging to multiple industry sectors located in 17 regions worldwide.
What has happened?
From mid-October 2019 to October 2020, the attackers have been running this campaign, mostly using DLL side-loading. The threat actors have been found to be using a Hartip backdoor.
- The attackers are now using Zerologon exploits to steal domain credentials to gain full control over the entire domain, following the exploitation of vulnerable devices.
- The group used custom loaders to deliver malicious payloads on all of the targets' networks. In addition, they used living-off-the-land tools (such as Certutil, Adfind, Csvde, Ntdsutil, WMIExec, and Powershell), obfuscation techniques, as well as the QuasarRAT malware.
- The time spent by threat actors in compromised networks varied greatly, from a few days to several months. In some cases, their activity was spotted after months of complete silence.
- In some cases, they remained active, along with hiding their presence in victims' networks for an entire year, indicating the sophistication and capabilities of the attackers.
China-based attackers are constantly targeting entities mostly located in North America, South, and East-Asia.
- Last month, Chinese state-sponsored hackers were targeting U.S. computer networks involved in national defense, according to the FBI.
- Recently, a complex espionage attack has been discovered targeting the government sector in Southeast Asia, leveraging a complete arsenal of droppers, backdoors, and other tools, including Chinoxy backdoor, PcShare RAT, and FunnyDream backdoor binaries.
The Chinese cyberespionage group is active again and has come up with more sophistication than ever before. Therefore, experts suggest implementing and developing appropriate prevention, detection, and mitigation strategies. In addition, review network perimeter to identify any ongoing suspicious activity.