CyberWire Daily - Tracking one of China's hidden hacking groups. [Research Saturday]
Episode Date: February 1, 2020
Operation Wocao (我操, "Wǒ cāo", is a Chinese curse word) is the name that Fox-IT uses to describe the hacking activities of a China-based hacking group. We are joined by Fox-IT's Maarten van Dantzig, who shares his insights into their new report entitled "Operation Wocao: Shining a light on one of China's hidden hacking groups". The research can be found here: Operation Wocao: Shining a light on one of China's hidden hacking groups.
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
So we did an incident response case at one of our clients in Europe about one and a half years ago.
That's Maarten van Dantzig. He's lead intelligence analyst at Fox-IT.
The research we're discussing today is titled Operation Wocao:
Shining a light on one of China's hidden hacking groups.
So they were alerted to a breach by one of the honeypots that they had placed inside
their internal network.
So it was only reachable from the internal network, which was scanned by a pretty important
host inside their network, one of their domain controllers.
So they called us, said, well, we have a honeypot here internally.
It was scanned by one of our domain controllers.
Can you please come on site and tell
us what's going on? And that's what all started this. Well, let's walk through it together. I
mean, there's a lot in the research here. Let's start off. Who are these people and what does
it seem like they're after? Right. So it's always very difficult to say what it is exactly that
they're after. We've had these two cases where we saw the actor live inside the network of one of our clients.
But for some of the other victims that we have named, we only know from our external scanning of the Internet that these attackers were active there.
So we're not entirely sure what it is that they were after.
However, if you look at the countries where this group is active, so where the companies or the victims are targeted by this group,
when you look at the sectors and industries in which those victims are active,
they very closely resemble the industries that are typically targeted by Chinese threat actors, right?
Which are in line also with China's Made in China 2025 plan, where their goal is to become less dependent on the West or other countries
for that matter. So you see a lot of the victims that are targeted by this specific group.
You can find those back in the industries where China wants to grow its own production.
But one of the segments of your research here, you go through their modus operandi.
Can you walk us through what are some of the things you found here?
Right. So in the report, we detailed it from initial access all the way to the last step of
the MITRE ATT&CK framework. So we mapped everything to MITRE's ATT&CK framework just so everyone could
follow along from start to end. So the initial access was actually quite interesting. So the
way they do it in itself is not very new or novel. So they target vulnerable
JBoss servers. But what was very interesting is that in most of the cases that we've seen,
they would actually use web shells, so backdoors placed there already by other
threat actors, for initial reconnaissance. So of course, the vulnerable JBoss servers that
I'm discussing were already compromised by other threat actors, you know, most of them opportunistic, running crypto miners and things like that.
So they would use those initial backdoors just to see, you know,
is this server in fact interesting for operation?
And if it was, they would exploit the server themselves to upload their own backdoor.
And then they're moving laterally throughout the networks?
Right, yeah.
So the lateral movement is typical for what you would expect
for any type of threat actor that wants to move from machine A to B
within a Windows environment,
so usually your typical misconfigured Active Directory settings.
So they would use the average tools that you would expect,
such as Mimikatz, to dump credentials from domain admins
or local administrators and gain privileges
in that way. So once the attackers have access to the domain admin accounts of one domain or
multiple domains, they would then also target the system administrators inside the domain.
So of course they have access to a lot of servers and several credentials, but they're all part of
the Windows domain. So if they want to target servers
that are separate from the Windows domain, such as the Linux environments or sometimes
backup servers, they will target the sysadmins or enterprise admins and then specifically
go after their password managers. So in some of the cases that we've done, the admins would
use KeePass, so the attackers would exfiltrate the KeePass database and then the password
once the enterprise administrator would type that in into the password manager.
So then they have access to all the credentials inside that KeePass database file.
And one of the things I enjoy about your research here is that you go through what these threat actors' activity might be on an average working day.
It's an interesting insight.
Yeah, so because in one case, we actually got to see the attackers doing their thing over the course of several weeks.
So we were not ready to kick these attackers out of the network because the visibility that we had
on this victim's network was very limited. So we were concerned that if we would kick them out
too early in the progress,
that they would notice and completely change their modus operandi. So instead of kicking them out,
we watched and monitored them while we improved our visibility over the network
until we could kick them out. And that visibility over the course of several weeks
made for some very interesting insight. And then one of those was that the attackers would use the
victim's VPN concentrator to log into the environment, then deploy their tooling, move through the network,
and exfiltrate files. What we noticed was that the victim where we responded to was using a VPN
solution that had two-factor enabled. However, so this was RSA SecurID. And RSA SecurID has multiple methods of implementing two-factor.
So you can either go with a token, so a USB-based token.
You can go with your phone, or you can actually do a software-based token on the desktop.
And the latter was actually something that the attackers abused.
Interesting. Now, you have a whole section here on attribution.
Before we dig into some of the specifics of attribution in this case, I'm curious about how Fox-IT approaches attribution because many organizations shy
As an incident responder, I'm always interested to get as many facts as possible about an intrusion that I'm dealing with.
In my opinion, any context or extra information I can get on an attacker where I'm actively responding to is of value.
So during such an incident, especially when you have this visibility on an attacker,
you actually have the time also to look into what it is that might motivate the
attacker. So as we write in the report, I'm fairly convinced that any attacker that has the goal to
deploy, for example, ransomware is very different from an attacker that might be looking for
sensitive data to steal. Responding to an intrusion where the goal of the attacker is
to deploy ransomware, you will respond to that
differently than when the goal is to steal intellectual property, right? So your focus
is on different servers inside the network. Your focus with ransomware might be on backup servers,
while your focus when it comes to espionage might be on servers that are holding a lot of
intellectual property. Well, let's go through some of the specific things that you all noticed here that
led you to your attribution. What sort of things did you note? Right, so multiple things pointing
into the direction of China. So during this intrusion that I spoke of, of multiple weeks,
we also placed some network sensors inside the environment of the victim. And there's one
specific tool that the attackers appear to be using continuously,
which is named XServer.
It's essentially used to tunnel traffic
from one machine to another, or from multiple machines.
And in one case, we actually saw a network packet
coming from outside of the victim's network,
but being tunneled through the victim's network
where we had those network sensors.
And then we got to see
through one of the not encrypted HTTP headers that the accept language of the attacker's browser was actually set to the
Chinese language setting. So that was just one of the points. A more interesting one, which also
led to the title of the report, was that the attackers had initially come in through a web shell
that they had not used over the course of the incident.
So they used it for the initial access,
but after that, they solely relied on the VPN access
that they had to the victim's environment.
So after a while, they did leave that web shell on the vulnerable server
with the intention to come back to it once they had been kicked out of the network.
So fortunately, in our case, we also found the web shell and removed that. And now we could see the attacker
coming back to the web shell, attempting to execute several commands. And after a couple
of those commands, you could see, of course, the web shell no longer returned
anything positive to those commands, right? So no responses from the Windows server that
were expected. And you can see several commands,
and then the very last command is not a Windows command.
And when we actually Googled for that,
it turned out to be a swear word in Chinese,
which was very likely written as a sign of frustration
after having lost access to a victim
where they had access for several months.
And that was the word Wocao,
which you all adopted as the identifier for this particular research.
Exactly.
You also were able to cooperate with law enforcement
and find some things about some registration of some domain names?
Yeah, that's correct.
So we kicked back a couple of IP addresses
to a couple of law enforcement agencies that we work with
and that are active in the countries where the servers work.
So we did this during the incident,
but unfortunately for one of the servers, we were too late
and the server was no longer actively being used by the actor.
So nothing was possible in terms of getting a forensic image from that machine
and having the law enforcement agency investigate that.
However, they did supply us with the registration information.
And it all appeared to be dummy data that was filled in,
a name that did not sound like it was a real person,
nor did the email address or the address.
But what was interesting is that the state and region contained Chinese characters as
opposed to the other English words that were written there.
And at least our hypothesis is that one of the attackers put in this information
while registering the servers, but possibly forgot to copy paste the correct
value from the translated one.
And this is not information that
you could see, and this is not information that was used to register a domain, but it was really
used to register a server. So it's not publicly visible for others. So I think it's really
highly likely that this was in fact a mistake by one of the attackers.
Oh, very interesting. Well, let's go through who you've gathered that they're targeting.
You have a list of the victims here. What did you find here?
Right. So we saw targeting of at least 10 countries.
And it's based on the visibility, of course, that we have across a wide variety of industries.
So the victim that I referenced quite a few times where we got to see the attackers for several weeks was actually a managed service provider.
So you should know that the attackers target managed service providers and a lot of other industries.
But of course, through the managed service providers, they target those industries as well.
So the main target is, of course, not the managed service provider, but they are the customers of the managed service provider,
which we're seeing more and more from Chinese threat actors.
How about the types of tools that they're using?
Is it off-the-shelf stuff or are they creating their own custom tools?
So it's a combination of both.
So they do use some of the open source tools that are quite well known.
So Mimikatz and BloodHound are very well known among penetration testers,
but unfortunately also by a lot of malicious threat actors. There are some tools that are
completely coded from scratch or appear to be at least custom to this group, such as the XServer
tool that I referenced, so really a tunneling tool to go from machine A to B and possibly through
multiple other compromised machines. This is for example done to access machines that are not directly connected to the internet,
but are connected to other machines inside the internal network.
What's also interesting is that we saw some use of open source tooling, but that they
are also making an effort to patch some of the indicators in there.
So in one specific example, they made use of smbexec, which is part of the
Impacket Python penetration testing suite. And they patched one of the variable file names
to something else. So it used to be execute.bat and they renamed it to __exec.bat,
very likely in an attempt to evade detection.
In your estimation, how would you rank the sophistication of this group?
Well, I'm not sure if there's an official ranking system to do that.
I would say that they are one of the more advanced Chinese threat actors, at least as
I've dealt with.
And what are your recommendations for people to protect themselves against this?
Right.
So there are a lot of things.
The initial entry vector is, of course, a big one, right?
No organization should ever have an exposed JBoss server running vulnerable software directly on the internet, nor should it be connected to the rest of the internal network.
But if you read the report, we've really put in effort to map it to MITRE's ATT&CK framework.
You see that there's a lot of tools used, open source tools used, which you can still easily attack.
Some of the other good ones are that the attacker also clears Windows event logs from compromised servers.
And the clearing of a Windows event log actually in itself also generates an event log.
So monitoring for that would be a very good start. Now, you have some interesting insights here
on some of the day-to-day work patterns
that you were able to track
of the folks running things from the other side.
So one of the ways in which we attributed this attack to China
was the fact that while we were monitoring
the attacker's activity over the course of several weeks,
we could easily see that they would start
their day in line with the normal Chinese working hours, right? So they would start around 9 or 10
p.m. and continue for about 8 to 10 hours. And this was continuous for about three weeks. And
during the weekends, there would be absolutely no activity. It's interesting how, I mean,
it speaks to the professionalism
of what's going on here, that this is someone's job. Yeah, exactly. You can see, and actually
during the very start of the incident, so when we investigated patient zero, the specific breach,
we could see that the attackers were actually active during the weekend. So very likely they
had found an interesting victim with a vulnerable JBoss server and knew that they only had...
That's Maarten van Dantzig.
The research is titled Operation Wocao: Shining a light on one of China's hidden hacking groups.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Thanks for listening.