France has issued a new cyber threat advisory about targeted espionage operations directed at third-party service providers and engineering firms.
The findings — published by the country’s cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) — is based on its investigation into two different sets of attacks — one involving the use of PlugX malware, and an other that relies on legitimate tools (CertMig, ProcDump, Netscan) and credential theft.
ANSSI said the campaign dated as far back as 2017. “The main purpose of these activities seems to be credentials gathering, thanks to spear phishing emails, and phishing websites,” it added.
The threat actor — possibly linked to North Korean hacking group Kimsuky — has targeted a wide range of entities, including diplomatic bodies belonging to member countries of the United Nations Security Council like China, France, Belgium, Peru, and South Africa.
The modus operandi
ANSSI stated the attackers gain initial access to the target networks by exploiting security vulnerabilities at endpoints, or by using phishing emails or leaked credentials. Once in, they were found to obtain elevated privileges to internal systems to install malware and laterally spread across the network to meet their operational objectives.
One of the tools employed during the intrusion is PlugX, a fully featured Remote Access Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, while completely avoiding security controls and detection.
The malware has become a weapon of choice for Chinese state-sponsored hackers in recent years, with Palo Alto Networks’ threat intelligence team Unit 42 linking the cyberattacks in Southeast Asia to a group it calls PKPLUG last week.
In addition to using VPNs to anonymize their incoming connections, the bad actors identified by ANSSI saved their tools in folders named after popular antivirus software, such as ESET and McAfee, to evade exposure.
As a consequence, the cybersecurity agency has urged service providers and clients to set up two-factor authentication, monitor their network for malicious connections, and grant external entities with the least amount of access to thwart privilege escalation.
Third party software vendors on alert
The ANSSI alert comes as supply chain attacks — compromising a third party vendor with a connection to the true target — are becoming an increasingly common way to target businesses and install malware.
In late September, European aerospace giant Airbus was hit by a series of cyber assaults aimed at its suppliers possibly by China-linked groups in search of commercial secrets.
In a similar development, cybersecurity firm Symantec uncovered a previously undocumented group dubbed Tortoiseshell that exploited custom and off-the-shelf malware to zero in on 11 software providers in Saudi Arabia, most likely with the goal of gaining access to their customers’ networks.
“Those are the targets they’re going after because they know that those individuals would be more apt to pay because they want to get those services back online for the public,” the FBI told ProPublica last month, citing managed service providers as a lucrative target enabling criminals to mount different kinds of cybercrime.
Leveraging a service provider as an attack vector also vastly increases the scale of a security incident, as a successful break-in opens up access to multiple clients, making them all vulnerable at once.
Whether be it by beefing up account security, or isolating critical network infrastructure, or by ensuring timely data backups, having well-tailored controls in place across the organization can ensure preparedness at both tactical and strategic levels for a destructive malware attack.