China Hacks Norwegian Software

By   ISBuzz Team
Writer , Information Security Buzz | Feb 07, 2019 10:45 am PST

Recorded Future, in partnership with Rapid7, published a new report that underscores the vulnerabilities that third parties introduce to organizations. The report details a new sustained cyber-espionage campaign by a Chinese threat actor targeting Visma, a major European managed service provider, an international apparel company, and a U.S. firm that does IP law for the pharmaceutical, tech, biomedical and automotive industries.

By targeting managed service providers, the attackers are exploiting the trust companies place in the security of their technology partners. The campaigns were designed to steal IP and to create launching pads for attacks on third-parties associated with the victims. Below are other highlights, and the full report is attached, also available online here.

· The campaign targeting Visma, a $1B Norwegian MSP with 850,000+ customers throughout Europe, and the retailer and U.S. law firm ran from Nov 2017 to Sep 2018.

· In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials.

· Recorded Future identified a new variant of the Trochilus remote access Trojan malware that was used in the attacks, as well as the storage of stolen data in Dropbox.

Experts Comments below: 

Eoin Miller, Principal MDR Analyst at Rapid7:

isbuzz expert 10“Unfortunately, this is the type of nefarious behavior we witness regularly. But there are steps organizations can take to combat these issues. For example, we recommend implementing two-factor authentication for everything. Additionally, strengthening the reviews of authentication attempts against low cost VPN providers or ‘out of the norm’ networks or countries for an individual user is equally important. Organizations should also consider implementing extremely strict application white-listing on sensitive systems.”


Simon Whitburn, SVP Cyber Security Services at Nominet:

isbuzz expert 9State hacking campaigns, such as Cloudhopper, that target software supply companies are incredibly dangerous. By breaching one company you can create a backdoor into thousands of others. The information gathered from these types of attacks can then be used for spear phishing attacks on high value individuals which is where serious damage can be done.
“Defending against this type of campaign can be very tough. There is a feeling amongst users that if lots of people trust and use a service then it must be secure. This can result in companies downloading software without checking it themselves first. Cloudhopper demonstrates that this is a dangerous assumption. Whenever a company uses an outside service, even from a reputable source, they need to check that there is nothing malicious lurking in the code. This will add to the deployment time but could help protect organisations against this type of malware spreading. One way of noticing if third party services have been compromised is to measure DNS traffic which could flag if a programme is calling out to a command and control centre.”

Dr. Darren Williams, CEO and Founder at BlackFog:

Williams Darren“With the news that your devices could get hacked just by looking at a photo on your phone, it’s clear that keeping your personal information private is getting harder every day. Even just viewing an innocent-looking image could lead to your data getting leaked without you ever realising. In this day and age, attackers can get in at all angles and they will always be many steps ahead of the average consumer.
“Generally, we can say that about 20% of all data flowing from your phone / device is being sent to China, Russia and the Ukraine on a daily basis (based on internal data collected by BlackFog). This is most often used for data profiling and data coming off the device generally. This can include personal information and files on the device itself. And this is all happening without your knowledge or importantly, your consent. This is why it’s important to take steps to prevent data from leaving your personal devices, such as your laptop or mobile, without your permission. Technology now exists that can stop unwanted data collection and identity profiling by increasingly sophisticated hackers by eliminating content requests that haven’t been requested. Unfortunately, consumers today must resign themselves to the fact that attackers are always going to get in – the key is to prevent them from taking anything out.”

Max Vetter, Chief Cyber Officer at Immersive Labs:

Max Vetter“Software companies are in increasingly being dragged unwittingly in the crosshairs of hacking teams with longer term agendas. They are a ripe target because, whilst being relatively low-profile, often the products they build make up the infrastructure for much bigger end-users. It’s a trojan horse approach – if hackers can find a backdoor in the platforms used by numerous businesses, it can be used time and again.”