Recorded Future, in partnership with Rapid7, published a new report that underscores the vulnerabilities that third parties introduce to organizations. The report details a new sustained cyber-espionage campaign by a Chinese threat actor targeting Visma, a major European managed service provider, an international apparel company, and a U.S. firm that does IP law for the pharmaceutical, tech, biomedical and automotive industries.
By targeting managed service providers, the attackers are exploiting the trust companies place in the security of their technology partners. The campaigns were designed to steal IP and to create launching pads for attacks on third parties associated with the victims. Below are other highlights; the full report is attached and is also available online.
· The campaigns targeting Visma, a $1B Norwegian MSP with 850,000+ customers throughout Europe, the apparel retailer and the U.S. law firm ran from Nov 2017 to Sep 2018.
· In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials.
· Recorded Future identified a new variant of the Trochilus remote access Trojan malware that was used in the attacks, as well as the storage of stolen data in Dropbox.
Expert comments below:
#Hackers working on behalf of #Chinese intelligence #breached the network of Norwegian software firm Visma to steal secrets from its #clients, #cybersecurity researchers said yesterday. https://t.co/GGrLNKvWHL
— Haltdos (@halt_dos) February 7, 2019
Eoin Miller, Principal MDR Analyst at Rapid7:
Simon Whitburn, SVP Cyber Security Services at Nominet:
“Defending against this type of campaign can be very tough. There is a feeling amongst users that if lots of people trust and use a service then it must be secure. This can result in companies downloading software without checking it themselves first. Cloudhopper demonstrates that this is a dangerous assumption. Whenever a company uses an outside service, even from a reputable source, they need to check that there is nothing malicious lurking in the code. This will add to the deployment time but could help protect organisations against this type of malware spreading. One way of noticing if third party services have been compromised is to measure DNS traffic which could flag if a programme is calling out to a command and control centre.”
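A minimal form of the DNS check Whitburn describes, added here as an illustration that is not code from the report or from any of the vendors quoted: it groups DNS query-log lines by client and queried name, skips names the organisation has already vetted, and flags names that are resolved at near-fixed intervals, the pattern a scheduled call-out to a command-and-control server leaves behind. The log format, host and domain names, allowlist and thresholds are all constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log, hypothetical "<ISO timestamp> <client> <qname>" format.
SAMPLE_LOG = """\
2018-09-01T10:00:00 ws-17 sync-status.example.net
2018-09-01T10:00:02 ws-17 updates.vendor.example
2018-09-01T10:01:12 ws-17 news.example.org
2018-09-01T10:05:01 ws-17 sync-status.example.net
2018-09-01T10:05:02 ws-17 updates.vendor.example
2018-09-01T10:09:59 ws-17 sync-status.example.net
2018-09-01T10:10:02 ws-17 updates.vendor.example
2018-09-01T10:15:00 ws-17 sync-status.example.net
2018-09-01T10:15:02 ws-17 updates.vendor.example
2018-09-01T10:20:02 ws-17 sync-status.example.net
2018-09-01T10:20:02 ws-17 updates.vendor.example
2018-09-01T10:37:45 ws-17 news.example.org
2018-09-01T11:02:09 ws-17 news.example.org
2018-09-01T11:03:30 ws-17 news.example.org
2018-09-01T11:40:00 ws-17 news.example.org
"""
# Names already vetted for the organisation's deployed third-party software (constructed).
KNOWN_GOOD = {"updates.vendor.example", "mail.corp.example"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group query timestamps by (client, qname); malformed lines are skipped."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname = m.groups()
            seen[(client, qname.lower().rstrip("."))].append(datetime.fromisoformat(ts))
    return seen

def find_beacons(text, min_queries=5, max_jitter=0.1):
    """Flag (client, qname) pairs resolving an unvetted name at near-fixed intervals."""
    findings = []
    for (client, qname), stamps in parse_log(text).items():
        if qname in KNOWN_GOOD or len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a scheduled call-out has small spread around its period.
        if mean > 0 and statistics.stdev(gaps) / mean <= max_jitter:
            findings.append({"client": client, "qname": qname,
                             "queries": len(stamps), "interval_s": round(mean)})
    return findings
```

On the sample, only the unvetted name queried every five minutes is reported; the vetted updater with the same cadence is suppressed by the allowlist, and the irregular news lookups fall outside the jitter bound.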
Dr. Darren Williams, CEO and Founder at BlackFog:
“Generally, we can say that about 20% of all data flowing from your phone / device is being sent to China, Russia and the Ukraine on a daily basis (based on internal data collected by BlackFog). This is most often used for data profiling and data coming off the device generally. This can include personal information and files on the device itself. And this is all happening without your knowledge or importantly, your consent. This is why it’s important to take steps to prevent data from leaving your personal devices, such as your laptop or mobile, without your permission. Technology now exists that can stop unwanted data collection and identity profiling by increasingly sophisticated hackers by eliminating content requests that haven’t been requested. Unfortunately, consumers today must resign themselves to the fact that attackers are always going to get in – the key is to prevent them from taking anything out.”
Max Vetter, Chief Cyber Officer at Immersive Labs: