A suspected China-nexus cyber espionage group ran a campaign dubbed Operation Digital Eye against large IT service providers in Southern Europe, aiming to use those providers as a stepping stone into the downstream organizations of their digital supply chain. The intrusions took place between late June and mid-July 2024 and were detected and stopped before the attackers reached the data exfiltration stage, but their scope and tradecraft reveal a worrying trend. The attackers abused Visual Studio Code Remote Tunnels, a legitimate developer feature, as a covert command-and-control (C2) channel: tunnel traffic is relayed through Microsoft-operated cloud infrastructure over TLS, so it blends in with ordinary developer activity while giving the operators a remote terminal and file access on compromised endpoints.
The Malicious Plan
The attackers gained their initial foothold through SQL injection, using sqlmap, an automated SQL injection tool, against internet-facing applications and their backing database servers. Once inside, they deployed PHPsert, a PHP web shell that gave them persistent remote command execution on the compromised server. From that foothold they performed reconnaissance, harvested credentials, and moved laterally over Remote Desktop Protocol (RDP) and through pass-the-hash. A custom-modified build of Mimikatz carried out the pass-the-hash step: instead of a plaintext password, it authenticates with a stolen NTLM hash, which lets the operator run commands on other systems as the compromised account without ever knowing its password.
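As an added illustration of the initial access step (example code written for this page, not part of the original report or of sqlmap or PHPsert), the following Python snippet builds a constructed in-memory SQLite database, queries it with a string-concatenated statement of the kind sqlmap exploits, and compares the result with a parameterized query. The table, the payloads and the function names are assumptions for the demonstration; sqlmap's real payloads vary by database engine and injection technique, but the tautology and UNION forms below are representative of what it tries automatically.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the internet-facing application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-of-alice"), (2, "bob", "hash-of-bob")])
    return conn


def find_user_vulnerable(conn, username):
    """Concatenates untrusted input into the statement text, so the input is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn, username):
    """Binds the input as a parameter: the database receives it as a value, never as SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


# Two payload classes an automated injector tries: a boolean tautology that turns the WHERE clause
# true for every row, and a UNION that appends a second column set (here the password hashes) to
# the result, which is how credential harvesting through injection works in practice.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, password_hash FROM users--"


def run_demo():
    conn = make_db()
    return {
        # Vulnerable query: the tautology returns every user, the UNION leaks the hashes.
        "tautology_vulnerable": find_user_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": sorted(find_user_vulnerable(conn, UNION_DUMP)),
        # Hardened query: the same payloads are compared literally against usernames and match nothing.
        "tautology_hardened": find_user_hardened(conn, TAUTOLOGY),
        "union_hardened": find_user_hardened(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:22} {rows}")
```

The hardened variant is the fix that "patching" cannot deliver for a flaw in your own application code: the statement text is fixed at development time and user input can only ever reach the database as a bound value. Pairing it with a database account that has no more rights than the application needs limits what an injection elsewhere in the application can read.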
For remote access, the attackers ran the VS Code tunnel client on compromised hosts, authenticated the tunnels with GitHub accounts, and connected through them from their own environment. Because the tunnel is relayed over public cloud infrastructure and uses the same endpoints as legitimate developer use, the connections were hard to distinguish from normal activity. This blend of a commodity exploitation tool, a web shell, credential theft tooling and a trusted remote development feature made the intrusion both effective and difficult to detect.
Impact on the Supply Chain
By targeting IT service providers, the attackers gained potential access to a broad network of downstream clients, exposing them to significant risks. Breaching these providers opens pathways to infiltrate their customers' systems, posing threats like data theft, operational disruptions, and reputational damage. The campaign revealed the vulnerability of the digital supply chain, as attackers sought to exploit trusted intermediaries to amplify their reach.
Evidence of a China Nexus
Several factors point to a China-nexus origin for Operation Digital Eye: simplified Chinese comments in PHPsert's source, overlaps in tactics and tooling with earlier campaigns such as Operation Soft Cell, and attack timing that aligned with standard business hours in China. In addition, the modified Mimikatz used for pass-the-hash belongs to the mimCN family of customized Mimikatz builds seen in other China-linked cyber espionage activity, which further strengthens the attribution.
Measures to Fend Off the Threat
Implement Network Segmentation: Limit lateral movement within the network by dividing it into smaller, isolated segments with restricted access controls.
Secure Remote Access Tools: Treat developer remote access features such as Visual Studio Code Remote Tunnels as remote access software. Decide on which hosts the VS Code CLI and its tunnel subcommand are allowed, block or alert on tunnel starts and on outbound connections to the tunnel relay domains from servers that have no business running them, and review which GitHub or Microsoft accounts are authorizing tunnels into your environment.
Enhance Endpoint Security: Deploy advanced endpoint detection and response (EDR) solutions to identify and mitigate threats early.
Monitor for Unusual Activity: Alert on the behaviors that stand out in this campaign: web server processes spawning shells or other child processes (the sign of a web shell), interactive logons and RDP sessions from accounts or hosts that do not normally use them, and outbound connections from servers to remote development or tunnelling services.
Fix Injection Flaws and Patch Promptly: SQL injection in an internet-facing application is usually a defect in the application's own code, so fix it at the source with parameterized queries and least-privilege database accounts, and keep the application stack, database servers and web servers patched.
Strengthen Authentication: Use multi-factor authentication (MFA) and strong password policies to blunt credential-based attacks. Note that pass-the-hash does not require the password at all, so also limit where privileged accounts can log on, give each local administrator account a unique password, and minimize the number of hosts on which privileged credentials are cached.
Conduct Security Audits: Perform routine assessments of third-party vendors and supply chains to detect potential risks.
Educate Employees: Provide training to recognize phishing attempts, suspicious files, and other tactics used by attackers.
Backup Critical Data: Maintain secure and regular backups to ensure business continuity in case of compromise.
Engage Threat Intelligence Services: Leverage threat intelligence feeds to stay ahead of emerging tactics and tools used by adversaries.
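To make the monitoring advice above concrete, here is an added example (written for this page, not code from the report or from any vendor tooling) that runs a few detection rules over constructed process-creation and DNS log lines: a VS Code tunnel starting on a host outside a developer allow list, a tunnel client launched by a web server process or from an unusual path, a web server spawning a shell, and a non-developer host resolving the tunnel relay domains. The log format, field names, host names and the lists of web server processes and sanctioned install paths are assumptions; the tunnel relay domains are the ones VS Code's documented network requirements list.

```python
import re
from dataclasses import dataclass

# Names the VS Code CLI resolves when it opens a Remote Tunnel (from VS Code's network
# requirements). Resolution of these by a server rather than a developer workstation is suspect.
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")
# Assumed lists: web server processes that should never spawn a tunnel client or an interactive
# shell, shell binaries, path fragments of a sanctioned VS Code install, and tunnel binary names.
WEB_SERVER_PARENTS = ("w3wp.exe", "php-cgi.exe", "httpd.exe", "nginx.exe", "apache2")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash")
SANCTIONED_PATH_MARKERS = ("microsoft vs code", "program files")
TUNNEL_BINARIES = ("code.exe", "code", "code-tunnel.exe", "code-tunnel")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def parse_kv(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def check_process(ev, approved_hosts):
    """Rules over a process-creation event (Sysmon event 1 or an EDR equivalent; fields assumed)."""
    alerts = []
    host, image, cmd = ev.get("Host", "?"), ev.get("Image", ""), ev.get("CommandLine", "")
    name, parent = basename(image), basename(ev.get("ParentImage", ""))
    parent_is_web = parent in WEB_SERVER_PARENTS
    # Rule 1: VS Code CLI started with the 'tunnel' subcommand. The command line is checked as well
    # as the image name, so a renamed binary that still passes the tunnel's licence flag is caught.
    is_tunnel_start = re.search(r"\btunnel\b", cmd) is not None and (
        name in TUNNEL_BINARIES or "--accept-server-license-terms" in cmd)
    if is_tunnel_start:
        rule = "vscode_tunnel_start" if host in approved_hosts else "vscode_tunnel_unapproved_host"
        alerts.append(Alert(host, rule, cmd))
        if parent_is_web:
            alerts.append(Alert(host, "tunnel_spawned_by_web_server", parent))
        if not any(marker in image.lower() for marker in SANCTIONED_PATH_MARKERS):
            alerts.append(Alert(host, "tunnel_binary_unusual_path", image))
    # Rule 2: a web server process spawning a shell, the signature of a web shell such as PHPsert.
    if parent_is_web and name in SHELLS:
        alerts.append(Alert(host, "webshell_child_process", cmd))
    return alerts


def check_dns(ev, approved_hosts):
    """Rule 3: a host outside the developer allow list resolving the tunnel relay domains."""
    host, qname = ev.get("Host", "?"), ev.get("QueryName", "").lower()
    if qname.endswith(TUNNEL_DOMAINS) and host not in approved_hosts:
        return [Alert(host, "tunnel_dns_unapproved_host", qname)]
    return []


def detect(process_log, dns_log, approved_hosts):
    alerts = []
    for line in process_log.strip().splitlines():
        alerts += check_process(parse_kv(line), approved_hosts)
    for line in dns_log.strip().splitlines():
        alerts += check_dns(parse_kv(line), approved_hosts)
    return alerts


# Constructed sample events: a web server (web01) whose PHP handler spawns a shell and a tunnel
# client dropped in a temp directory, and an approved developer workstation (dev12) using VS Code.
PROCESS_LOG = r"""
Host=web01|Image=C:\Windows\Temp\code.exe|CommandLine=code.exe tunnel --accept-server-license-terms --name web01|ParentImage=C:\php\php-cgi.exe
Host=web01|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami|ParentImage=C:\php\php-cgi.exe
Host=dev12|Image=C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe|CommandLine=code-tunnel.exe tunnel|ParentImage=C:\Windows\explorer.exe
Host=dev12|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe|ParentImage=C:\Windows\explorer.exe
"""
DNS_LOG = """
Host=web01|QueryName=global.rel.tunnels.api.visualstudio.com
Host=sql02|QueryName=github.com
Host=dev12|QueryName=global.rel.tunnels.api.visualstudio.com
Host=web01|QueryName=abc123-8080.euw.devtunnels.ms
"""


def run_demo():
    return detect(PROCESS_LOG, DNS_LOG, approved_hosts={"dev12"})


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host:6} {a.rule:32} {a.detail}")
```

The allow list is what turns a noisy "VS Code tunnel observed" signal into something actionable: tunnels on developer workstations are expected, the same tunnel on a web or database server is not. The DNS rule catches the case where the process telemetry is missing or the binary was renamed, since the client still has to reach the relay.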