Chinese hackers use Visual Studio Code tunnels for remote access
Chinese state-sponsored hackers have launched a sophisticated cyber espionage campaign called "Operation Digital Eye." They targeted large IT service providers in Southern Europe. The attacks happened from late June to mid-July 2024.
The hackers used Visual Studio Code (VSCode) and Microsoft Azure for command-and-control. They turned the popular development tool into a backdoor for remote access.
Researchers found a new technique used by the attackers. They abused VSCode Remote Tunnels to execute commands and manipulate files. This helped them evade detection.
This approach shows how Chinese hacking groups are evolving. They are finding new ways to infiltrate and stay in IT service organizations.
The intrusions were caught and stopped before any data was stolen. This shows the resilience and vigilance of the targeted organizations. But it also reminds us of the ongoing threat from sophisticated state-sponsored actors. We need to improve our cybersecurity to protect our IT infrastructure. This is crucial to keep our data safe.
Key Takeaways
- Chinese state-sponsored hackers used Visual Studio Code and Microsoft Azure for remote access in a cyber espionage campaign targeting IT service providers in Southern Europe.
- The attackers employed a new technique involving the abuse of VSCode Remote Tunnels to execute commands and manipulate files on compromised systems.
- The intrusions were detected and neutralized before any data exfiltration, highlighting the importance of robust cybersecurity measures.
- The use of VSCode as a backdoor tactic is a rarely seen but emerging threat, requiring vigilance and proactive security measures.
- The incident underscores the evolving tactics used by Chinese hacking groups to infiltrate and maintain persistent access within targeted organizations.
Understanding Operation Digital Eye: A New Chinese Cyber Threat
A series of cyberattacks, called "Operation Digital Eye," have hit big IT service providers in Southern Europe. These attacks happened from late June to mid-July 2024. They were linked to Chinese Advanced Persistent Threat (APT) groups.
The attackers used a new trick. They exploited Visual Studio Code (VS Code) to keep backdoor access to systems. This was a rare move by a Chinese APT group for command and control (C2) purposes.
Timeline and Targeted Organizations
The campaign aimed at various industries in Southern Europe, like energy and shipping. The main targets were big IT service providers. They offer data, infrastructure, and cybersecurity solutions.
This shows the attackers wanted to get ahead in key industries. They also wanted to increase China's influence in the area.
Detection and Prevention of Data Exfiltration
The attacks were caught and stopped before they could steal data, but the campaign's implications are significant. The attackers used SQL injection for initial access and a PHP web shell to maintain persistence.
They moved around the network using RDP and pass-the-hash attacks. They also used VS Code Remote Tunnels and Microsoft Azure to hide their tracks. This shows we need strong security to stop the misuse of tools and cloud services for cyber espionage.
"The attackers' goal was likely to gain advantages in critical industries and deepen China's influence in the region."
The Operation Digital Eye campaign shows how Chinese APT groups are changing their tactics. They aim to get into IT service providers and steal data and infrastructure. As our digital world gets more connected, we must have strong security and share threat info to stay safe.
Initial Attack Vector: SQL Injection Exploitation Techniques
Chinese hackers have used a clever way to start their attacks - SQL injection. They used SQLmap, a tool for testing security, to find and use SQL injection flaws. This helped them get into systems and start their malicious plans.
SQL injection is a common way for hackers to get into systems. They inject bad SQL code into web apps to get data or control systems. The hackers in this case used SQL injection to get into their targets and set up for bigger attacks.
Using SQLmap made the hackers' job easier. It helps find and use SQL injection flaws automatically. This made their attacks more efficient and a bigger threat to many organizations.
It's key to fight SQL injection attacks to protect against these hackers. Companies need to write secure code, check inputs well, and watch for strange activity. Stopping these attacks is vital to keep data and systems safe from these skilled hackers.
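The section above names the defence (secure coding and input checking) without showing what it looks like in code. The following is an added example, not code from the article or from the campaign's analysis: it builds a constructed in-memory SQLite table and runs the same input through a vulnerable string-built query, a parameterized query, and a parameterized query behind an allow-list check. The table, user names and the `USERNAME_RE` policy are assumptions made for this example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory sample table; not data from the incident.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect on purpose: the caller's input is spliced into the SQL text, so a quote
    # in the input changes the query's structure instead of being treated as data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: a bound parameter is always sent as a value, never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames (hypothetical policy chosen for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: reject input outside the allow-list before it reaches the
    # database, and still use a parameterized query for what gets through.
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_parameterized(conn, username)


def compare(username: str) -> dict:
    # Run one input through both code paths and report how many rows each returns.
    conn = build_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "parameterized": len(lookup_parameterized(conn, username)),
    }


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print(compare("alice"))  # both paths return the single matching row
    print(compare(probe))    # the vulnerable path returns every row, the parameterized path none
```

The probe input is the textbook tautology that automated scanners such as SQLmap test for; the point of the comparison is that the parameterized path is unaffected by it, and the allow-list rejects it before the query is even built. Logging `ValueError` rejections from `lookup_hardened` also gives the "watch for strange activity" signal the section asks for.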
"The attackers' use of SQL injection exploitation techniques as the initial access vector highlights the importance of implementing strong security measures to protect against such threats. Organizations must remain proactive in addressing vulnerabilities and training their personnel to recognize and respond to these types of attacks."
Visual Studio Code Tunnels for Remote Access: The New Backdoor Method
Recently, researchers found a worrying trend. Chinese hackers used Visual Studio Code Remote Tunnels to keep access to hacked systems. This shows how APT groups are getting better at avoiding security.
Microsoft Azure Infrastructure Abuse
The hackers, linked to the Chinese group Stately Taurus, used Visual Studio Code to make remote-access tunnels. They used Microsoft Azure, a trusted platform, to hide their actions. This made it hard for security tools to catch them.
Remote Development Feature Exploitation
- The attackers used Visual Studio Code's Remote Development feature for a backdoor. This feature is meant for remote work and coding.
- They kept a constant link to the hacked devices. This let them send commands, steal data, and grow their control.
Authentication Through GitHub Accounts
To get into the hacked devices, the hackers used GitHub accounts. They took advantage of Visual Studio Code's link to GitHub. This made it hard for security teams to tell real remote work from hacking.
"The use of Visual Studio Code tunnels as a backdoor method highlights the ingenuity and adaptability of these advanced threat actors. It is a stark reminder of the need for robust security measures and vigilance in the face of evolving cyber threats."
PHPsert Web Shell: Command and Control Infrastructure
After getting into the system, the Chinese hackers used a custom PHP web shell called PHPsert. This tool helped them stay in the system and set up a strong command and control (C2) system.
The PHPsert web shell let the hackers run commands from afar, change files, and add more malware. This made it easy for them to do more harm in the networks they attacked. They could move around the network, steal credentials, and do more damage.
The use of PHPsert shows how smart and flexible the Chinese hackers are. They built this web shell to sneak past security and stay hidden. This let them keep working without being caught for a long time.
| Key Capabilities of PHPsert Web Shell | Impact on the Targeted Organizations |
| --- | --- |
The hackers used PHPsert and Visual Studio Code tunnels for their attacks. This shows how they mix new and old ways to attack. It's a big challenge for those who defend against these attacks. They need to stay alert and keep improving their security to fight these smart hackers.
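The section describes what a PHP web shell does (runs commands, changes files, stages further tooling) but not how a defender would look for one in a web root. The following is an added example, not code from the article and not derived from PHPsert itself: a small scorer that flags PHP source lines where a code- or command-execution sink receives request input, optionally through an obfuscation wrapper. The sink and obfuscation lists, the scoring weights, and the three constructed sample files are assumptions made for this example.

```python
import re

# Illustrative (not exhaustive) lists of PHP sinks that execute code or OS commands,
# of decoders commonly used to hide payloads, and of request superglobals.
DANGEROUS_SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open")
OBFUSCATION = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress")
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

SINK_RE = re.compile(r"\b(" + "|".join(DANGEROUS_SINKS) + r")\s*\(", re.IGNORECASE)
OBF_RE = re.compile(r"\b(" + "|".join(OBFUSCATION) + r")\s*\(", re.IGNORECASE)

# Constructed sample files (invented for this example): one benign page, one one-line
# web shell pattern, and one hard-coded exec() that is risky but not attacker-controlled.
SAMPLE_FILES = {
    "index.php": "<?php\n$name = htmlspecialchars($_GET['name'] ?? 'guest');\necho 'Hello, ' . $name;\n",
    "cache.php": "<?php\n@eval(base64_decode($_POST['p']));\n",
    "helper.php": "<?php\nfunction run_report() {\n    exec('php /opt/app/report.php', $out);\n    return $out;\n}\n",
}


def score_line(line: str) -> tuple:
    """Return (score, reasons) for one line of PHP source."""
    score, reasons = 0, []
    sink = SINK_RE.search(line)
    if sink:
        score += 3
        reasons.append(f"sink:{sink.group(1).lower()}")
        if any(sg in line for sg in SUPERGLOBALS):
            score += 2  # request-controlled data reaches the sink on the same line
            reasons.append("request-input-reaches-sink")
        if OBF_RE.search(line):
            score += 1  # payload is decoded before execution
            reasons.append("obfuscated-argument")
        if re.search(r"@\s*\w+\s*\(", line):
            score += 1  # error suppression hides failures from server logs
            reasons.append("error-suppression")
    return score, reasons


def scan_php(name: str, source: str, threshold: int = 4) -> dict:
    # Flag any line whose score reaches the threshold; report line number and reasons.
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append({"line": lineno, "score": score, "reasons": reasons})
    return {"file": name, "suspicious": bool(hits), "hits": hits}


def scan_all(files: dict) -> dict:
    return {name: scan_php(name, source) for name, source in files.items()}


if __name__ == "__main__":
    for name, result in scan_all(SAMPLE_FILES).items():
        print(name, "SUSPICIOUS" if result["suspicious"] else "clean", result["hits"])
```

A line-level heuristic like this is a triage aid, not proof: the threshold keeps a hard-coded `exec()` below the bar while a sink fed directly from `$_POST` clears it. In practice the scan is paired with file-integrity baselines of the web root and with web-server logs showing POST requests to files that should never receive them.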
Lateral Movement Strategies and Custom Mimikatz Usage
Chinese hackers used advanced lateral movement in compromised networks. They used Remote Desktop Protocol (RDP) and pass-the-hash attacks to gain more access. They also had a custom version of Mimikatz, called "mimCN," to use NTLM password hashes for their advantage.
This special Mimikatz version was similar to tools used in other Chinese cyber attacks. It showed the hackers' skill in adapting their tools for their needs. This highlights their technical ability and flexibility.
Remote Desktop Protocol Exploitation
The hackers used RDP to move around in the networks. RDP is a common tool for remote access. It helped them move quietly and gain control over more systems.
Pass-the-Hash Attack Techniques
The hackers also used pass-the-hash attacks. These attacks use NTLM password hashes to access systems without passwords. This made it hard to detect them and kept them in the networks longer.
By combining RDP and pass-the-hash attacks, the hackers could move freely and control the networks. This gave them more access to important data and resources.
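The two sub-sections above describe RDP and pass-the-hash lateral movement from the attacker's side; a defender wants to know what the corresponding logon telemetry looks like. The following is an added example, not code from the article: it parses a constructed sample of Windows Security event 4624 (successful logon) records in JSON-lines form and applies three rules (RDP logons from outside an approved jump host, NTLM network logons of privileged accounts where Kerberos is expected, and one source fanning out to many hosts in a short window). The field names follow the 4624 event data; the hosts, accounts, addresses and the `PRIVILEGED_ACCOUNTS`/`RDP_JUMP_HOSTS` policy are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4624 records as a SIEM might export them (JSON lines).
# LogonType 3 = network, 10 = RemoteInteractive (RDP). All values are invented.
SAMPLE_LOG = """
{"TimeCreated": "2024-07-02T10:01:00Z", "Computer": "WS-01", "TargetUserName": "da_admin", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2024-07-02T10:02:00Z", "Computer": "SRV-FILE01", "TargetUserName": "da_admin", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2024-07-02T10:03:00Z", "Computer": "SRV-DB01", "TargetUserName": "da_admin", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2024-07-02T10:04:00Z", "Computer": "SRV-APP01", "TargetUserName": "da_admin", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2024-07-02T10:06:00Z", "Computer": "SRV-APP01", "TargetUserName": "da_admin", "LogonType": 10, "AuthenticationPackageName": "Negotiate", "IpAddress": "10.0.0.77"}
{"TimeCreated": "2024-07-02T10:30:00Z", "Computer": "SRV-APP02", "TargetUserName": "jdoe", "LogonType": 10, "AuthenticationPackageName": "Negotiate", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2024-07-02T10:31:00Z", "Computer": "WS-02", "TargetUserName": "bob", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.40"}
"""

# Hypothetical environment policy for this example.
PRIVILEGED_ACCOUNTS = {"da_admin", "svc_backup"}
RDP_JUMP_HOSTS = {"10.0.0.5"}
FANOUT_THRESHOLD = 3
FANOUT_WINDOW = timedelta(minutes=10)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_lateral_movement(events: list) -> list:
    findings = []
    for e in events:
        # Rule 1: RDP logon that does not originate from an approved jump host.
        if e["LogonType"] == 10 and e["IpAddress"] not in RDP_JUMP_HOSTS:
            findings.append({"rule": "rdp_from_unapproved_source", "host": e["Computer"],
                             "user": e["TargetUserName"], "src": e["IpAddress"]})
        # Rule 2: privileged account authenticating over NTLM on a network logon where
        # Kerberos is the norm; this is the shape a pass-the-hash logon leaves behind.
        if (e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"
                and e["TargetUserName"] in PRIVILEGED_ACCOUNTS):
            findings.append({"rule": "ntlm_network_logon_privileged", "host": e["Computer"],
                             "user": e["TargetUserName"], "src": e["IpAddress"]})
    # Rule 3: one (source, account) pair reaching many distinct hosts inside the window.
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["IpAddress"], e["TargetUserName"])].append((e["ts"], e["Computer"]))
    for (src, user), visits in by_pair.items():
        for ts, _ in visits:
            hosts = {h for t, h in visits if ts - FANOUT_WINDOW <= t <= ts}
            if len(hosts) >= FANOUT_THRESHOLD:
                findings.append({"rule": "fanout", "src": src, "user": user, "hosts": sorted(hosts)})
                break  # report each pair once
    return findings


def summarize(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


def run_sample() -> dict:
    return summarize(detect_lateral_movement(parse_events(SAMPLE_LOG)))


if __name__ == "__main__":
    for f in detect_lateral_movement(parse_events(SAMPLE_LOG)):
        print(f)
```

On the sample, the three NTLM network logons of `da_admin` from 10.0.0.77, the RDP session from that same address, and the fan-out across three servers within ten minutes all fire, while the Kerberos logon and the jump-host RDP session do not. Rule 2 only works where the environment can state that privileged accounts should not authenticate over NTLM, which is itself a hardening step worth taking.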
Chinese APT Attribution and Working Hours Pattern
The exact Chinese APT group behind Operation Digital Eye is still unknown. Yet, clues suggest a China link. These include Chinese comments in the PHPsert web shell and the use of Romanian hosting services. The attackers also used tools similar to those of Mustang Panda.
Their activity followed China's typical working hours, from 9 a.m. to 9 p.m. CST. This pattern supports the idea that China is behind the attacks.
The leaked data showed conversations from November 2018 to January 2023. It involved 37 unique usernames. The data revealed that the group, called "i-Soon," targeted governments in India, Thailand, Vietnam, South Korea, and NATO.
The conversations mentioned specific IP addresses. These were used on certain dates in 2022 and 2023. This information links i-Soon to past cyber attacks, like the 2022 Comm100 supply chain attack and the 2019 Poison Carp attack on Tibetan groups.
The leaked documents also included manuals for tools used by Chinese APT groups. These tools manage various operating systems remotely.
NTT Security Japan analyzed about 10,000 samples of malicious files. They found reused digital signatures and common traits. These findings help attribute the attacks to Chinese APT groups and understand their working hours pattern.
"The attackers' activity patterns aligned with typical working hours in China, mostly between 9 a.m. and 9 p.m. CST, further supporting Chinese attribution."
Supply Chain Security Implications for IT Service Providers
Large B2B IT service providers are being targeted, posing big risks to supply chain security. These attacks compromise organizations that offer data, infrastructure, and cybersecurity to other industries. This gives attackers a way to reach many sectors through one breach, showing how vital it is to protect IT service providers and their digital infrastructure.
Downstream Entity Risks
When IT service providers are hacked, it can hurt their whole client base. This can expose sensitive data and systems of downstream entities that depend on them. Such breaches can cause big disruptions, data theft, and financial losses, affecting many organizations' supply chain security.
Strategic Impact on Digital Infrastructure
The breach of IT service providers can have big effects on the digital infrastructure. Attackers can use the access and resources from these breaches to launch more attacks. They can gather information and disrupt key systems and services. This shows how crucial strong supply chain security is to keep the digital world safe.
"The targeting of large B2B IT service providers poses significant supply chain security risks, as the attackers can gain potential access to a wide range of downstream entities through a single point of compromise."
Detection and Prevention Measures for VS Code Tunnel Abuse
Visual Studio Code (VS Code) is now a key tool in software development. But, it poses security risks, especially with its remote tunneling feature. Cybercriminals misuse this tool, leading to more data theft and unauthorized access.
To fight VS Code tunnel abuse, a strong security plan is needed. This includes watching for odd VS Code use, limiting tunnel access to trusted people, and stopping portable files like code.exe from running.
- Keep an eye on code.exe in Windows services and check for odd connections to *.devtunnels.ms in logs. These signs can show VS Code tunnel misuse.
- Use tools like Spyderbat to track all connections to certain domains for VS Code tunnels. Spyderbat alerts you to threats and can stop harmful activities fast.
- Block code.exe with AppLocker and use Group Policy Objects (GPO) to control VS Code and its features.
- Teach developers and IT staff how to safely use VS Code. Stress the need to use SSH or Dev Containers for remote work, not the built-in tunnel.
With these steps, organizations can strengthen their security and reduce VS Code tunnel abuse risks.
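The list above gives the two telemetry signals (code.exe running as a service or with tunnel arguments, and DNS or proxy traffic to *.devtunnels.ms) without showing the matching logic. The following is an added example, not code from the article or from any vendor tool: it runs both checks over constructed process-creation records (Sysmon/4688-style fields) and DNS query lines, and rates each hit by whether the binary sits outside a normal VS Code install path, runs as SYSTEM, runs on a host that is not a developer workstation, or installs itself as a service. The `tunnel` and `tunnel service install` forms are the VS Code CLI's own sub-commands; the hosts, paths, domain names and the `DEVELOPER_HOSTS` allow-list are assumptions made for this example.

```python
import ntpath

# Constructed sample telemetry (invented for this example, not from the incident).
SAMPLE_PROCESS_EVENTS = [
    {"host": "SRV-WEB01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\Temp\\vscode\\code.exe",
     "cmdline": "\"C:\\Windows\\Temp\\vscode\\code.exe\" tunnel service install --accept-server-license-terms"},
    {"host": "DEV-LAPTOP07", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "cmdline": "\"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" tunnel"},
    {"host": "DEV-LAPTOP07", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "cmdline": "\"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" C:\\repo\\project"},
]
SAMPLE_DNS_LOG = """
2024-07-02T09:15:02Z SRV-WEB01 A abc123-8080.euw.devtunnels.ms
2024-07-02T09:15:03Z SRV-WEB01 A github.com
2024-07-02T09:40:11Z DEV-LAPTOP07 A xyz789-3000.euw.devtunnels.ms
2024-07-02T09:41:00Z WS-14 A update.microsoft.com
"""

# Hypothetical policy: hosts where developers are expected to run VS Code, the tunnel
# service domain named in the article, and the paths a managed VS Code install lives in.
DEVELOPER_HOSTS = {"DEV-LAPTOP07"}
TUNNEL_DOMAIN_SUFFIXES = (".devtunnels.ms",)
KNOWN_INSTALL_PATHS = ("\\program files\\microsoft vs code\\",
                       "\\appdata\\local\\programs\\microsoft vs code\\")


def command_args(cmdline: str) -> list:
    """Return the arguments after the executable, handling a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        rest = cmdline[cmdline.index('"', 1) + 1:]
    else:
        parts = cmdline.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def check_process(event: dict):
    # Only code.exe invocations whose first argument is the tunnel sub-command count.
    if ntpath.basename(event["image"]).lower() != "code.exe":
        return None
    args = command_args(event["cmdline"])
    if not args or args[0].lower() != "tunnel":
        return None
    reasons = []
    if not any(p in event["image"].lower() for p in KNOWN_INSTALL_PATHS):
        reasons.append("portable-or-unusual-install-path")
    if event["user"].upper().endswith("\\SYSTEM"):
        reasons.append("runs-as-system")
    if event["host"] not in DEVELOPER_HOSTS:
        reasons.append("non-developer-host")
    if "service" in [a.lower() for a in args[1:]]:
        reasons.append("installed-as-service")
    return {"source": "process", "host": event["host"],
            "severity": "high" if reasons else "info", "reasons": reasons}


def check_dns_line(line: str):
    # Expected line shape (constructed): "<timestamp> <host> <record type> <name>".
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, host, _rtype, name = parts
    if not name.lower().endswith(TUNNEL_DOMAIN_SUFFIXES):
        return None
    return {"source": "dns", "host": host,
            "severity": "info" if host in DEVELOPER_HOSTS else "high",
            "reasons": [f"query:{name}"]}


def analyze(process_events: list, dns_log: str) -> list:
    findings = [f for f in (check_process(e) for e in process_events) if f]
    findings += [f for f in (check_dns_line(l) for l in dns_log.splitlines()) if f]
    return findings


def severity_counts(findings: list) -> dict:
    counts = {"high": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_LOG):
        print(f)
```

On the sample, the SYSTEM-level tunnel service installed from a temp directory on a web server and that server's devtunnels.ms lookup are rated high, while the developer laptop's tunnel and lookup are recorded as informational so the "trusted people" allow-list from the section can be reviewed. The process rule is the more robust of the two, since the DNS rule only sees hosts that resolve the tunnel domain through logged resolvers.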
"The use of VS Code remote tunnels has become a new vector for cyber attacks, and it's crucial that organizations take proactive steps to detect and prevent such abuse."
Protecting against VS Code tunnel misuse needs a solid security plan. This plan should include technical measures, monitoring, and teaching users. By doing this, companies can safeguard their digital assets and keep their development areas safe.
Microsoft Azure and GitHub Authentication Exploitation
In the recent Chinese cyberattack, known as Operation Digital Eye, the threat actors exploited both the Microsoft Azure infrastructure and GitHub authentication mechanisms. They used legitimate cloud services and authentication methods to blend their actions with normal traffic. This made detection more challenging.
Cloud Infrastructure Abuse Patterns
The attackers used the Visual Studio Code (VS Code) tunneling feature for remote access. This feature allows developers to share their VS Code environments on the open web, but it requires authentication through a GitHub account. They abused this to gain remote access to the compromised systems, using the vscode.dev URLs to connect.
They also exploited the Remote - Tunnels extension, which comes pre-installed with the vscode.dev instances. This extension allowed them to maintain their presence on the targeted systems and further their data exfiltration efforts.
Authentication Security Concerns
The attack vector involved the abuse of GitHub authentication. Users were prompted to log into their GitHub accounts when opening a vscode.dev link for the first time. By compromising these GitHub credentials, the attackers could gain access to the remote development environments and leverage them for their malicious purposes.
The threat actors also took advantage of the authentication requirements for hosting or connecting to a tunnel. They used a GitHub or Microsoft account to blend their activities with legitimate users. This made it more challenging for security teams to detect and mitigate the intrusion.
The rise of such exploitation techniques highlights the need for enhanced security measures. We must monitor cloud infrastructure and authentication processes, especially for development-related services and tools like Visual Studio Code.
Impact on European B2B IT Service Sector
A suspected Chinese cyber espionage campaign, known as Operation Digital Eye, has been targeting big IT service providers in Southern Europe. This could seriously harm a big part of the B2B services in the whole continent. The focus on key IT service firms shows how big the cybersecurity impact of such attacks can be on Europe's digital world.
Reports say the group used many tactics, like phishing, software exploits, and malicious email links. They aimed to steal secret info quietly. This shows how important it is for the European B2B IT service industry to boost its cybersecurity.
| Key Findings | Potential Impact |
| --- | --- |
| Operation Digital Eye targeted large B2B IT service providers in Southern Europe | Disruption to a significant portion of the European IT service sector |
| Cyber attacks involved phishing, software exploits, and malicious email links | Confidential information theft through stealthy cyber espionage |
| Key signs of intrusion include unusual login attempts, data loss, and abnormal network traffic | Immediate need for enhanced cybersecurity measures in the European B2B IT services industry |
The European digital world is getting more connected. This makes the impact of such cyber attacks on the B2B IT service sector even more serious. It's vital to have strong incident response plans, watch things closely in real-time, and work together in the industry. This will help protect the region's important IT systems.
Conclusion
Operation Digital Eye shows how advanced cyber threats can adapt and innovate. They used Visual Studio Code, a trusted tool, to gain access and steal data. This shows how even common software can be used for malicious purposes.
This highlights the need for strong supply chain security, especially for IT service providers. They can unknowingly help cyber attacks spread. With Visual Studio Code becoming more popular, its misuse is a growing concern. It's crucial to have good detection and prevention methods in place.
To stay ahead of cyber threats, we need to keep improving our cybersecurity. This includes using advanced tools to spot and block hidden scripts and encrypted messages. By tackling these challenges, we can protect our digital world and keep our data safe from sophisticated attacks.
FAQ
What is Operation Digital Eye?
Operation Digital Eye is a cyber attack by suspected Chinese hackers. They targeted big IT service providers in Southern Europe in June and July 2024.
How did the attackers gain initial access to the targeted systems?
The hackers used SQL injection to get into systems. They used the SQLmap tool to find and use SQL injection flaws.
What technique did the attackers use to maintain persistent remote access?
They used Visual Studio Code Remote Tunnels for remote access. They set up a portable Visual Studio Code to create tunnels, using Microsoft's toolkit.
How did the attackers authenticate to the compromised systems?
They used GitHub accounts to connect to devices. This helped them hide their actions by looking like normal traffic.
What tool did the attackers use to maintain a foothold in the compromised systems?
They used a PHP web shell called PHPsert. It let them stay in the systems and access them remotely.
How did the attackers move laterally within the compromised networks?
They used RDP and pass-the-hash techniques. They also used a modified Mimikatz to move around in the networks.
What indicators suggest Chinese APT involvement in Operation Digital Eye?
Signs include Chinese comments in PHPsert and use of M247 hosting. The tools and timing also point to Chinese hackers.
What are the supply chain security risks associated with the targeting of large B2B IT service providers?
Targeting these providers can give hackers access to many other companies. This can affect many sectors through one breach.
How can organizations detect and prevent the abuse of Visual Studio Code tunnels for remote access?
Watch for unusual VSCode activity. Limit tunnel use to trusted people. Block portable files and check for 'code.exe' in services and logs.
How did the attackers exploit Microsoft Azure infrastructure and GitHub authentication mechanisms?
They used Azure and GitHub to hide their actions. This made it harder to detect their malicious activities.
What was the impact of Operation Digital Eye on the European B2B IT service sector?
The attack targeted big IT providers in Southern Europe. It shows the need for better security in the European IT sector.