FBI Warns MSPs of Cyberattacks from China
The FBI has updated its warning about the Chinese hacking group APT10 and wants help from victims to better identify the attack vectors in use.
Unfortunately, due to the government shutdown, the FBI hasn’t been able to widely publicize the latest alerts. Alert Number AB-000102-MW, dated Jan. 2, can’t be found on the FBI’s Cyber Crime website, which suggests that far too few MSPs are aware of the problem.
The alert outlines the latest intelligence available on the activities of the Chinese group known within the private sector as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM. This group heavily targets managed service providers (MSPs) that provide cloud computing services; MSPs’ commercial and governmental clients; as well as defense contractors and governmental entities.
“The FBI provides several recommended mitigation measures to be taken within the first 72 hours of detection, along with others, such as patch management, to be performed routinely in advance of incident detection,” said David Ruchman, chief technology officer at Powersolution.com, a New Jersey-based managed services provider.
But those mitigation measures are only a starting point.
“We believe best practices should be focused on the preventive measures, in addition to the remediation efforts after an intrusion,” Ruchman added. “Such measures include implementing standards and controls such as NIST, SANS and CIS. In addition, supporting IT infrastructures with highly qualified and trained IT security personnel is imperative.”
APT10 utilizes several components to compromise and navigate through target networks:
- REDLEAVES: A Remote Access Trojan (RAT) that operates primarily in memory to evade detection. Basic REDLEAVES functionality includes victim system enumeration, file search and deletion, screenshots, and data transmission. Its command and control (C2) channel operates over HTTP/HTTPS on ports 53, 80, 443 and 995.
- UPPERCUT/ANEL: A backdoor Trojan used in spearphishing campaigns to deploy second-stage payloads such as credential harvesters. UPPERCUT is reported to be delivered by decoy Microsoft Word documents containing Visual Basic macros that download further components. It is also known to contain exploits for the CVE-2017-8759 and CVE-2017-1182 vulnerabilities.
- CHCHES: A RAT that communicates with its C2 servers through HTTP Cookie headers. The primary method of compromise is spearphishing. The executable disguises itself as a Word document by using that program’s icon. CHCHES initially collects the victim computer’s hostname, process identifier (PID), current working directory (%TEMP%), screen resolution, and kernel32.dll or explorer.exe version, and sends this information back to the attacker over its cookie-based C2 infrastructure.
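Two of the behaviours above are visible in ordinary web proxy or HTTP logs and can be hunted for without any malware sample: plaintext HTTP where HTTP does not belong (REDLEAVES C2 on 53 and 995, ports normally carrying DNS and POP3S) and an opaque encoded blob riding in the Cookie header (CHCHES). The Python below is an added example, not code from the FBI alert or from the article; the log format, the sample lines, the field names and the thresholds are all constructed for illustration, and the two heuristics are generic hunting rules rather than signatures for these specific families.

```python
"""Heuristic hunt over HTTP proxy logs for two network patterns described in
the FBI alert: HTTP C2 on ports where HTTP is not expected (REDLEAVES) and
C2 data carried in the HTTP Cookie header (CHCHES).

Added example. The log format and sample lines are constructed, not real
traffic, and the thresholds are illustrative starting points.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in a simplified, whitespace-separated proxy-log format:
#   timestamp src_ip dst_host dst_port method uri cookie_header ("-" if absent)
# The cookie header is the last field and may itself contain spaces.
SAMPLE_LOG = """\
2019-01-02T10:00:01 10.0.0.5 www.example.com 80 GET /index.html PHPSESSID=3f2a9b1c4d5e6f7a8b9c0d1e2f3a4b5c
2019-01-02T10:00:05 10.0.0.5 cdn.example.net 80 GET /static/app.js -
2019-01-02T10:01:00 10.0.0.7 203.0.113.10 53 GET /update.php -
2019-01-02T10:02:00 10.0.0.7 203.0.113.10 995 POST /update.php -
2019-01-02T10:03:00 10.0.0.9 198.51.100.20 80 GET /img/logo.gif uid=QaWb0EcRd1TeYf2UgIh3OiPj4AkSl5DmFn6GoHp7JqKr8LsZt9XuCv+VwBx/NyMz; lang=en
2019-01-02T10:04:00 10.0.0.5 www.example.com 443 GET /login -
"""

# REDLEAVES C2 is reported on 53, 80, 443 and 995. 80/443 are where web
# traffic (and C2 that blends in) lives; HTTP on 53 or 995 is a mismatch
# between protocol and port that deserves a look on its own.
HTTP_ON_ODD_PORTS = {53, 995}

# A cookie value that looks like an opaque encoded payload rather than a
# session id: base64 alphabet, long, and high entropy. Assumed thresholds.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 40
MIN_ENTROPY_BITS = 4.5


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_cookies(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; the '-' placeholder yields {}."""
    cookies: Dict[str, str] = {}
    if header == "-":
        return cookies
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def hunt(log_text: str) -> List[Finding]:
    """Apply both heuristics to every well-formed line and return the hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split(maxsplit=6)
        if len(fields) != 7 or not fields[3].isdigit():
            continue  # malformed line: skip it rather than abort the hunt
        _ts, src, dst, port_s, method, uri, cookie_hdr = fields
        port = int(port_s)
        if port in HTTP_ON_ODD_PORTS:
            findings.append(Finding(line_no, "http-on-odd-port",
                                    f"{src} -> {dst}:{port} {method} {uri}"))
        for name, value in parse_cookies(cookie_hdr).items():
            if (len(value) >= MIN_BLOB_LEN and B64_RE.match(value)
                    and shannon_entropy(value) >= MIN_ENTROPY_BITS):
                findings.append(Finding(line_no, "cookie-blob",
                                        f"{src} -> {dst} cookie {name!r} "
                                        f"len={len(value)} "
                                        f"entropy={shannon_entropy(value):.2f}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

Run against the sample, the hunt flags the two requests to 203.0.113.10 on 53 and 995 and the 64-character `uid` cookie, while the 32-character hex session id and the normal traffic on 80 and 443 pass. The cookie rule will also fire on legitimate long encoded cookies (JWTs, encrypted framework sessions), so in practice it is paired with an allowlist of known applications; and because 80 and 443 are deliberately left alone here, C2 that blends in there has to be found by other means, such as beacon-interval analysis or destination reputation.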
The FBI says any activity related to APT10 detected on a network should be considered an indication of a compromise requiring extensive mitigation and a call to law enforcement.
However, the APT10 attacks are only the beginning.
“Early last year, we noticed an uptick in cyberespionage campaigns from other countries,” said Abdul Hammad, Powersolution.com’s CISO. “This resulted in a heightened awareness of potential exploits by cybercriminals, which has been reinforced with the recent FBI APT 10 FLASH report.”
Perhaps one of the most troubling aspects of the APT10 attacks is how …