FBI Warns MSPs of Cyberattacks from China

A notorious Chinese malicious hacker group is stealing customer data. MSPs, be on alert.

Frank J. Ohlhorst, IT Consultant, Editor-at-Large

January 11, 2019

4 Min Read
China Cyberattack

The FBI has updated its warning about the Chinese hacking group APT10 and wants help from victims to better identify the attack vectors in use.

Unfortunately, due to the government shutdown, the FBI hasn’t been able to widely publicize the latest alerts. Alert Number AB-000102-MW, dated Jan. 2, can’t be found on the FBI’s Cyber Crime website, indicating that far too few MSPs are aware of the problem.

The alert outlines the latest intelligence available on the activities of the Chinese group known within the private sector as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM. This group heavily targets managed service providers (MSP) that provide cloud computing services; MSPs’ commercial and governmental clients; as well as defense contractors and governmental entities.


Powersolution.com’s David Ruchman

“The FBI provides several recommended mitigation measures to be taken within the first 72 hours of detection, along with others, such as patch management, to be performed routinely in advance of incident detection,” said David Ruchman, chief technology officer at Powersolution.com, a New Jersey-based managed services provider.

But those mitigation measures are only a starting point.

“We believe best practices should be focused on the preventive measures, in addition to the remediation efforts after an intrusion,” Ruchman added. “Such measures include implementing standards and controls such as NIST, SANS and CIS. In addition, supporting IT infrastructures with highly qualified and trained IT security personnel is imperative.”

APT10 utilizes several components to compromise and navigate through target networks:

  • REDLEAVES: This component is a Remote Access Trojan (RAT) which operates primarily in memory to evade detection. Basic REDLEAVES functionality includes victim system enumeration, file search/deletion, screenshots, as well as data transmission. It utilizes and command and control (c2) that operates thru HTTP/HTTPS on ports 53, 80, 443 and 995.

  • UPPERCUT/ANEL: This is a backdoor Trojan used in spearphishing campaigns to deploy second-stage payloads such as credential harvesters. It’s reported that UPPERCUT is deployed using decoy Microsoft Word Documents that contain Visual Basic Macros to download further components. It’s also known to contain exploits for the CVE-2017-8759 and CVE-2017-1182 vulnerabilities.

  • CHCHES: This component is a RAT which communicates with C2 servers using HTTP Cookie headers. It’s noted that the primary method of compromise is thru spearphishing. The executable hides itself as a word document by using it’s the programs icon. CHCHES initially collects victim computer hostname; process identifier (PID); current working directory (%TEMP%); screen resolution; as well as kernel32.dll or explorer.exe version. This information is sent back to the attacker via their cookie based C2 infrastructure.

The FBI says any activity related to APT10 detected on a network should be considered an indication of a compromise requiring extensive mitigation and a call to law enforcement. 


Powersolution.com’s Abdul Hammad

However, the APT10 attacks are only just the beginning.

“Early last year, we noticed an uptick in cyberespionage campaigns from other countries,” said Abdul Hammad, Powersolution.com’s CISO. “This resulted in a heightened awareness of potential exploits by cybercriminals, which has been reinforced with the recent FBI APT 10 FLASH report.”

Perhaps one of the most troubling aspects of the APT10 attacks is how …

… unprepared some businesses are to deal with such cyberattacks, and a lack any type of standardization.


Alvaka Networks’ Oli Thordarson

“The APT10 activities are particularly troublesome as it attacks those charged with protecting information technology in the U.S.,” noted Oli Thordarson, CEO at Alvaka Networks. “If ever there was a time for IT service providers to double down on a structured framework like the NIST standards, that time is now.”

“Keys to preventive risk mitigation include enterprise-level layered security infrastructure and processes for small organizations, in addition to larger entities,” added Hammad. “Necessary layered security techniques include managed Unified Threat Management (UTM) firewalls; antivirus; DNS malware protection; email and hard disk encryption; and two-factor authentication — all configured and managed by qualified IT personnel.”

Technology, however, only seems to be part of the protection puzzle; proactive maintenance seems to be a key as well.

“Another point to be driven home based on the FBI report is the need for software patching and two factor authentication,” said Thordarson. “I am alarmed when I see how far behind most clients are on their patching duties. Sometimes they are years behind on some key servers and other devices. Just keeping up with patching and implementing two-factor authentication goes far, but I don’t mean to mitigate the need for additional layers of security protection for all firms.”

The question remains: With the ongoing government shutdown, will attacks grow in frequency and will cybersecurity issues take longer to identify and remediate? Simply put, MSPs should hope for the best, but prepare for the worst.

Read more about:


About the Author(s)

Frank J. Ohlhorst

IT Consultant, Editor-at-Large

Frank J. Ohlhorst is an award-winning technology journalist and technology analyst, with extensive experience as an IT business consultant, editor, author, presenter and blogger. He frequently advises and mentors technology startups and established technology ventures, helping them to create channel programs, launch products, validate product quality, design support systems, build marketing materials, as well as create case studies and white papers.

Mr. Ohlhorst also has extensive experience assisting businesses looking to launch analytics projects, such as big data, business intelligence and resource management. He also has taken on contract roles as a temporary CIO, CTO and data scientist for startups and new ventures. Mr. Ohlhorst also provides forensic services for data security and assist with compliance audits, as well as researching the implications of compliance on a given business model.

Mr. Ohlhorst also has held the roles of CRN Test Center director, eWeek’s executive editor, technology editor for Channel Insider, and is also a frequent contributor to leading B2B publications.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like