Darkhotel exploits zero-day in VPN to attack China assets

News by Mark Mayne

North Korean hacking group accused of sophisticated campaign against global Chinese government interests

A series of attacks that exploit a zero-day vulnerability in the products of a Chinese VPN vendor called Sangfor has been attributed to the DarkHotel APT by Chinese security researchers.

More than 200 Sangfor SSL VPN servers have been hacked in the campaign, which began in March 2020 and has affected Chinese agencies in the UK, Italy and elsewhere around the globe, wrote researchers from Qihoo 360.

The researchers claimed that the campaign was timed to exploit the increased reliance on remote working caused by the Covid-19 pandemic in order to compromise the VPN company, whose products are used by several Chinese governmental agencies.

The zero-day vulnerability lies in an update mechanism that is triggered automatically when the VPN client starts to connect to the server, said the report. The client reads an update configuration file from a fixed location on the VPN server it connects to and then downloads a program called SangforUD.exe.

“The client compares the version of the update program without doing any other security checks. This leaves a security flaw that lets the hackers tamper with the update configuration file and replace the update program after hacking the VPN server. Then, the hackers can deliver a backdoor to the user devices without obstacle,” said the report.

The researchers also pointed out that the “server version of the attacked domestic VPN vendor was XXX. R1. This version was released in 2014, which is very old and contains a lot of security vulnerabilities,” the report added.
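To make the reported flaw concrete, the following added example (not code from Sangfor, Qihoo 360 or the article) contrasts an update check that only compares a version string with one that authenticates the update manifest and pins the downloaded program to it by hash. The manifest format, the field names, the vendor key and the sample binaries are all constructed assumptions; HMAC stands in for the asymmetric signature a real client would verify against a pinned vendor public key.

```python
import hashlib
import hmac
import json

# Assumed/constructed: a vendor signing key embedded in the client. A real client
# would pin the vendor's public key and verify an asymmetric signature; HMAC is
# used here only so the example runs with the standard library.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"

# Assumed: the version the installed client reports.
CURRENT_VERSION = (7, 6, 0)


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def canonical(manifest):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=VENDOR_KEY):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_manifest(version, program, binary):
    """Produce (manifest_text, signature) the way a vendor build step would."""
    manifest = {"version": version, "program": program,
                "sha256": hashlib.sha256(binary).hexdigest()}
    return canonical(manifest).decode(), sign_manifest(manifest)


def check_update_vulnerable(manifest_text, current=CURRENT_VERSION):
    """Mirrors the flaw in the report: only the version string is compared, so
    whoever controls the file on the server decides what the client runs."""
    manifest = json.loads(manifest_text)
    if parse_version(manifest["version"]) > current:
        return manifest["program"]  # handed straight to download-and-execute
    return None


def check_update_hardened(manifest_text, signature, program_bytes,
                          current=CURRENT_VERSION):
    """Returns ("ok", program), ("current", None) or ("rejected", reason)."""
    manifest = json.loads(manifest_text)
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return ("rejected", "manifest signature invalid")
    # 2. Only move forward: the same or an older version is never applied.
    if parse_version(manifest["version"]) <= current:
        return ("current", None)
    # 3. Bind the downloaded bytes to the signed manifest via its hash.
    digest = hashlib.sha256(program_bytes).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return ("rejected", "update binary does not match manifest hash")
    return ("ok", manifest["program"])


# Constructed stand-ins for the legitimate update and a tampered one.
GOOD_BINARY = b"MZ constructed stand-in for the genuine SangforUD.exe"
GOOD_MANIFEST_TEXT, GOOD_SIG = build_manifest("7.6.1", "SangforUD.exe", GOOD_BINARY)

# A compromised server can rewrite the manifest and swap the program, but it
# cannot produce a valid signature without the vendor key.
EVIL_BINARY = b"MZ constructed stand-in for a trojanised SangforUD.exe"
EVIL_MANIFEST_TEXT = json.dumps(
    {"version": "9.9.9", "program": "SangforUD.exe",
     "sha256": hashlib.sha256(EVIL_BINARY).hexdigest()},
    sort_keys=True, separators=(",", ":"))

if __name__ == "__main__":
    print("vulnerable client would run:",
          check_update_vulnerable(EVIL_MANIFEST_TEXT))
    print("hardened client, tampered manifest:",
          check_update_hardened(EVIL_MANIFEST_TEXT, GOOD_SIG, EVIL_BINARY))
    print("hardened client, genuine update:",
          check_update_hardened(GOOD_MANIFEST_TEXT, GOOD_SIG, GOOD_BINARY))
```

The ordering in the hardened check matters: the manifest is authenticated first so that no unauthenticated field (version, program name, hash) influences any later decision, and the hash check ties the bytes actually downloaded to that authenticated manifest, which is what stops a server-side swap of the update program.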

VPNs have become something of a target of late, Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK.

"In recent months, there have been a number of flaws reported in VPN providers. It was also revealed that some nation-state actors were actively seeking such vulnerable VPNs in order to gain a foothold into organisations. It's an ironic twist whereby a security tool itself is leveraged by the criminals to gain access into an organisation. Fortunately patches for these vulnerabilities exist, and with more staff working remotely these days and therefore using the VPN, patching these systems and ensuring the security of corporate data should be of utmost importance."

The DarkHotel group was identified back in 2014 by Kaspersky researchers, and became notorious for targeting diplomats via Wi-Fi networks at luxury hotels, as well as maintaining an arsenal of zero-day exploits. Previous campaigns linked to the group have targeted China, North Korea, Japan and the US.

"If we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings,” said Richard Bejtlich, principal security strategist at Corelight.

“First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval to the DPRK. Third, a combined approach that integrates server-side and client-side techniques, at the scale indicated by Qihoo, is a sign that the DPRK has improved its offensive asset management capabilities."

Bejtlich is not alone in registering some surprise at the Qihoo 360 researchers’ attribution. Kaspersky security researcher Brian Bartholomew took a blunt tone in his tweet on the report.

“This write up is full of speculation, no evidence this was actually DarkHotel, and a ton of confirmation bias about targeting because of Covid. Not saying they’re wrong, but in the future, there needs to be more supporting data to support claims,” Bartholomew wrote (@Mao_Ware, 6 April 2020: https://twitter.com/Mao_Ware/status/1247137793266061312).

Matt Walmsley, EMEA Director at Vectra, told SC Media UK that British firms might expect less of an impact from this particular campaign, but that lessons could still be learned.

“Exploiting VPN equipment vulnerabilities is nothing new, although using the equipment’s VPN client update service is a somewhat interesting propagation method. That this is centred on a Chinese vendor’s equipment and PRC targets is more unusual, and so will likely mean it has a lesser impact on UK organisations,” he said.

“More than ever, organisations need visibility into their remote users’ VPN connections and behaviours in order to answer questions such as, ‘How many of my remote employees may have been logged in on multiple devices?’ ‘Are those devices corporately managed?’ ‘Where is the risk of credential sharing?’.”

By gaining this visibility, organisations can understand their exposure and take steps to manage risk, such as automating the detection of, and response to, attacker behaviour and privilege abuse, he explained.

“Keeping your VPN equipment’s software patching up to date is critical too!” 
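The three questions Walmsley poses (multiple devices per user, unmanaged devices, credential sharing) can be answered from VPN session logs. The following is an added example, not code from Vectra or the article, that runs that logic over a handful of constructed log lines; the log format (timestamp, user, device id, managed flag, source IP, event) is an assumption chosen for the example, and real appliances export these fields under their own names.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN session events (not from any real appliance):
# <timestamp> <user> <device id> <managed|unmanaged> <source ip> <login|logout>
SAMPLE_LOG = """\
2020-04-06T08:01:10Z alice DEV-A1 managed   203.0.113.10 login
2020-04-06T08:02:40Z bob   DEV-B1 managed   198.51.100.7 login
2020-04-06T08:15:00Z alice DEV-A2 unmanaged 192.0.2.55   login
2020-04-06T09:00:00Z alice DEV-A1 managed   203.0.113.10 logout
2020-04-06T09:30:00Z carol DEV-C1 managed   198.51.100.9 login
2020-04-06T10:00:00Z alice DEV-A2 unmanaged 192.0.2.55   logout
2020-04-06T10:05:00Z bob   DEV-B2 managed   198.51.100.7 login
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, managed, ip, event = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "device": device,
            "managed": managed == "managed", "ip": ip, "event": event,
        })
    return events


def build_sessions(events):
    """Pair each login with the next logout for the same user and device.
    A login with no matching logout is treated as still open (end=None)."""
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["device"])
        if ev["event"] == "login":
            open_sessions[key] = {"user": ev["user"], "device": ev["device"],
                                  "managed": ev["managed"],
                                  "start": ev["ts"], "end": None}
        elif ev["event"] == "logout" and key in open_sessions:
            session = open_sessions.pop(key)
            session["end"] = ev["ts"]
            sessions.append(session)
    sessions.extend(open_sessions.values())
    return sessions


def _overlaps(a, b):
    # Open sessions extend to the far future for the purpose of the check.
    a_end = a["end"] or datetime.max
    b_end = b["end"] or datetime.max
    return a["start"] < b_end and b["start"] < a_end


def assess(text):
    """Per user: which devices were seen, which were unmanaged, and whether
    sessions from different devices overlapped in time (a credential-sharing
    indicator worth reviewing, not proof of it)."""
    per_user = defaultdict(list)
    for session in build_sessions(parse_events(text)):
        per_user[session["user"]].append(session)
    report = {}
    for user, sessions in per_user.items():
        devices = sorted({s["device"] for s in sessions})
        unmanaged = sorted({s["device"] for s in sessions if not s["managed"]})
        concurrent = any(
            _overlaps(a, b)
            for i, a in enumerate(sessions)
            for b in sessions[i + 1:]
            if a["device"] != b["device"]
        )
        report[user] = {"devices": devices, "unmanaged": unmanaged,
                        "concurrent_devices": concurrent}
    return report


if __name__ == "__main__":
    for user, findings in sorted(assess(SAMPLE_LOG).items()):
        print(user, findings)
```

On the sample data, alice shows up on two devices, one of them unmanaged, with overlapping sessions, which is exactly the combination the three questions are meant to surface; bob's two still-open sessions also overlap, while carol is a single managed device and raises nothing.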
