Attack on European IT Organizations by Operation Digital Eye
To conduct a supply-chain espionage campaign, a Chinese threat actor used a "bring your own VS Code" approach to gain access to multiple IT and security organizations.
By hiding their activity behind native Microsoft technologies, Chinese hackers nearly gained access to vital European supply chain organizations. According to SentinelLabs researchers, the intrusions took place over roughly three weeks, from June to July. With the apparent aim of downstream supply chain espionage, a threat actor associated with China's large and diverse cyber attack ecosystem targeted major business-to-business (B2B) IT service providers across southern Europe, including cybersecurity vendors and providers of data and infrastructure solutions.
The attackers concealed their malicious activity behind commonplace business tools such as Microsoft Azure and Visual Studio Code in order to get at these IT vendors across the continent and the privileged access they hold. They also reused tactics, techniques, and procedures (TTPs) and tooling seen across several other known Chinese threat actors, which muddles attribution.
MICROSOFT-BASED MALWARE
The campaign, which the researchers named "Operation Digital Eye," began with SQL injection against internet-exposed database and web servers. The attackers then dropped PHP web shells whose file names were tailored to each target's environment so as not to raise red flags; credential theft, lateral movement, and reconnaissance followed.
The centerpiece of the attack, however, was innocuously disguised as "Code.exe." Each victim received a portable copy of Visual Studio Code (VS Code), digitally signed by Microsoft and run as a service wrapper. VS Code, a free and open source editor created by Microsoft, is the most widely used integrated development environment (IDE) among novice and experienced developers alike.
The attackers evidently got around this potential obstacle by routing their communications through Western European public cloud infrastructure, making otherwise suspicious traffic look legitimate and less likely to be flagged by security tools. According to the researchers, network traffic from VS Code and Azure typically escapes close examination because it is permitted by firewall rules and application controls.
"Combined with and application controls provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit," they stated.
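Because the signed binary and the cloud-hosted traffic look legitimate, a defender's best handle is the process telemetry around `Code.exe` itself. The following added example (not code from the SentinelLabs report) is a detection heuristic over constructed process-creation events: it flags a `Code.exe` that runs from outside the expected install paths, is started with the VS Code CLI `tunnel` subcommand, or is launched by the service control manager, as the service-wrapped portable copy described above would be. The expected install paths and the sample events are assumptions to be tuned to a fleet's baseline.

```python
"""Heuristic detection of VS Code tunnel abuse in process-creation telemetry."""
import re
from typing import Dict, Iterable, List

# Where a legitimately installed VS Code normally lives (assumption: system-wide
# install or the per-user install under %LOCALAPPDATA%). Adjust for your fleet.
EXPECTED_PATH = re.compile(
    r"^(c:\\program files\\microsoft vs code\\code\.exe"
    r"|c:\\users\\[^\\]+\\appdata\\local\\programs\\microsoft vs code\\code\.exe)$",
    re.IGNORECASE,
)

def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a single Code.exe process event looks suspicious (empty = benign)."""
    reasons: List[str] = []
    image = ev["image"].lower()
    if not image.endswith("\\code.exe"):
        return reasons  # only VS Code processes are in scope here
    if not EXPECTED_PATH.match(image):
        reasons.append("Code.exe running outside the expected install path")
    # The VS Code CLI exposes remote access as `code tunnel`; look for that subcommand
    # after the executable token (a folder literally named 'tunnel' would also trip this).
    tokens = ev.get("cmdline", "").split()
    if any(t.lower() == "tunnel" for t in tokens[1:]):
        reasons.append("VS Code CLI 'tunnel' subcommand on the command line")
    if ev.get("parent_image", "").lower().endswith("\\services.exe"):
        reasons.append("launched by the service control manager (installed as a service)")
    return reasons

def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the heuristic over a stream of events; two or more reasons escalate to high."""
    findings = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            findings.append({"image": ev["image"],
                             "severity": "high" if len(reasons) >= 2 else "medium",
                             "reasons": reasons})
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft VS Code\Code.exe",            # benign: Explorer opens a repo
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\app',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\ProgramData\VSCode\Code.exe",                         # portable copy, tunnel, service
     "cmdline": r"C:\ProgramData\VSCode\Code.exe tunnel --accept-server-license-terms",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",  # developer's own tunnel
     "cmdline": r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], "->", "; ".join(f["reasons"]))
```

The third event shows why the `tunnel` subcommand alone is only a medium signal: developers do use it legitimately, so the path and parent-process checks are what separate a portable, service-wrapped copy from normal use.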