Operation Cloud Hopper: What You Need to Know

Security researchers recently uncovered a pervasive cyberespionage campaign by a group known as “APT10” (a.k.a. MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX). The attacks were leveled against managed IT service providers, which the group used as intermediaries to get their hands on their target’s corporate assets and trade secrets. Here’s what you need to know about this latest threat and how organizations can mitigate it: 

Who are affected?

The campaign has impacted organizations in North America, Europe, South America, and Asia—and most recently managed service providers (MSPs) in: United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea, and Australia.

The MSPs, which managed the victims’ application, network, and system infrastructure, were compromised in order to infiltrate the networks of their actual targets: the MSPs’ clients. The industries affected include those in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies. 

[READ: Six Stages of Targeted Attacks]

How did they compromise MSPs?

Reports indicate that the campaign employed several malware including several iterations of remote access Trojans (RATs) including old but notorious families like PlugX, Poison Ivy, ChChes, and Graftor (detected by Trend Micro as BKDR_PLUGX, BKDR_POISON,BKDR_CHCHES, and TROJ_GRAFTOR respectively). Operation Cloud Hopper is also known to employ dropper Trojans such as ARTIEF (TROJ_ARTIEF) along with malicious files (TROJ_FAKEMS) that imitate signatures or properties of a legitimate Microsoft file, as well as Microsoft Office documents that contain malicious codes that exploit system vulnerabilities. Trend Micro’s initial analysis and detections reveal over 70 variants of backdoor families and Trojans were involved in this campaign. 

These malware were delivered through spear-phishing emails that targeted APT10’s MSPs of interest, posing as a legitimate organization like a public sector agency. To maintain their foothold on the infected system, the group employed tools that stole legitimate credentials (with administrator privileges) used to access the MSP and its client’s shared system/infrastructure. This is also what the group uses to laterally move and gain further access to the MSP’s client’s network. The attack schedules tasks or leverages services/utilities in Windows to persist in the systems even if the system is rebooted. 

APT10 didn’t just infect high-value systems. It also installed malware on non-mission-critical machines which it would then use to move laterally into their targeted computers—a subterfuge to prevent rousing suspicion from the organization’s IT/system  administrators. APT10 is noted to use open-source malware and hacking tools, which they’ve customized for their operations, and furtively access the systems via Remote Desktop Protocol or use RATs to single out which data to steal. 

These pilfered data are then collated, compressed, and exfiltrated from the MSP’s network to the infrastructure controlled by the attackers.

[READ: How will threat actors come up with new tactics for their targeted attacks?]

What can be done?

Operation Cloud Hopper highlights the ever-evolving cyberespionage landscape, with the connectivity between MSPs and its customers now being used as an attack vector. For enterprises, it also underscores the significance of carefully assessing and validating the risks entailed when third-party infrastructures are integrated into business processes. MSPs shouldn't just streamline how their client’s system infrastructure is managed; as Operation Cloud Hopper showed, MSPs must also balance its efficiency and the need to secure it—be it hosted email or cloud applications.

Apart from keeping systems up-to-date, both MSPs and enterprises should take defensive measures to mitigate these kinds of threats, including having proactive incident response measures. IT/system administrators can employ data categorization in order to mitigate the damage of a breach or protect the company’s core data in case they are exposed. Network segmentation can help protect networks by limiting privileges and access to sensitive data and corporate networks, consequently making lateral movement more difficult for attackers. Given how spear-phishing emails are Operation Cloud Hopper’s points of entry, fostering a culture of cybersecurity in the workplace is also a must—particularly against email-based threats.

Trend Micro Solutions:

Trend MicroDeep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats, like those employed by Operation Cloud Hopper, even without any engine or pattern update.

Trend Micro’s Hybrid Cloud Security solution, powered by XGen™ security and features Trend Micro™ Deep Security™, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads/servers.

Trend Micro’s Managed Service Provider program provide MSPs the benefits of automated security management as well as on-premises security solutions that can be efficiently integrated industry standard application deployment platforms.  

TippingPoint customers are protected from these attacks via this ThreatDV filter:
ThreatDV 27813: TCP: Backdoor.Win32.Redleavy.A (RedLeaves) Checkin

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Cyber Attacks