Chinese Hackers Use Visual Studio Code Tunnels for Remote Access

Summary:
A suspected China-linked cyber espionage group targeted major business-to-business IT service providers in Southern Europe as part of a campaign known as Operation Digital Eye, according to a joint report by SentinelOne SentinelLabs and Tinexta Cyber. The attacks, which occurred between late June and mid-July 2024, were detected and neutralized before any data exfiltration could take place. The threat actors exploited legitimate tools, such as Visual Studio Code Remote Tunnels and Microsoft Azure infrastructure, to establish command-and-control channels, disguising malicious activity as legitimate network traffic. Initial access was achieved through SQL injection attacks, facilitated by the penetration testing tool SQLmap, followed by the deployment of a PHP-based web shell, PHPsert, for persistence. Further steps included credential harvesting, lateral movement via Remote Desktop Protocol, and pass-the-hash attacks using a custom-modified version of Mimikatz, known as mimCN.

Security Officer Comments:
Attribution to a specific Chinese hacking group remains unclear, complicated by the shared toolsets and infrastructure commonly observed across Chinese cyber operations. Indicators linking the campaign to China include source-code overlaps with prior Chinese campaigns (Operation Soft Cell and Operation Tainted Love), Simplified Chinese-language comments in PHPsert, and evidence of activity during standard working hours in China. Additionally, the attackers utilized Romanian hosting infrastructure and leveraged trusted tools, such as Visual Studio Code, to disguise their activities. The use of GitHub accounts to authenticate to and access Visual Studio Code Remote Tunnels further underscores their reliance on legitimate platforms to evade detection.

Suggested Corrections:

IOCs:
https://www.sentinelone.com/labs/op...nfrastructure-via-visual-studio-code-tunnels/

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
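The "continuous monitoring for anomalies" item above maps directly onto the tunnel technique in the Summary: a Visual Studio Code tunnel only looks like legitimate traffic if nobody checks which hosts start one. The following Python is an added example, not code from the report or this bulletin, that flags tunnel use in endpoint telemetry. It assumes a JSON-lines event shape (constructed sample lines below), an allowlist of developer workstations where tunnels are expected, and Microsoft's dev tunnel service domains (`devtunnels.ms`, `tunnels.api.visualstudio.com`), which are product endpoints rather than indicators quoted from the report.

```python
import json
import re

# Constructed sample telemetry (not from the report): process and DNS events,
# one JSON object per line. A web server starting a tunnel is the suspicious case.
SAMPLE_EVENTS = r"""
{"type":"process","host":"web-srv-01","user":"IIS APPPOOL\\app","image":"C:\\Users\\Public\\code.exe","cmdline":"code.exe tunnel --accept-server-license-terms --name web-srv-01"}
{"type":"process","host":"dev-lt-07","user":"CORP\\alice","image":"C:\\Program Files\\Microsoft VS Code\\Code.exe","cmdline":"Code.exe --new-window"}
{"type":"dns","host":"web-srv-01","query":"global.rel.tunnels.api.visualstudio.com"}
{"type":"dns","host":"dev-lt-07","query":"abc123-8080.euw.devtunnels.ms"}
{"type":"dns","host":"web-srv-01","query":"update.microsoft.com"}
"""

# Assumed tunnel service domains (Microsoft dev tunnels) and the CLI form that starts a tunnel.
TUNNEL_DOMAIN_RE = re.compile(r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I)
TUNNEL_CMD_RE = re.compile(r"(^|[\\/ ])code(-tunnel)?(\.exe)?\s+tunnel\b", re.I)

# Assumed allowlist: hosts where developers are expected to use Remote Tunnels.
DEVELOPER_HOSTS = {"dev-lt-07"}


def detect_vscode_tunnel_use(jsonl, developer_hosts=DEVELOPER_HOSTS):
    """Return (host, severity, reason) findings for tunnel activity in JSON-lines telemetry."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev.get("host", "?")
        if ev.get("type") == "process" and TUNNEL_CMD_RE.search(ev.get("cmdline", "")):
            # Any tunnel start is worth a record; on a non-developer host it is high severity.
            severity = "low" if host in developer_hosts else "high"
            findings.append((host, severity, f"VS Code tunnel started by {ev.get('user')}: {ev['cmdline']}"))
        elif ev.get("type") == "dns" and TUNNEL_DOMAIN_RE.search(ev.get("query", "")):
            # DNS alone is weaker evidence, so only flag hosts that should never need the service.
            if host not in developer_hosts:
                findings.append((host, "medium", f"Tunnel service lookup from non-developer host: {ev['query']}"))
    return findings


if __name__ == "__main__":
    for host, severity, reason in detect_vscode_tunnel_use(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {host}: {reason}")
```

On the sample data the web server produces a high-severity process finding and a medium-severity DNS finding, while the developer laptop produces nothing; in production the same two signals would be joined with the GitHub authentication the report describes, which tunnel clients perform before the tunnel comes up.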

Link(s):
https://www.bleepingcomputer.com/ne...visual-studio-code-tunnels-for-remote-access/

https://www.sentinelone.com/labs/op...nfrastructure-via-visual-studio-code-tunnels/