December 10, 2024 at 07:48AM
Chinese hackers are abusing Visual Studio Code Remote Tunnels to maintain persistent remote access to compromised IT service providers in Southern Europe, in a campaign that SentinelLabs and Tinexta Cyber have dubbed ‘Operation Digital Eye’. The intrusions began with SQL injection and progressed through webshells, credential theft and lateral movement before the tunnels were set up. The technique is alarming because tunnel traffic is ordinary TLS to Microsoft-operated *.devtunnels.ms endpoints, so it blends in with legitimate developer activity and can slip past controls that trust Microsoft infrastructure.
### Meeting Takeaways: Operation Digital Eye
– **Target**: Chinese hackers compromised large IT service providers across Southern Europe, organisations whose access into downstream customers makes them attractive supply-chain footholds.
– **Methodology**: The attackers used Visual Studio Code (VSCode) Remote Tunnels, part of Microsoft’s Remote Development feature set, as their persistence and remote-access channel: a tunnel exposes the host’s shell and file system to anyone who can sign in to it from a VSCode client or vscode.dev.
– **Execution**:
– Initial access was gained by SQL injection against internet-facing applications, automated with the open-source tool ‘sqlmap’.
– Once in, a PHP webshell (PHPsert) was deployed for remote command execution.
– The attackers moved laterally over RDP, harvesting credentials with a modified build of Mimikatz.
– **Configuration**: A portable copy of VSCode (‘code.exe’) was registered as a persistent Windows service so the tunnel came back after reboots; the operators then connected through the browser-based VSCode interface, which gives them a terminal and file-system access on the victim host.
– **Activity Pattern**: Attackers were most active during standard working hours in China, indicating a routine operational schedule.
– **Detection**: SentinelLabs and Tinexta Cyber identified and blocked the operation early on. The campaign occurred between June and July 2024 and is referred to as ‘Operation Digital Eye’.
– **Threat Actor**: Evidence suggests possible involvement of STORM-0866 or Sandman APT, though the specific group remains unidentified.
– **Recommendations for Defense**:
– Alert on ‘code.exe’ launched with the ‘tunnel’ subcommand or from user-writable locations, and restrict Remote Tunnels to explicitly authorised users and accounts; on servers with no development role, VSCode should not be present at all.
– Use application allowlisting (for example AppLocker or WDAC) so that ‘code.exe’ runs only from the managed install path. A portable copy is still Microsoft-signed, so publisher-only rules will not stop it; constrain by path or hash as well.
– Inspect Windows services for an image path ending in ‘code.exe’, and check DNS and proxy logs for connections to *.devtunnels.ms. Tunnels must be authenticated with a GitHub or Microsoft account, so the account that owns a suspicious tunnel is a further investigation lead, and blocking the domain at the proxy cuts the channel wherever tunnel use is not sanctioned.
– **Related Activities**: Previous reports noted other groups, like ‘Stately Taurus’, have used similar methods, but at this time, there is no evidence linking the two operations.
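The three checks from the defence recommendations (tunnel launches of ‘code.exe’, services wrapping ‘code.exe’, and lookups of *.devtunnels.ms) written as one hunt over exported telemetry. This is an example added here, not code from SentinelLabs, Tinexta Cyber or the original report; the record layouts, the managed install paths and all sample records are constructed assumptions and will need mapping onto your SIEM’s real schema.

```python
"""Hunt for VS Code Remote Tunnel abuse in exported Windows telemetry.

Example added for this page; it is not SentinelLabs' or Tinexta Cyber's code.
The record layouts (host, image, command_line, image_path, query) and all sample
records below are constructed for illustration and must be mapped onto your
SIEM's actual schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Relay domain the page names for tunnel traffic. Extend with any other domains
# your proxy logs show VS Code tunnels using; this example sticks to the one cited.
TUNNEL_DOMAIN_RE = re.compile(r"(^|\.)devtunnels\.ms$", re.IGNORECASE)

# Where a managed VS Code install lives on Windows (assumption: adjust to your
# deployment). A code.exe running from anywhere else is treated as a portable copy.
KNOWN_INSTALL_RE = re.compile(
    r"^(?:"
    + re.escape("C:\\Program Files\\Microsoft VS Code")
    + r"|"
    + re.escape("C:\\Users\\")
    + r"[^\\]+"
    + re.escape("\\AppData\\Local\\Programs\\Microsoft VS Code")
    + r")\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _split_exe(command: str) -> tuple:
    """Split a command line or service ImagePath into (executable, arguments)."""
    s = command.strip()
    if s.startswith('"'):
        exe, _, rest = s[1:].partition('"')
    else:
        exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def check_process(event: dict) -> list:
    """Sysmon-style process-creation record (EventID 1)."""
    findings = []
    if _basename(event["image"]) != "code.exe":
        return findings
    _, args = _split_exe(event.get("command_line", ""))
    # Remote Tunnels are started through the CLI's `tunnel` subcommand, which is the
    # first non-option argument; anchoring there avoids tripping on a workspace
    # folder that merely happens to be called "tunnel".
    if re.match(r"(?:-\S+\s+)*tunnel\b", args, re.IGNORECASE):
        findings.append(Finding("vscode_tunnel_launch", event["host"], event["command_line"]))
    if not KNOWN_INSTALL_RE.match(event["image"]):
        findings.append(Finding("vscode_portable_binary", event["host"], event["image"]))
    return findings


def check_service(svc: dict) -> list:
    """Windows service definition: service name plus the registry ImagePath."""
    exe, _ = _split_exe(svc["image_path"])
    if _basename(exe) == "code.exe":
        return [Finding("vscode_service", svc["host"], f"{svc['name']}: {svc['image_path']}")]
    return []


def check_dns(query: dict) -> list:
    """DNS query log record (client host plus queried name)."""
    if TUNNEL_DOMAIN_RE.search(query["query"].rstrip(".")):
        return [Finding("vscode_tunnel_dns", query["host"], query["query"])]
    return []


def hunt(processes, services, dns_queries) -> dict:
    """Map each host with at least one finding to the sorted list of rules it hit.
    Several independent rules firing on one host is the signal worth paging on."""
    by_host = defaultdict(set)
    for records, check in ((processes, check_process), (services, check_service),
                           (dns_queries, check_dns)):
        for item in records:
            for f in check(item):
                by_host[f.host].add(f.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


# Constructed sample telemetry: one compromised server, one ordinary developer box.
PROCESS_EVENTS = [
    {"host": "srv-db01",
     "image": "C:\\Users\\svc_backup\\AppData\\Roaming\\code\\code.exe",
     "command_line": '"C:\\Users\\svc_backup\\AppData\\Roaming\\code\\code.exe" tunnel --accept-server-license-terms'},
    {"host": "ws-dev07",
     "image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "command_line": '"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" C:\\repo'},
]
SERVICES = [
    {"host": "srv-db01", "name": "CodeTunnel",
     "image_path": '"C:\\Users\\svc_backup\\AppData\\Roaming\\code\\code.exe" tunnel'},
    {"host": "srv-db01", "name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]
DNS_QUERIES = [
    {"host": "srv-db01", "query": "abc123xyz-8000.euw.devtunnels.ms"},
    {"host": "ws-dev07", "query": "update.code.visualstudio.com"},
]

if __name__ == "__main__":
    for host, rules in hunt(PROCESS_EVENTS, SERVICES, DNS_QUERIES).items():
        print(f"{host}: {', '.join(rules)}")
```

Each rule on its own is noisy in an environment where developers legitimately use tunnels; the point of `hunt()` is the per-host correlation, where a server that both runs a portable ‘code.exe’ as a service and resolves *.devtunnels.ms matches the pattern described in the report and deserves an immediate look.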
**Action Items**:
1. Add detections for VSCode tunnel launches, ‘code.exe’ services and *.devtunnels.ms traffic, and baseline where VSCode is legitimately used so the alerts stay actionable.
2. Review and tighten access controls on remote development tools, limiting Remote Tunnels to named, authorised users.
3. Audit Windows services on servers for unauthorised entries, in particular any whose image path points to ‘code.exe’.