December 10, 2024 at 06:03AM
Chinese hackers came close to compromising critical European supply-chain companies by hiding their activity inside legitimate Microsoft tooling over a three-week span. The operation, called “Operation Digital Eye,” used SQL injection for initial access and Visual Studio Code Remote Tunnels for persistent access; the tooling involved is shared among several Chinese groups, which complicates attribution and shows a deliberately low-signature approach to cyber-espionage.
### Meeting Takeaways
1. **Chinese Cyber Threats**: Chinese hackers targeted critical European supply-chain companies over roughly three weeks from late June into July, breaking in through web-application vulnerabilities at B2B IT service providers, particularly in southern Europe.
2. **Operational Techniques**: The attackers hid their activity behind legitimate Microsoft tools (Visual Studio Code and Azure). Traffic to Microsoft-operated services is expected in almost every network, so the intrusion produced few signals that ordinary controls would flag.
3. **Campaign Name**: The campaign has been named “Operation Digital Eye.” Initial access was obtained through SQL injection against exposed web applications, followed by PHP web shells dropped on the compromised servers.
4. **Malware Intricacies**:
– The attackers used the digitally signed Visual Studio Code executable (“code.exe”) to maintain backdoor access. Because the binary carries a valid Microsoft signature, signer-based allow-listing does not stop it; detection has to key on how it is invoked rather than on what it is.
– They leveraged VS Code’s Remote Tunnels feature, which gives whoever controls the tunnel remote command execution and file-system access on the host through Microsoft’s own tunnel service, so the backdoor’s traffic looks like legitimate developer activity.
5. **Infrastructure Usage**: The attackers routed the tunnels through public cloud infrastructure in Western Europe, so their command-and-control traffic blended in with ordinary traffic to Microsoft cloud services and drew little suspicion from security controls.
6. **Attribution Challenges**: The malware employed, particularly a modified Mimikatz variant named “bK2o.exe,” complicates attribution: it shares code and characteristics with tooling used by several Chinese APT groups, so it points to a shared toolset rather than to one specific actor.
7. **Shared Tooling**: There is evidence that several Chinese cyber-threat groups share tools and resources, which improves their operational effectiveness and blurs the lines between them.
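The takeaways above describe a backdoor built from a signed, legitimate binary, so the useful detections are behavioural: VS Code started with the tunnel subcommand, a renamed copy of code.exe (the PE version resource still says Code.exe), developer tooling spawned by a web-server process, and connections to the tunnel service domains. The following is an added example written for this page, not code from the Operation Digital Eye report or from any vendor; the event field names (image, command_line, parent_image, original_file_name, dest_host) are assumptions modelled on Sysmon-style process-create and network-connect logs, and the sample telemetry is constructed.

```python
"""Flag Visual Studio Code Remote Tunnel abuse in endpoint telemetry (added example)."""
from dataclasses import dataclass

# Domains the VS Code tunnel client talks to: the tunnel relay (*.devtunnels.ms)
# and the tunnel control API (*.tunnels.api.visualstudio.com).
TUNNEL_DOMAIN_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")

# Parents a developer tool has no business being spawned from: web-server
# workers and the PHP interpreters a web shell would run commands through.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe"}


@dataclass
class Finding:
    severity: str  # "medium" or "high"
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_vscode_binary(event: dict) -> bool:
    """True for code.exe, including a renamed copy: the signed binary keeps its
    PE version resource, so Sysmon's OriginalFileName still reads Code.exe."""
    return (_basename(event.get("image", "")) == "code.exe"
            or event.get("original_file_name", "").lower() == "code.exe")


def is_tunnel_endpoint(host: str) -> bool:
    """Suffix match on the tunnel service domains; lookalikes do not match."""
    h = host.lower().rstrip(".")
    return any(h == s[1:] or h.endswith(s) for s in TUNNEL_DOMAIN_SUFFIXES)


def analyze(events: list) -> list:
    """Return one Finding per suspicious process or network event."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            if not is_vscode_binary(ev):
                continue
            argv = ev.get("command_line", "").lower().split()
            if "tunnel" not in argv:  # ordinary editor launch, not the tunnel client
                continue
            image = _basename(ev["image"])
            parent = _basename(ev.get("parent_image", ""))
            reasons = []
            if parent in WEB_SERVER_PARENTS:
                reasons.append(f"spawned by web-server process {parent}")
            if image != "code.exe":
                reasons.append(f"renamed binary {image}")
            if "service" in argv and "install" in argv:
                reasons.append("'tunnel service install' registers a persistent service")
            hostile = parent in WEB_SERVER_PARENTS or image != "code.exe"
            detail = "VS Code Remote Tunnel started"
            if reasons:
                detail += ": " + "; ".join(reasons)
            findings.append(Finding("high" if hostile else "medium",
                                    "vscode_tunnel_process", ev["host"], detail))
        elif ev["type"] == "network_connect":
            dest = ev.get("dest_host", "")
            if is_tunnel_endpoint(dest):
                findings.append(Finding(
                    "medium", "vscode_tunnel_network", ev["host"],
                    f"{_basename(ev.get('image', ''))} -> {dest}:{ev.get('dest_port')}"))
    return findings


# Constructed sample telemetry (not real logs): a developer laptop and a web server.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "dev-laptop-07",
     "image": r"C:\Users\ana\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "original_file_name": "Code.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\ana\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel --accept-server-license-terms'},
    {"type": "process_create", "host": "web-01",
     "image": r"C:\ProgramData\svchost\update.exe", "original_file_name": "Code.exe",
     "parent_image": r"C:\php\php-cgi.exe",
     "command_line": r"C:\ProgramData\svchost\update.exe tunnel service install --accept-server-license-terms --name web-01"},
    {"type": "process_create", "host": "dev-laptop-07",
     "image": r"C:\Users\ana\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "original_file_name": "Code.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\ana\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\project'},
    {"type": "network_connect", "host": "web-01", "image": r"C:\ProgramData\svchost\update.exe",
     "dest_host": "euw.rel.tunnels.api.visualstudio.com", "dest_port": 443},
    {"type": "network_connect", "host": "web-01", "image": r"C:\ProgramData\svchost\update.exe",
     "dest_host": "abc123.euw.devtunnels.ms", "dest_port": 443},
    {"type": "network_connect", "host": "web-01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
```

On the sample events the developer's own tunnel is reported at medium severity, the web server's renamed copy started by php-cgi.exe with a service install is high, and the two tunnel-domain connections are reported regardless of which image made them, so a copy that evades the process rule still surfaces on the network side. In production the parent check should walk the full ancestry, since a web shell usually goes through cmd.exe before reaching the tunnel binary.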
### Action Items
– **Increased Vigilance**: Strengthen monitoring across client infrastructures for abuse of Microsoft tools: VS Code launched with a “tunnel” command line (including renamed copies of code.exe, which keep their Microsoft signature), outbound connections to the VS Code tunnel service domains (*.devtunnels.ms and tunnels.api.visualstudio.com), and developer tooling spawned by web-server processes.
– **Security Assessments**: Test internet-facing web applications for SQL injection and fix findings with parameterized queries rather than string-built SQL; sweep web servers for PHP web shells, since they were the foothold in this campaign.
– **Threat Intelligence Sharing**: Encourage collaboration with cybersecurity vendors to share intelligence regarding these evolving threats and toolsets.
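The initial access vector in this campaign was SQL injection, so the assessment item above comes down to one code change: stop splicing user input into SQL text. The following is an added example for this page, not code from the report or from any affected provider. It shows a vulnerable lookup beside its parameterized fix against an in-memory SQLite database; the schema, rows and attacker payload are constructed, and the same fix applies to PDO prepared statements in the PHP applications the report describes.

```python
"""SQL injection: the vulnerable query beside its parameterized fix (added example)."""
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a provider's web-app backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE app_users (username TEXT, password_hash TEXT);
        INSERT INTO products (name, price) VALUES ('Edge Router', 199.0), ('Core Switch', 1499.0);
        INSERT INTO app_users VALUES ('alice', 'pbkdf2$c0ffee'), ('svc_deploy', 'pbkdf2$d15c0');
    """)
    return conn


def find_products_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the search term is spliced into the SQL text, so a quote in
    the term closes the string literal and everything after it runs as SQL."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def find_products_safe(conn: sqlite3.Connection, term: str) -> list:
    """Fixed: the term travels as a bound parameter and can only ever be data,
    whatever characters it contains."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


# Constructed attacker input: closes the LIKE literal, appends a UNION that reads
# the credentials table (same column count as the original SELECT), and comments
# out the trailing "%'" the application would have appended.
PAYLOAD = "zzz%' UNION SELECT username, password_hash FROM app_users --"

if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe, legitimate term:", find_products_unsafe(db, "router"))
    print("unsafe, payload:        ", find_products_unsafe(db, PAYLOAD))
    print("safe, payload:          ", find_products_safe(db, PAYLOAD))
```

Against the vulnerable function the payload returns the rows of app_users in place of product rows, which is the kind of data an attacker needs before dropping a web shell; against the parameterized version the same payload is just a search term that matches nothing. Parameterization does not remove the need for input validation or least-privilege database accounts, but it is the one control that closes the injection itself.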
### Next Steps
– Schedule a follow-up meeting to discuss updated cybersecurity strategies in response to these findings.
– Review current cybersecurity measures and provide training on recognizing living-off-the-land tradecraft of the kind used in Operation Digital Eye, where the attacker’s tools are signed, legitimate software and the traffic goes to trusted cloud services.