China-Sponsored Attackers Target 40K Corporate Users in 90 Days

Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users — including top-level executives — in just three months' time, researchers have found.

The attacks target a range of industries and enter corporate environments through browsers, allowing them to get past network infrastructure security controls and cloud network services and demonstrating an evolution in capabilities on the part of adversaries, according to researchers from Menlo Security who discovered them.

The campaigns — called LegalQloud, Eqooqp, and Boomer — are characterized by their deployment of what the researchers call highly evasive and adaptive threat (HEAT) attack techniques that can circumvent controls such as multifactor authentication (MFA) and URL filtering.

Tactics used by the campaigns include bypassing MFA and using phishing kits and adversary-in-the-middle (AitM) tactics to take over user sessions; impersonating entities, primarily Microsoft, familiar to or associated with the organizations targeted; and using dynamic phishing links that make it hard for filtering technologies to track and thus detect.

"These are challenging new tactics, and security practitioners must augment controls and take care to address them immediately," according to the report. "These sophisticated attacks magnify concerns about the effectiveness of traditional network security controls such as secure service Edge (SSE), secure Web gateways (SWG), and endpoint detection and response (EDR)."

State-Sponsored Actors Get Aggressive

The campaigns are aimed exclusively at credential phishing, with evidence to connect them to China-sponsored threat actors who are targeting the US and private enterprise in "aggressive cyber espionage efforts, posing an alarming risk to national security and pilfering innovation," according to the report. However, though researchers have established some attribution to a group previously tracked by Microsoft as Storm-1101/DEV-1101 — known for its development of AitM tactics that are used in the campaigns — it's not entirely clear exactly to which nation the attacks are linked.

All told, the campaigns targeted more than 3,000 unique domains across more than 10 industries and government institutions, and six out of 10 malicious links that users clicked on were connected to some kind of phishing campaign or fraud, with one of four of phishing links getting past legacy URL filtering, the researchers found.

Overall, this activity demonstrates how "nation-state cyber actors are constantly refining their methods to make their attacks more sophisticated and adaptable," notes Patrick Tiquet, vice president, security and architecture, at Keeper Security. This, in turn, means enterprises must accept that "adapting cybersecurity strategies is an ongoing process that demands flexibility and agility," he says.

Specific Credential-Stealing Campaigns

Though the campaigns have similarities, each has its own unique set of targets and tactics, all with the ultimate goal of extracting credentials from corporate users for further malicious purposes, primarily cyber-espionage.

LegalQloud, so-named because it impersonates legal firms to steal Microsoft credentials, targeted 500 enterprises in 90 days and is exclusively hosted on Tencent Cloud, which is from the largest Internet company in China. This hosting enables the URLs to bypass traditional categorization and allow-list controls, the researchers said.

Eqooqp has been targeting multiple government and private sector organizations — including logistics, finance, petroleum, manufacturing, higher education, and research firms — with AitM attacks that can defeat MFA. Menlo found nearly 50,000 attacks associated with the campaign, which uses malicious HTML attachments or links to pages that mimic Microsoft to phish credentials.

Another phishing campaign, Boomer, is especially intricate, targeting the government and healthcare sectors with advanced evasive techniques that include dynamic phishing sites, custom HTTP headers, tracking cookies, bot-detection countermeasures, encrypted code, and server-side generated phishing pages.

"Boomer uses server-side generated phishing pages for rapid campaign deployment and modification, enhancing the campaign’s ability to evade traditional security tools, indicating a higher level of skill," according to the report. "Boomer also includes properly configured security headers, such as X-XSS-Protection, and uses legitimate libraries, like Font Awesome for icons."

The campaign's Web application also employs a hidden iframe that's designed to detect bots and scan automation as a further advanced evasion tactic, the researchers found.

Demand for Stronger Defense

What all this amounts to is that organizations continue to have their work cut out for them to keep up with the evolving nature of attacks, especially from well-resourced state-sponsored actors, security experts say.

AitM attacks in particular — in which attackers deploy a proxy server between a target user and the website the user wishes to visit — "are the future of cybercrime," notes one security expert, and will be a particular thorn in the side of organizations' security strategies going forward.

"[They] are extremely effective and much harder to trace and prevent compared to traditional social engineering attacks," says Mika Aalto, co-founder and CEO at human risk management platform firm Hoxhunt.

And while they historically have been technically difficult to achieve for attackers, their recent prevalence shows that threat actors are quickly navigating this barrier, which will bring on "a wave of serious breaches from AitM-integrated credential harvesters, BECs, and ransomware," he says.

"The bottom line is, you have to accept that some attacks will get through to your users and thus you must do your best to prepare them for that fateful moment," Aalto says. "Security awareness and phishing training must keep pace with the latest threats so that people understand AitM and dynamic phishing, and they know how to spot these attacks and stay safe. Indeed, as cybersecurity is now a matter of national security and not just about protecting an organization's own data, it must be treated with the highest priority," Tiquet observes.

This requires organizations to embrace a zero-trust framework that "must evolve alongside technological advancements, workflow changes and shifts in the threat landscape," Tiquet says, and be continually refined and adapted "to ensure it remains effective in mitigating risks and protecting sensitive information."