Cybersecurity researchers from the Symantec Threat Hunter Team have linked a major espionage campaign with the Chinese APT group Cicada (also known as APT10, Stone Panda, Potassium, Bronze Riverside and the MenuPass team). The cyberattacks began in mid-2021 and continued until February 2022.
“The victims of the Cicada campaign were governmental, legal, religious and non-governmental organizations in many countries of the world, including in Europe, Asia and North America,” the experts said.
Most of the attacked organizations are located in the USA, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy, along with one victim in Japan. According to the experts, in some cases the attackers remained inside a victim’s network for as long as nine months.
In March 2021, researchers from Kaspersky Lab revealed an information-gathering operation undertaken by the group to install implants in a number of industries located in Japan. Then in February of this year the APT was involved in an organized attack on the supply chain of Taiwan’s financial sector in order to steal confidential information from compromised systems.
The new series of attacks recorded by Symantec begins with obtaining initial access through an unpatched vulnerability in Microsoft Exchange servers. Exploiting it allows the attackers to install the SodaMaster backdoor. SodaMaster is a remote access trojan (RAT) for Windows systems, capable of collecting data of interest and transmitting it back to the command-and-control server.
Other tools used by the attackers include the Mimikatz credential-dumping utility, the NBTScan tool for internal reconnaissance, WMIExec for remote command execution, and VLC Media Player for running a custom loader on an infected host.