Category | Details |
---|---|
Threat Actors | Suspected China-nexus cyber espionage group; no specific attribution to a known group, but tactics align with groups like Mustang Panda. |
Campaign Overview | Operation Digital Eye targeted large business-to-business IT service providers in Southern Europe, aiming to compromise systems and establish footholds for downstream access. |
Target Regions | Southern Europe; focus on IT service providers. |
Methodology | SQL injection for initial access; use of Visual Studio Code Remote Tunnels for C2; deployment of a PHP-based web shell (PHPsert); lateral movement using pass-the-hash techniques and RDP; custom Mimikatz variant (mimCN) for credential harvesting. |
Product Targeted | Microsoft Visual Studio Code, SQL-based applications, and databases; infrastructure like Microsoft Azure and GitHub accounts. |
Malware Reference | PHPsert web shell, custom Mimikatz variant (mimCN). |
Tools Used | SQLmap for SQL injection, custom Mimikatz (mimCN), Visual Studio Code Remote Tunnels, GitHub-based authentication for C2, RDP for lateral movement. |
Vulnerabilities Exploited | SQL injection flaws in internet-facing applications and database servers. |
TTPs | – Weaponization of legitimate tools (e.g., Visual Studio Code, SQLmap). – Abuse of public cloud infrastructure for C2. – Credential harvesting via pass-the-hash. – Custom tooling maintained by a shared vendor (mimCN). |
Attribution | Likely associated with the Chinese APT ecosystem based on tool overlap, shared code-signing certificates, and working hours aligning with China’s CST timezone (9 a.m.–9 p.m.). |
Recommendations | – Patch SQL injection vulnerabilities. – Monitor for unusual use of Visual Studio Code Remote Tunnels. – Detect lateral movement techniques like RDP and pass-the-hash. – Use threat intelligence to identify custom toolsets like mimCN. – Employ proactive endpoint monitoring. |
Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/hackers-weaponize-visual-studio-code.html
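The recommendation to monitor for unusual use of Visual Studio Code Remote Tunnels can be turned into a first-pass detection. The script below is an added example, not code from the article or this summary: it scans constructed process-creation and DNS log lines and flags a `tunnel` subcommand launched from a non-standard binary or on a host outside a developer allow-list, plus lookups of the tunnel service endpoints. The log format, the allow-list and the tunnel-service hostnames are assumptions for this example.

```python
import re

# Assumed log formats for this example (constructed, not from the article):
#   <host> proc image=<path> cmd="<command line>"
#   <host> dns query=<fqdn>
PROC_RE = re.compile(r'^(?P<host>\S+) proc image=(?P<image>.+?) cmd="(?P<cmd>.*)"$')
DNS_RE = re.compile(r'^(?P<host>\S+) dns query=(?P<query>\S+)$')

# Tunnel service endpoints (assumption for this example; the page does not
# list them, so confirm against your own baseline traffic before alerting).
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")

# Hosts where developers are expected to start tunnels (assumed allow-list).
ALLOWED_TUNNEL_HOSTS = {"dev-ws-07"}

def classify(line: str):
    """Return (severity, host, reason) for a suspicious line, else None."""
    m = PROC_RE.match(line)
    if m:
        host, cmd = m["host"], m["cmd"]
        exe = re.split(r"[\\/]", m["image"].lower())[-1]
        # The 'tunnel' subcommand is what turns the editor into a remote-access channel.
        if re.search(r"(^|\s)tunnel(\s|$)", cmd):
            if exe not in ("code.exe", "code"):
                return ("high", host, f"tunnel subcommand run from non-standard binary {exe}")
            if host not in ALLOWED_TUNNEL_HOSTS:
                return ("medium", host, "VS Code tunnel started on a non-developer host")
        return None
    m = DNS_RE.match(line)
    if m and m["query"].lower().endswith(TUNNEL_DOMAINS) and m["host"] not in ALLOWED_TUNNEL_HOSTS:
        return ("medium", m["host"], f"tunnel service lookup {m['query']}")
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOGS = [  # constructed sample lines for the demo
    'dev-ws-07 proc image=C:\\Program Files\\Microsoft VS Code\\code.exe cmd="code.exe tunnel --accept-server-license-terms"',
    'sql-srv-01 proc image=C:\\ProgramData\\code.exe cmd="code.exe tunnel --name build --accept-server-license-terms"',
    'sql-srv-01 dns query=global.rel.tunnels.api.visualstudio.com',
    'web-01 proc image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for severity, host, reason in scan(SAMPLE_LOGS):
        print(f"[{severity}] {host}: {reason}")
```

In production the allow-list should come from asset inventory and the findings should be correlated with the RDP and pass-the-hash indicators listed above, since a tunnel started on a database server is far more significant than one on a developer workstation.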
Disclaimer: The above summary has been generated by an AI language model.