DarkHotel hackers breach Chinese government agencies using VPN zero-day vulnerabilities

DarkHotel hackers, a group believed to operate from the Korean peninsula, have launched a large-scale hacking operation against Chinese government agencies and their employees. The attacks, believed to be related to the current COVID-19 outbreak, began last month, in March.

The intrusions were detected by Chinese security firm Qihoo 360, which stated that more than 200 VPN servers were compromised by the hackers using a zero-day vulnerability in Sangfor SSL VPN servers, which are used to provide remote access to enterprise and government networks. Targets included government agencies in Beijing and Shanghai and Chinese diplomatic missions abroad.

As per a report published by Qihoo, the entire attack chain was sophisticated and very clever. The hackers used the zero-day to gain control of Sangfor VPN servers, where they replaced a file named SangforUD.exe with a booby-trapped version.

The group has also been seen using zero-days for the Firefox and Internet Explorer browsers to target government entities in China and Japan.

Qihoo said it reported the zero-day vulnerability to Sangfor on April 3. Only Sangfor VPN servers running firmware versions M6.3R1 and M6.1 were vulnerable, and servers on those versions have been confirmed to have been compromised using the zero-day used by DarkHotel.

Sangfor said that patches are available for the current version of its SSL VPN server and for the older versions. It also plans to release a script to detect whether hackers have compromised a VPN server, and a second tool to remove the files deployed by DarkHotel.