The BfV (Bundesamt für Verfassungsschutz), Germany's domestic intelligence service, is warning of ongoing attacks by the Chinese state-backed hacking group APT27. In this campaign the attackers are deploying the HyperBro remote access trojan (RAT) to backdoor the networks of German commercial enterprises.
HyperBro runs as an in-memory backdoor with remote administration capabilities, which lets the threat actors maintain persistence on victims' networks. According to the agency, the group's goal is to steal sensitive information and to pivot from its victims to their customers and service providers in supply chain attacks.
“The Federal Office for the Protection of the Constitution (BfV) has information about an ongoing cyber espionage campaign by the cyber attack group APT27 using the malware variant HYPERBRO against German commercial companies,” the BfV said.
“It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack).”
The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German enterprises detect HyperBro infections and connections to APT27 command-and-control (C2) servers. APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese state-backed threat group that has been active since at least 2010 and is known for its focus on data theft and cyber espionage.
According to the German agency, APT27 has been exploiting vulnerabilities in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory and cloud applications, since March 2021. This is consistent with earlier reporting that Zoho ManageEngine installations were the target of multiple attack campaigns in 2021, run by nation-state actors using tactics and tooling similar to those of APT27.
The attackers exploited an ADSelfService Plus zero-day (CVE-2021-40539) until mid-September, then continued with n-day exploitation of the same ADSelfService Plus flaw until October 25, when they switched to a ServiceDesk Plus vulnerability (CVE-2021-44077). According to Palo Alto Networks Unit 42 researchers, they successfully compromised at least nine organizations in critical sectors worldwide, including defense, healthcare, energy, technology, and education.
In response to these attacks, the FBI and CISA released joint advisories warning that APT actors were exploiting ManageEngine vulnerabilities to deploy web shells on the networks of compromised critical infrastructure organizations.