
Norwegian software firm Visma thwarts state-sponsored attack by APT10

11 Feb 2019

Norwegian software company Visma has accused a Chinese state-sponsored threat group, APT10, of breaching its systems for the purpose of cyberespionage.

Visma, together with security firms Recorded Future and Rapid7, investigated a cyberespionage campaign that targeted organisations in the United States and Europe between November 2017 and September 2018.

The targets included Visma itself, a US law firm, and an international apparel company. Visma’s own threat-intelligence systems alerted the company to the attack while it was under way.

“The attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials,” Recorded Future explains.

“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver Trochilus malware.”

Although the firm contained the intrusion and says no client data was compromised, it decided that, in the name of transparency, it should share information about the attack.

APT10, also known as Stone Panda, menuPass, and CVNX, is a Chinese state-sponsored threat group. It has been active since at least 2009 and, according to Recorded Future, is assessed to be associated with the Chinese Ministry of State Security.

"We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached. Through the existing security programs, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised," comments Visma operations and security manager, Espen Johansen.

Visma worked with Recorded Future to conduct further analysis on the origin of the attacks, gather intelligence, and ensure correct attribution.

Visma’s Corporate Security Incident Response Team also worked with its Product Security Operations Center, NSM NorCERT, and police. 

“In this case, no client data was compromised, and Visma chose not to issue a general alert before they had conclusive evidence on who performed the theft,” the company says.

The company also believes that sharing information on attacks contributes to public awareness and motivates other companies to do the same.

“As a general rule, we always report cyber attacks to the police – it is our responsibility as a corporation and our responsibility towards our clients. We are very thankful for the guidance and advice from NSM NorCERT, Police (PST), and other cooperating parties in this case,” says Johansen.

“We urge all organisations to explore the opportunities that are available in CERT cooperation.”
