Norwegian security firm thwarts state-sponsored attack by APT10

11 Feb 2019

Norwegian cybersecurity firm Visma is accusing a Chinese state-sponsored attack group, APT10, of attacking its systems and engaging in cyberespionage.

Visma, in partnership with fellow security firms Recorded Future and Rapid7, investigated a cyberespionage campaign that targeted organisations in the United States and Europe between November 2017 and September 2018.

Visma itself was among the targeted companies, alongside a US law firm and an international apparel company. Visma’s own intelligence systems warned the company that it was about to be attacked.

“The attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials,” Recorded Future explains.

“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver Trochilus malware.”

While the firm mitigated the threat and no systems were affected in the attack, the company says that in the name of transparency, it must share information about the attack.

APT10, also known as Stone Panda, menuPass, and CVNX, is a group with ties to Chinese state-sponsored threat actors. It has been operating since at least 2009 and is thought to be associated with the Chinese Ministry of State Security, according to Recorded Future.

"We have several teams of security professionals in Visma that use efficient systems and methods to protect our systems from being breached. Through the existing security programs, coordinated response of our security teams and good advice from our partners, we were able to prevent client data from being compromised," comments Visma operations and security manager, Espen Johansen.

Visma worked with Recorded Future to conduct further analysis on the origin of the attacks, gather intelligence, and ensure correct attribution.

Visma’s Corporate Security Incident Response Team also worked with its Product Security Operations Center, NSM NorCERT, and police.

“In this case, no client data was compromised, and Visma chose not to issue a general alert before they had conclusive evidence on who performed the theft,” the company says.

The company also believes that sharing information on attacks contributes to public awareness and motivates other companies to do the same.

“As a general rule, we always report cyber attacks to the police – it is our responsibility as a corporation and our responsibility towards our clients. We are very thankful for the guidance and advice from NSM NorCERT, Police (PST), and other cooperating parties in this case,” says Johansen.

“We urge all organisations to explore the opportunities that are available in CERT cooperation.”
