December 11, 2024

Chinese Hackers Exploit Visual Studio Code to Target European IT Providers

[Image: an artistic rendering of an iris against a red background with the Chinese flag, illustrating Operation Digital Eye]

Attacks on large business-to-business IT service providers in Southern Europe have been attributed to a suspected China-nexus cyber espionage group, in a campaign codenamed Operation Digital Eye. The intrusions took place from late June to mid-July 2024; the cybersecurity companies SentinelLabs and Tinexta Cyber detected and neutralized the activity before it could progress to data exfiltration.

The campaign is notable for weaponizing Visual Studio Code Remote Tunnels as a command-and-control (C2) channel. The feature itself is legitimate and ships in a Microsoft-signed binary: it gives a remote VS Code client a terminal and file access on the endpoint, with the traffic relayed through Microsoft's dev tunnel infrastructure. An attacker who starts a tunnel on a compromised host therefore gets arbitrary command execution and file manipulation over a channel that, to most controls, looks like a developer working remotely.

Researchers Aleksandar Milenkoski and Luigi Martire describe a multi-stage intrusion. Initial access came through SQL injection vulnerabilities in internet-facing applications and database servers, which the attackers found and exploited with the automated tool sqlmap.

Following the initial breach, the hackers deployed a PHP-based web shell dubbed PHPsert to maintain a foothold and persistent remote access. The web shell is built to evade detection: its payload is XOR-encoded and its strings are assembled at runtime rather than appearing in the file as literals, so a scanner looking for the usual web-shell keywords finds nothing to match.
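Signature scanning fails against this kind of obfuscation, but the obfuscation itself leaves a shape that can be scored. The following scanner is an added example written for this article; it is not PHPsert and not the researchers' code. It weights a handful of indicators that match the two tricks described above (an XOR-decoding loop, strings assembled at runtime) together with the generic web-shell pattern of feeding request input to a dynamically chosen function. The indicator names, weights, threshold and both PHP samples are constructed assumptions for illustration.

```python
"""Heuristic scanner for obfuscated PHP web shells.

Added example, not PHPsert and not the researchers' code. Indicator names,
weights and the threshold are assumptions chosen for illustration; tune them
against your own PHP code base before relying on them.
"""
import re

# Each indicator: (name, compiled pattern, weight). Patterns target the two
# tricks the report names (XOR decoding, strings built at runtime) plus the
# generic web-shell shape of feeding request input to a dynamically chosen function.
INDICATORS = [
    ("xor_decode", re.compile(r"ord\([^)]*\)\s*\^|\^\s*ord\("), 3),
    ("chr_concat_string", re.compile(r"(?:chr\(\s*\d+\s*\)\s*\.\s*){3,}chr\("), 3),
    ("variable_function_on_input",
     re.compile(r"\$\w+\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"), 4),
    ("eval_like", re.compile(r"\b(?:eval|assert|create_function)\s*\("), 3),
    ("decoder_call",
     re.compile(r"\b(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\("), 2),
    ("reads_request_input", re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["), 1),
]
THRESHOLD = 6  # assumption: two strong indicators, or one strong plus two weak


def score_php(source: str):
    """Return (total score, list of matched indicator names) for one PHP source."""
    matched = [(name, weight) for name, pattern, weight in INDICATORS if pattern.search(source)]
    return sum(weight for _, weight in matched), [name for name, _ in matched]


def is_suspicious(source: str, threshold: int = THRESHOLD) -> bool:
    return score_php(source)[0] >= threshold


# Constructed sample: decodes a byte string with a repeating XOR key and calls
# whatever it decodes to on POST input. The encoded bytes are arbitrary here.
SUSPICIOUS_SAMPLE = r'''<?php
$k = "q7"; $e = "\x15\x4e\x02\x53\x1a\x44";
$s = "";
for ($i = 0; $i < strlen($e); $i++) { $s .= chr(ord($e[$i]) ^ ord($k[$i % 2])); }
$f = $s; $f($_POST["c"]);
'''

# Constructed sample: ordinary page that reads a query parameter and escapes it.
BENIGN_SAMPLE = r'''<?php
$name = htmlspecialchars($_GET["name"] ?? "guest");
echo "Hello, " . $name;
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, names = score_php(src)
        print(f"{label}: score={score} indicators={names}")
```

Run it over a web root with os.walk and review anything above the threshold by hand; the point of the weights is that reading request input alone (which every form handler does) never trips the scanner, while an XOR loop feeding a variable function does.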

The attack then progressed through reconnaissance, credential harvesting, and lateral movement across the network. The threat actors moved between systems over Remote Desktop Protocol (RDP) and used pass-the-hash with a custom-modified version of Mimikatz, starting processes in the security context of a user whose NTLM hash they had stolen, without needing that user's cleartext password.

The most notable element of the campaign is the abuse of Visual Studio Code Remote Tunnels. The attackers dropped a portable VS Code executable on compromised hosts and configured it to open a persistent remote tunnel. After authenticating the tunnel with a GitHub or Microsoft account, they could connect to the compromised endpoints from the browser-based version of Visual Studio Code (vscode.dev), giving them an interactive backdoor that is almost invisible among normal developer traffic.
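Because the tunnel uses a documented feature, the launch and the network traffic both have fixed shapes that telemetry can match. The following hunt is an added example written for this article, not code from the report. It rests on how the feature works: a tunnel is started with "code tunnel" (the CLI accepts --accept-server-license-terms for unattended launches and "tunnel service install" to persist as a service), and the host then talks to Microsoft's dev tunnel relay under devtunnels.ms and tunnels.api.visualstudio.com. The allowlist of hosts permitted to tunnel, the trusted install paths, and every process and DNS event below are constructed assumptions.

```python
"""Flag VS Code Remote Tunnel abuse in endpoint telemetry.

Added example, not code from the report. The detection rests on the way the
feature works: a tunnel is started with `code tunnel` (the CLI accepts
--accept-server-license-terms for unattended use and `tunnel service install`
to persist as a service) and the host then talks to Microsoft's dev tunnel
relay (*.devtunnels.ms, *.tunnels.api.visualstudio.com). The host allowlist,
trusted install paths and every event below are constructed assumptions.
"""
import re
import shlex

TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")
TUNNEL_ALLOWED_HOSTS = {"DEV-WS01"}  # assumption: developer workstations permitted to tunnel
# Where a managed VS Code install lives; a binary anywhere else is treated as "portable".
TRUSTED_LOCATION = re.compile(
    r"^c:\\program files\\microsoft vs code\\|\\appdata\\local\\programs\\microsoft vs code\\", re.I)
VSCODE_IMAGES = ("\\code.exe", "\\code-tunnel.exe")

# Constructed process-creation events (Sysmon event 1 / Security 4688 style)
PROCESS_EVENTS = [
    {"host": "DEV-WS01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\app'},
    {"host": "SQL-APP02", "user": "svc_web",
     "image": r"C:\Windows\Temp\vs\code.exe",
     "cmdline": r"C:\Windows\Temp\vs\code.exe tunnel --accept-server-license-terms --name srv02"},
    {"host": "SQL-APP02", "user": "svc_web",
     "image": r"C:\Windows\Temp\vs\code.exe",
     "cmdline": r"C:\Windows\Temp\vs\code.exe tunnel service install"},
]
# Constructed DNS query events
DNS_EVENTS = [
    {"host": "DEV-WS01", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "SQL-APP02", "query": "abc123-8000.euw.devtunnels.ms"},
    {"host": "SQL-APP02", "query": "www.microsoft.com"},
]


def check_process(ev):
    """Findings for one process event; empty list if it is not a tunnel launch."""
    image = ev["image"].lower()
    if not image.endswith(VSCODE_IMAGES):
        return []
    args = shlex.split(ev["cmdline"], posix=False)[1:]  # posix=False keeps Windows paths intact
    if not args or args[0].lower() != "tunnel":
        return []
    findings = ["vscode_tunnel_started"]
    if "--accept-server-license-terms" in args:
        findings.append("unattended_tunnel_launch")
    if args[1:3] == ["service", "install"]:
        findings.append("tunnel_persistence_service")
    if not TRUSTED_LOCATION.search(image):
        findings.append("portable_vscode_binary")
    if ev["host"] not in TUNNEL_ALLOWED_HOSTS:
        findings.append("host_not_allowed_to_tunnel")
    return findings


def check_dns(ev):
    """Flag relay lookups from hosts that have no business opening a tunnel."""
    q = ev["query"].lower()
    relay = any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS)
    if relay and ev["host"] not in TUNNEL_ALLOWED_HOSTS:
        return ["tunnel_relay_dns_from_unexpected_host"]
    return []


def hunt(process_events, dns_events):
    """Map host -> sorted unique findings, for hosts with at least one finding."""
    report = {}
    for ev in process_events:
        for f in check_process(ev):
            report.setdefault(ev["host"], set()).add(f)
    for ev in dns_events:
        for f in check_dns(ev):
            report.setdefault(ev["host"], set()).add(f)
    return {host: sorted(fs) for host, fs in report.items()}


if __name__ == "__main__":
    for host, findings in hunt(PROCESS_EVENTS, DNS_EVENTS).items():
        print(host, ", ".join(findings))
```

The developer workstation produces nothing: its VS Code binary sits in a managed install path, it was launched on a folder rather than with the tunnel subcommand, and its relay lookup comes from an allowlisted host. The database server trips every rule at once, which is the profile to alert on: a tunnel started non-interactively by a service account, from a binary in a temp directory, on a host that should never be running an editor.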

The attack infrastructure was located in Europe, primarily on M247 hosting and Microsoft Azure. That placement was likely chosen so that malicious traffic would blend with the targets' ordinary regional traffic and with legitimate connections to Microsoft's cloud.

Temporal analysis showed that the operators were active mainly during typical working hours in China, mostly between 9 a.m. and 9 p.m. China Standard Time (CST). That pattern is consistent with a professional team working a regular schedule, which points toward a state-sanctioned operation.

The exact group remains unidentified, because Chinese threat actors share tools and infrastructure extensively, but several indicators point to a China-nexus origin: simplified Chinese comments in the PHPsert web shell, the specific infrastructure used, and custom tools previously associated with Chinese cyber espionage activity.

The campaign shows how state-sponsored espionage actors can turn legitimate development tools and cloud infrastructure into stealthy, targeted operations. For organizations, the lesson is that detection has to look past the perimeter and past the reputation of a signed binary or a Microsoft-owned destination.

Defenders should monitor continuously, enforce strong authentication, and scrutinize remote access tools that look legitimate. For VS Code tunnels in particular, that means treating "code tunnel" launches and connections to Microsoft's dev tunnel relay domains as events to allowlist per host rather than ignore, and blocking them outright on servers where no developer needs them.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.