An intelligence service has released an advisory regarding an ongoing campaign by a Chinese state-sponsored hacking group called APT27 that has been targeting several commercial organisations in Germany.
The threat group utilises the HyperBro remote access trojan (RAT) to intrude on its targeted networks. The RAT operates as an in-memory backdoor with remote administration capabilities.
Experts also believe that the primary objective of the APT27 campaign is to exfiltrate sensitive and critical information and to target the victims’ customers in supply chain attacks. Furthermore, the threat group may attempt to intrude on the networks of corporate clients, which could result in a wider campaign.
The intelligence agency has also published YARA rules and IOCs to help targeted German entities check for any infection or intrusion conducted by the threat actors.
Researchers disclosed that the APT27 group had been exploiting Zoho ManageEngine ADSelfService Plus software vulnerabilities since March last year.
From March to September last year, the Chinese APT group used an ADSelfService zero-day exploit tracked as CVE-2021-40539. The threat actors then moved to n-day exploitation of ADSelfService before finally transitioning to a ServiceDesk vulnerability, CVE-2021-44077, which they have exploited from mid-October last year to the present day.
The APT27 group had also abused the ManageEngine flaws to deploy web shells on critical infrastructure organisations, and it was associated with campaigns exploiting the critical ProxyLogon weaknesses in March last year.
The researchers also noted that APT27 compromised approximately nine firms from essential sectors worldwide, such as education, technology, energy, defence, military, and healthcare.
Although no link has yet been established between the HyperBro RAT campaign and the earlier campaign, many cybersecurity agencies await more information regarding the threat group.
The recent advisory should be considered a severe threat, and targeted organisations are urged by experts to be prepared to counter the activity conducted by APT27. Targeted entities should also protect their intellectual property with stronger encryption and access controls, and use the published YARA rules and IOCs as a precautionary measure.