Cyberattacks are getting smarter every day, and “Operation Digital Eye” is a perfect example of just how sophisticated they’ve become. In this campaign, a suspected Chinese hacking group targeted European IT service providers, using clever tricks to break into their systems and stay hidden. 

The attackers didn’t just rely on old-school hacking—they used legitimate tools like Visual Studio Code’s Remote Tunnels and even GitHub authentication to make their activity look normal. By exploiting vulnerabilities and blending in with regular operations, they created a backdoor into critical infrastructure that was incredibly hard to detect.

In this post, we’ll walk you through the attack step by step. But before we dive in, here’s a quick visual summary:

 

Now, let’s break down the attack path [1].

Operation Digital Eye’s Attack Path: 

1. Initial Access: SQL Injection

  • Method: Exploited SQL injection vulnerabilities on internet-facing database servers.
  • Tool Used: Sqlmap to automate the detection and exploitation of these vulnerabilities.

2. Establishment of PHPsert Web Shell

  • Purpose: Maintained persistence on the compromised server.
  • Disguise: Web shell files were designed to resemble legitimate server files to evade detection.

3. Reconnaissance

  • Goal: Gathered system and network information.
  • Tools/Commands Used:
    • GetUserInfo to enumerate user accounts.
    • Ping to identify active hosts on the network.
    • local.exe to collect system-specific details.

4. Credential Theft

  • Memory Dump:
    • Used CreateDump to extract LSASS (Local Security Authority Subsystem Service) memory, which contains credential information.
  • Registry Extraction:
    • Used the reg save command to extract the SAM (Security Account Manager) database, revealing local user account credentials.

5. Lateral Movement

  • Methods Used:
    • Remote Desktop Protocol (RDP): Used to access other machines in the network.
    • Pass-the-Hash Attack: Deployed a custom tool (bK2o.exe) to authenticate across systems using hashed credentials.

6. Persistence

  • SSH Key Injection:
    • Modified the authorized_keys file to allow persistent, password-less SSH access.
  • Visual Studio Code Remote Tunnels:
    • Deployed a portable version of Visual Studio Code (code.exe).
    • Configured it to run as a service using Windows Service Wrapper.
    • Established encrypted tunnels to a Microsoft Azure server, giving the attackers a protected channel to the compromised machine.
    • Authentication: Routed through GitHub, blending malicious activity with legitimate developer workflows.
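
For defenders, the persistence pattern in step 6 can be hunted in process-creation telemetry. The sketch below is an added example, not code from the SentinelOne report: the event fields, the sanctioned install paths, the wrapper file name winsw.exe and the sample events are assumptions constructed for illustration.

```python
import ntpath
from fnmatch import fnmatchcase

# Assumptions: sanctioned install locations and wrapper names differ per
# environment; replace them with values from your own software inventory.
SANCTIONED_DIRS = (
    r"c:\program files\microsoft vs code\*",
    r"c:\users\*\appdata\local\programs\microsoft vs code\*",
)
TUNNEL_BINARIES = {"code.exe", "code-tunnel.exe"}
SERVICE_WRAPPERS = {"winsw.exe"}  # assumed file name for Windows Service Wrapper
SERVICE_USERS = {"nt authority\\system"}

def tunnel_findings(ev):
    """Return the reasons a process-creation event resembles tunnel persistence."""
    image = ev["image"].lower()
    if ntpath.basename(image) not in TUNNEL_BINARIES:
        return []
    if "tunnel" not in ev["command_line"].lower().split():
        return []  # ordinary editor launch, no tunnel subcommand
    reasons = ["VS Code CLI started in tunnel mode"]
    if not any(fnmatchcase(image, pat) for pat in SANCTIONED_DIRS):
        reasons.append("binary runs outside a sanctioned install directory")
    parent = ntpath.basename(ev["parent_image"].lower())
    if parent in SERVICE_WRAPPERS or ev["user"].lower() in SERVICE_USERS:
        reasons.append("started by a service wrapper or as a service account")
    return reasons

def triage(events, threshold=2):
    """Keep events with at least `threshold` findings; one alone may be a developer."""
    return [(ev["host"], r) for ev in events
            if len(r := tunnel_findings(ev)) >= threshold]

# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"host": "dev-01", "user": r"CORP\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": "Code.exe --type=renderer"},
    {"host": "dev-02", "user": r"CORP\bob", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
     "command_line": "code-tunnel.exe tunnel"},
    {"host": "db-07", "user": r"NT AUTHORITY\SYSTEM", "parent_image": r"C:\ProgramData\vsc\winsw.exe",
     "image": r"C:\ProgramData\vsc\code.exe",
     "command_line": "code.exe tunnel"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

Only the third event is raised, because it combines tunnel mode with an unsanctioned path and a service context. A developer's own tunnel (the second event) produces a single finding and stays below the threshold.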

     

Citation

1. SentinelOne. (2024). Operation Digital Eye: Chinese APT compromises critical digital infrastructure via Visual Studio Code tunnels. Retrieved December 11, 2024, from https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/