By now it should be no secret that APT20 is a hacking group linked to the Chinese government. The group has long been associated with attacks on government organizations and managed service providers, with the U.S. Department of Energy, Southern California Edison, and the International Olympic Committee among its named targets. More alarming is that it shows no scruples about attacking allies of the United States, putting international relations at risk.
This time, however, its methods differed. APT20 opened its attacks with a tool called KINS, which appears on the NSA's list of known backdoor exploits. The leaked data also showed that the attackers used more than 20 zero-day vulnerabilities, including a Metasploit module and an exploit for a Samsung device.
KINS is an old, outdated package whose only use is to get past two-factor authentication, in this case a one-time passcode generated by a hardware token that the user has to enter in order to log in.
What makes it interesting is how it gets past that second factor: it does not break the token. Instead, it logs into the service provider's web page itself and submits the fraudulent login request without the user's knowledge, so the one-time code is spent on the attacker's session rather than the victim's.
KINS has been used before, but this time it was used repeatedly within a single wave of attacks. All of these attacks used a Google account as the identifier and were launched from Chinese IP addresses. That reach is what makes the group so dangerous: it can target anyone, regardless of nationality.
In this campaign the KINS tool was used against three targets: the Israeli Ministry of Strategic Affairs, the U.S. Department of Defense, and an unspecified Chinese government agency. The attackers also deployed other tools, including Backdoor.Linux.KittyUnicorn, a customized version of the known backdoor Backdoor.Linux.XiaoMi.
This backdoor can monitor and control the victim's system for 60 days, or until the machine is rebooted. It can take screenshots, hide its presence from the operating system, and capture keystrokes in real time. The report also notes that a variant of this tool was used by the Chinese Ministry of Commerce in an earlier operation against foreign embassies in Beijing.
A further malicious module, called DeepSpeed, exploited a vulnerability in the Samsung Gear S2 smartwatch: it abuses the wireless protocol used between the watch and the smartphone to monitor the communications passing between them.
Two more tools, KINS-NT and KINS-EA, were deployed to bypass 2FA systems that deliver their codes by SMS or email.
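The bypass described for KINS above, and for its SMS/email siblings here, works because a one-time code that the victim has just entered is still valid for a short window, so whoever submits it first (or again) gets the session. The example below is added here to show the verifier-side check that narrows this; it is not code from the article or from any of the tools it names, and its users, timestamps and the "captured" code are constructed. It implements RFC 6238 TOTP (HMAC-SHA1, the RFC's own test seed) and a verifier that records the highest time-step already consumed per user, so a captured code cannot be accepted twice; the RFC requires exactly this. The same check also shows the limit of the defence: a real-time relay that submits the code before the victim's own request still wins, which is the case the article attributes to KINS.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter with dynamic truncation."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side verifier. With reject_reuse=True a time-step that has already
    produced a successful login is never accepted again for that user."""

    def __init__(self, secrets, step: int = 30, skew: int = 1, reject_reuse: bool = True):
        self._secrets = dict(secrets)        # user -> shared secret
        self._step = step
        self._skew = skew                    # accept +/- skew steps of clock drift
        self._reject_reuse = reject_reuse
        self._last_counter = {}              # user -> highest counter already consumed

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        current = now // self._step
        for delta in range(-self._skew, self._skew + 1):
            candidate = current + delta
            if self._reject_reuse and candidate <= self._last_counter.get(user, -1):
                continue                     # this window was already spent: replay
            expected = totp(secret, candidate * self._step, self._step, len(code))
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = candidate
                return True
        return False


# RFC 6238 Appendix B test seed (constructed scenario, not a real user's secret).
RFC_SECRET = b"12345678901234567890"


def bypass_scenario(reject_reuse: bool = True):
    """Constructed timeline. Alice types her code into the attacker's page at t=59;
    the attacker submits it to the real site first, Alice's own request lands two
    seconds later, and the attacker tries the same code again at t=70.
    Returns (attacker_relay_ok, alice_ok, attacker_replay_ok)."""
    verifier = TotpVerifier({"alice": RFC_SECRET}, reject_reuse=reject_reuse)
    t = 59                                    # time-step counter 1
    captured = totp(RFC_SECRET, t)            # the code Alice just revealed
    attacker_relay = verifier.verify("alice", captured, t)       # real-time relay
    alice_own = verifier.verify("alice", captured, t + 2)        # victim's request
    attacker_replay = verifier.verify("alice", captured, t + 20)  # later replay
    return attacker_relay, alice_own, attacker_replay


if __name__ == "__main__":
    print("with reuse rejection:   ", bypass_scenario(True))
    print("without reuse rejection:", bypass_scenario(False))
```

With reuse rejection on, the relayed login succeeds but both later uses of the same code fail, including the victim's own, which is the visible symptom of an active relay and a reason to alert on "valid code rejected as reused" events. With it off, all three logins succeed, which is the weak configuration the article's tools depend on. Codes delivered by SMS or email should be consumed the same way, and ideally bound to the session that requested them.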