DarkHotel: A campaign targeting over 200 VPN servers have been uncovered by the Chinese firm Qihoo 360. It is believed that the campaign is currently being carried out to target a number of Chinese institutions and government agencies. The campaign has been timed to line up with new orders from the Chinese government for citizens to work from home. According to Qihoo 360, DarkHotel is responsible for this current wave of attacks targeting VPNs utilized by Chinese organizations. In one case, the group exploited a previously unknown vulnerability in the enterprise VPN software Sangfor SSL then installed malicious software on a victim’s machines to steal user data.
While Qihoo 360 is confident that DarkHotel is behind the campaign, others are not so sure. Some security researchers have pointed out that Qihoo’s analysis is very light on supporting evidence and heavy on confirmation bias. None are going so far as to say that Qihoo is wrong, only that more supporting evidence is needed to make a claim of attribution. VPNs have become a vital part of the global infrastructure as much of the world’s workforce shifts to working from home. While instances like the one involving Sangfor can be difficult to prepare for, there are basic security steps which can be taken to protect remote workers and organizations during this unusual time. Ensuring that VPNs are being properly configured and kept up-to-date with current security patches is an important first step. Endpoint monitoring and detection can also aid in defending against intrusion by detecting suspicious activity on workstations and servers, should malicious software find its way onto a worker’s machine. More information on this incident can be found at https://www.techradar.com/news/this-major-chinese-vpn-provider-has-been-hacked