In an analysis released by Symantec and originally reported by ZDNet, APT 10, also tracked as Stone Panda/Cloud Hopper, has been observed targeting companies in 17 regions across the automotive, pharmaceutical, engineering, and managed service provider (MSP) industries. From mid-October 2019 to at least October of this year, APT 10 has been leveraging DLL side-loading, Quasar RAT, and various browser-based certificate person-in-the-middle techniques to steal personally identifiable information.
The most recent addition to their vast toolkit is a tool that exploits CVE-2020-1472, the Zerologon vulnerability, a critical privilege-escalation flaw in Active Directory environments. With nothing more than access to a system on the same local network as a Domain Controller, an attacker can completely take over the domain in a matter of seconds. Microsoft released a patch for this vulnerability, but it only protects an organization once systems administrators apply the Windows update to their Domain Controllers. Based on exfiltrated data, the group appears focused on stealing documents useful for cyberespionage, such as corporate records, HR documents, meeting memos, and expense information.
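For defenders reviewing Domain Controller logs after reading reports like this one, the following is an added triage example (it is not code from Symantec's report or from any tool attributed to APT 10). It applies two widely used Zerologon heuristics to Windows Security log records: Event ID 4742 (computer account changed) where the acting account is ANONYMOUS LOGON, which is consistent with an unauthenticated machine-account password reset, and Event ID 5829, which a patched but non-enforcing DC logs when it still allows a vulnerable Netlogon secure channel. The JSON-style event records and host names are constructed for the example; the field names assume a flat export of the relevant event properties.

```python
"""Triage Windows Security log records for activity consistent with CVE-2020-1472 (Zerologon).

Added example, not part of the original article. Heuristics used:
  4742 - "A computer account was changed", acted on by ANONYMOUS LOGON
         (a machine-account password reset with no authenticated actor)
  5829 - Netlogon allowed a vulnerable secure-channel connection
         (patch installed, enforcement mode not yet on)
The records below are constructed sample data, not real telemetry.
"""
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str, str]  # (finding_kind, affected_account, reporting_host)

# Constructed sample events shaped like a flat JSON export of Security log properties.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "Computer": "DC01.corp.example", "PasswordLastSet": "changed"},
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "WS-ACCT-17$",
     "Computer": "DC01.corp.example", "PasswordLastSet": "changed"},   # routine 30-day rotation
    {"EventID": 5829, "Computer": "DC01.corp.example",
     "MachineAccount": "LEGACY-NAS$", "Domain": "CORP"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Computer": "DC01.corp.example"},
]


def is_anonymous_machine_reset(event: Event) -> bool:
    """4742 on a machine account ($ suffix) performed by ANONYMOUS LOGON."""
    if event.get("EventID") != 4742:
        return False
    actor = str(event.get("SubjectUserName", "")).upper()
    target = str(event.get("TargetUserName", ""))
    return actor == "ANONYMOUS LOGON" and target.endswith("$")


def is_vulnerable_channel_allowed(event: Event) -> bool:
    """5829 means the DC accepted a connection that enforcement mode would reject."""
    return event.get("EventID") == 5829


def triage(events: List[Event]) -> List[Finding]:
    """Return one finding per event that matches either heuristic, in input order."""
    findings: List[Finding] = []
    for e in events:
        host = str(e.get("Computer", "?"))
        if is_anonymous_machine_reset(e):
            findings.append(("possible_zerologon_exploitation",
                             str(e["TargetUserName"]), host))
        elif is_vulnerable_channel_allowed(e):
            findings.append(("vulnerable_netlogon_channel_allowed",
                             str(e.get("MachineAccount", "?")), host))
    return findings


if __name__ == "__main__":
    for kind, account, host in triage(SAMPLE_EVENTS):
        print(f"{kind}: account={account} host={host}")
```

A 4742 from ANONYMOUS LOGON against a Domain Controller's own account is the strongest signal here and warrants immediate incident response; 5829 findings are not attacks in themselves but list the legacy devices that keep an administrator from switching Netlogon to enforcement mode.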