Major Southern European business-to-business IT service providers were targeted by a suspected Chinese cyberespionage operation, tracked as Operation Digital Eye, between June and July. The campaign abused Visual Studio Code Remote Tunnels and Microsoft Azure infrastructure for command-and-control, The Hacker News reports.
The intrusions were detected and stopped before any data was exfiltrated. The threat actors initially compromised internet-exposed applications and database servers through SQL injection, then deployed the PHPsert webshell, performed reconnaissance, harvested credentials, moved laterally, and injected a custom build of Mimikatz to carry out pass-the-hash attacks, according to a joint report from SentinelOne's SentinelLabs and Tinexta Cyber. Both VS Code Remote Tunnels and SSH were then used for remote code execution. "The abuse of Visual Studio Code Remote Tunnels in this campaign illustrates how Chinese APT groups often rely on practical, solution-oriented approaches to evade detection. By leveraging a trusted development tool and infrastructure, the threat actors aimed to disguise their malicious activities as legitimate," said researchers.
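One check a defender can derive from this description, added here as an example and not code from the article or from the SentinelLabs/Tinexta Cyber report: a small Python hunt over endpoint telemetry that flags the VS Code CLI being launched in tunnel mode, or outbound connections to the dev-tunnel endpoints, from any account that is not an approved developer. The pipe-delimited log format, the sample events, the allow-list and the tunnel hostnames (taken from Microsoft's public documentation rather than from the page) are all assumptions made for the example.

```python
"""Hunt for VS Code Remote Tunnel abuse in endpoint telemetry.

Constructed example for this article, not code from SentinelLabs,
Tinexta Cyber or the campaign itself. Two signals are checked:
  1. the VS Code CLI being launched in tunnel mode ("code tunnel ..."),
  2. outbound connections to the dev-tunnel relay/API endpoints.
Either one from an account outside the developer allow-list is flagged.
"""
import re
from dataclasses import dataclass

# Matches "code tunnel", "code.exe tunnel", '"...\code.exe" tunnel' and the
# persistent "code tunnel service install" form, whatever the install path.
TUNNEL_CMD = re.compile(r'(?:^|[\\/\s])code(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)

# Hostnames VS Code Remote Tunnels talk to. Assumed from Microsoft's public
# documentation, not from the article; adjust to what your proxy logs show.
TUNNEL_HOST = re.compile(r'(?:\.devtunnels\.ms|\.tunnels\.api\.visualstudio\.com)$', re.IGNORECASE)

# Hypothetical allow-list: accounts permitted to run a tunnel on this estate.
ALLOWED_USERS = {r"CORP\dev.alice"}


@dataclass
class Finding:
    line_no: int
    host: str
    user: str
    reason: str


def parse(line):
    """Parse one 'k=v|k=v' record (constructed log format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)


def scan(lines, allowed_users=ALLOWED_USERS):
    """Return a Finding for every tunnel launch or tunnel-endpoint connection
    made by an account outside allowed_users."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        user, host = rec.get("user", ""), rec.get("host", "")
        if user in allowed_users:
            continue  # approved developer: a tunnel is expected behaviour
        if TUNNEL_CMD.search(rec.get("cmd", "")):
            findings.append(Finding(n, host, user, "VS Code CLI started in tunnel mode"))
        elif TUNNEL_HOST.search(rec.get("dst", "").rsplit(":", 1)[0]):
            findings.append(Finding(n, host, user, "connection to VS Code tunnel endpoint"))
    return findings


# Constructed sample telemetry: process-creation (cmd=) and network (dst=) events.
SAMPLE_LOG = [
    r"ts=2024-07-02T09:14:03Z|host=SQL01|user=NT AUTHORITY\SYSTEM|pid=4120|cmd=C:\Users\Public\code.exe tunnel --accept-server-license-terms --name SQL01",
    r"ts=2024-07-02T09:14:05Z|host=SQL01|user=NT AUTHORITY\SYSTEM|pid=4120|dst=global.rel.tunnels.api.visualstudio.com:443",
    r'ts=2024-07-02T09:20:11Z|host=WS07|user=CORP\dev.alice|pid=2231|cmd="C:\Program Files\Microsoft VS Code\code.exe" tunnel',
    r"ts=2024-07-02T09:21:40Z|host=WEB02|user=IIS APPPOOL\DefaultAppPool|pid=900|cmd=C:\php\php-cgi.exe -f C:\inetpub\wwwroot\index.php",
    r"ts=2024-07-02T09:22:02Z|host=SQL01|user=NT AUTHORITY\SYSTEM|pid=4120|dst=abc.euw.devtunnels.ms:443",
    r"ts=2024-07-02T09:22:30Z|host=WS07|user=CORP\dev.alice|pid=2231|dst=def.euw.devtunnels.ms:443",
    r"ts=2024-07-02T09:25:17Z|host=WS12|user=CORP\bob|pid=3310|cmd=C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\code.exe --version",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} {f.user}: {f.reason}")
```

The allow-list is the important design choice: Remote Tunnels are a legitimate developer feature, so the anomaly is not the tool itself but who runs it and where. A database server launching `code tunnel` under SYSTEM, or a service account reaching the dev-tunnel relay, is the pattern worth alerting on; a developer workstation doing the same is noise unless policy forbids tunnels entirely.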