
BlackTech Hackers Exploit Critical Lanscope Zero-Day in Targeted Cyber Espionage Campaign
A sophisticated, state-sponsored hacking group with ties to China has been identified exploiting a previously unknown “zero-day” vulnerability in a popular IT asset management tool. The group, known as BlackTech (also tracked as Palmerworm and Temp.Overboard), leveraged this critical flaw to infiltrate the networks of government, media, and technology organizations, primarily in Japan and Taiwan.
This campaign highlights the growing threat of attacks that target widely used enterprise software to gain a foothold in otherwise secure environments. By compromising the software itself, attackers can bypass traditional security measures and conduct long-term espionage operations undetected.
The Vulnerability: CVE-2023-22315
The core of this attack is a critical remote code execution (RCE) vulnerability in MOTEX’s Lanscope Cat, a software suite used by many organizations for managing IT assets and security operations. Tracked as CVE-2023-22315, this flaw allowed attackers to execute arbitrary commands on affected systems without any user interaction.
Because BlackTech exploited the flaw before a patch existed, the activity is classified as a zero-day attack, one of the hardest kinds to stop with signature-based controls alone. An RCE vulnerability in a management tool that, as noted below, runs with significant privileges effectively gives an attacker the keys to the kingdom: code execution on that server lets them install malware, steal data, and move freely within the compromised network.
Anatomy of the Attack: Custom Malware and Evasion Tactics
Once BlackTech exploited the Lanscope Cat vulnerability, they did not rely on off-the-shelf tools. Instead, they deployed custom-built backdoor malware specifically designed for this operation. Security researchers have identified two key payloads used in the attacks:
- Flagpro: A sophisticated backdoor designed for cyber espionage. It enables attackers to upload and download files, execute system commands, and establish a persistent presence on the victim’s network.
- Self-loader: This malware is used to load and execute other malicious payloads, a technique that helps the attackers remain hidden by separating their initial exploit from their long-term espionage tools.
To further evade detection, the hackers employed a technique known as DLL sideloading. Windows resolves a DLL by name, searching a fixed order of locations that begins with the directory of the executable requesting it, so an attacker who drops a malicious DLL under an expected name where a trusted, signed binary (the researchers cite Windows’ own msiexec.exe) will find it first gets that code loaded into the trusted process. Because the malicious code then runs inside a legitimate, signed process, it is less likely to be flagged by antivirus software and security monitoring tools.
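As an added illustration of how a defender hunts for this technique (example code written for this page, not code from the article, from MOTEX, or from the researchers), the following Python script flags image-load records in which a watched, signed Windows binary loads a DLL from outside the OS directories, or loads a DLL whose signature is absent or does not validate. The records are constructed to resemble Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus); the watchlist entries beyond msiexec.exe and the trusted-directory list are assumptions you would tune to your own estate.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Added example for this page, not code from the article or from the researchers.
The records below are constructed; field names follow Sysmon Event ID 7
(Image, ImageLoaded, Signed, SignatureStatus).
"""
from typing import Dict, Iterable, List

# Directories from which the OS itself is expected to serve DLLs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Signed Windows binaries watched as side-loading hosts. msiexec.exe is the one
# the article names; the other entries are an assumption to tune per estate.
WATCHED_HOSTS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe"}


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and separator style."""
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    """Last path component of a Windows path (os.path.basename is '/'-only on Linux)."""
    return path.rsplit("\\", 1)[-1]


def is_sideload_candidate(event: Dict[str, str]) -> bool:
    """True when a watched trusted process loads a DLL from outside the OS
    directories, or loads a DLL whose Authenticode signature is absent/invalid."""
    image = _norm(event.get("Image", ""))
    loaded = _norm(event.get("ImageLoaded", ""))
    if _base(image) not in WATCHED_HOSTS or not loaded.endswith(".dll"):
        return False
    from_trusted_dir = any(loaded.startswith(d + "\\") for d in TRUSTED_DIRS)
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    return (not from_trusted_dir) or not (signed and valid)


def find_sideload_candidates(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of records worth an analyst's attention, in input order."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: msiexec loads a Microsoft-signed DLL from System32.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: msiexec loads an unsigned DLL from a user-writable folder.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Suspicious: the DLL sits in System32 but its signature no longer validates
    # (a tampered or replaced copy).
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll",
     "Signed": "true", "SignatureStatus": "Errors"},
    # Not flagged: a process outside the watchlist (would be a separate rule).
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

Sysmon does not log image loads unless its configuration includes ImageLoad rules, so enable them at least for the binaries on the watchlist before relying on a rule like this; the same logic translates directly into a SIEM query over the corresponding fields.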
Who is BlackTech?
BlackTech is a well-established and persistent cyber espionage group believed to be operating on behalf of China. The group has a long history of targeting entities in East Asia, with a particular focus on Japan and Taiwan. Their primary objective is intelligence gathering, and they are known for their stealth, patience, and use of custom malware tailored to their victims. Their focus on technology, media, electronics, and government sectors aligns with strategic state interests.
Critical Security Steps: How to Protect Your Organization
The discovery of this zero-day exploitation serves as a critical reminder for all organizations to prioritize software updates and proactive threat hunting. If your organization uses MOTEX’s Lanscope Cat, immediate action is required.
Patch Immediately: MOTEX has released a security update to address CVE-2023-22315. All users should update to Lanscope Cat version 9.6.2.10 or later without delay. Running unpatched versions leaves your network exposed to this exact attack.
Hunt for Indicators of Compromise (IOCs): Even after patching, it is crucial to determine whether systems were already compromised; a patch closes the entry point but does not remove a backdoor that is already installed. Security teams should actively search for network and endpoint IOCs associated with the Flagpro backdoor and other tools used by BlackTech.
Implement the Principle of Least Privilege: Enterprise management tools like Lanscope Cat require significant system privileges to function. Ensure that such software, and the accounts used to manage it, are configured with the minimum level of access necessary. This can limit an attacker’s ability to move laterally across the network if a compromise occurs.
Enhance Network Monitoring: Increase monitoring of outbound traffic from servers running management software. Establish a baseline of which processes on those servers normally initiate connections, to which destinations and on which ports, then look for deviations: unusual connections, unexpected data transfers, or network activity from processes (such as installers or scripting hosts) that don’t typically perform those actions.
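The patching and monitoring steps above, as one added Python example (written for this page, not code from the article or from MOTEX): it compares an installed Lanscope Cat version string against the 9.6.2.10 fixed version the article names, and classifies outbound connection records from the management server the way the monitoring step suggests. The process name lanscope_server.exe, the allowed-port set and the connection records are constructed assumptions, and the public addresses use RFC 5737 documentation ranges as stand-ins for internet hosts.

```python
"""Triage a host running an asset-management server: patch status plus an
outbound-connection review.

Added example for this page, not code from the article or from MOTEX.
Process names, ports, addresses and events below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

FIXED_VERSION = "9.6.2.10"  # first fixed build named in the article

# RFC 1918 ranges; anything else is treated as "the internet" for this triage.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Signed Windows binaries that should not be opening network connections
# on their own from a management server.
LOLBINS = {"msiexec.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "cmd.exe", "powershell.exe"}

# Hypothetical name for the management service process (assumption).
MGMT_PROCESSES = {"lanscope_server.exe"}
# Ports the management service is expected to use towards the internet (assumption).
ALLOWED_PORTS = {443}


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.6.2.10' -> (9, 6, 2, 10)."""
    return tuple(int(p) for p in v.strip().split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Compare dotted versions numerically. Shorter strings are padded with
    zeros so '9.7' compares as 9.7.0.0; a plain string compare would get
    '9.10' < '9.9' wrong."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_outbound(event: Dict[str, str],
                      mgmt_processes: Set[str] = MGMT_PROCESSES,
                      allowed_ports: Set[int] = ALLOWED_PORTS) -> Optional[str]:
    """Return a finding label for a suspicious outbound connection, else None.
    Field names follow Sysmon Event ID 3 (Image, DestinationIp,
    DestinationPort, Initiated)."""
    if event.get("Initiated", "true").lower() != "true":
        return None  # inbound connection, out of scope here
    proc = event["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    port = int(event["DestinationPort"])
    if proc in LOLBINS:
        return "lolbin_outbound"  # e.g. msiexec.exe calling out after side-loading
    if is_internal(event["DestinationIp"]):
        return None  # talking to managed endpoints is the server's job
    if proc not in mgmt_processes:
        return "unexpected_process_to_internet"
    if port not in allowed_ports:
        return "unusual_port_to_internet"
    return None


def triage_host(installed_version: str, events: List[Dict[str, str]],
                mgmt_processes: Set[str] = MGMT_PROCESSES,
                allowed_ports: Set[int] = ALLOWED_PORTS) -> Dict:
    """Combine the patch check with the connection review into one report."""
    findings = []
    for e in events:
        label = classify_outbound(e, mgmt_processes, allowed_ports)
        if label:
            findings.append((label, e))
    return {"patched": is_patched(installed_version), "network_findings": findings}


# Constructed connection records; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for arbitrary internet hosts.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\Program Files\Lanscope\lanscope_server.exe",
     "DestinationIp": "10.20.5.23", "DestinationPort": "443", "Initiated": "true"},
    {"Image": r"C:\Program Files\Lanscope\lanscope_server.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "443", "Initiated": "true"},
    {"Image": r"C:\Program Files\Lanscope\lanscope_server.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": "8443", "Initiated": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.20.0.1", "DestinationPort": "49152", "Initiated": "false"},
]

if __name__ == "__main__":
    report = triage_host("9.6.1.3", SAMPLE_CONNECTIONS)
    print("patched:", report["patched"])
    for label, e in report["network_findings"]:
        print(label, e["Image"], e["DestinationIp"], e["DestinationPort"])
```

The RFC 1918 check is deliberate: Python's ipaddress.is_global treats the documentation ranges as non-global, so a rule built on it would silently pass the sample public addresses used here. In production, replace the constructed process name and port set with what your own baseline of the management server shows.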
This incident underscores the importance of a defense-in-depth security strategy. Relying on a single layer of protection is no longer sufficient against determined, state-sponsored attackers who actively search for and exploit zero-day vulnerabilities in trusted enterprise software.
Source: https://www.bleepingcomputer.com/news/security/china-linked-hackers-exploited-lanscope-flaw-as-a-zero-day-in-attacks/


