Security researchers have uncovered a sophisticated cyber espionage campaign, dubbed "LapDogs," that has compromised over 1,000 small office/home office (SOHO) devices worldwide. This campaign, attributed to China-linked threat actors, leverages these devices to form an Operational Relay Box (ORB) network, facilitating covert surveillance and data exfiltration.

Discovery and Attribution

The STRIKE team at SecurityScorecard identified the LapDogs campaign, noting its strategic targeting of regions such as the United States, Japan, South Korea, Hong Kong, and Taiwan. The campaign's deliberate growth since at least September 2023 suggests a methodical approach to espionage. Evidence, including Mandarin code comments and victim profiles, links the campaign to the China-based Advanced Persistent Threat (APT) group UAT-5918.

Technical Analysis of ShortLeash Malware

Central to the LapDogs campaign is the deployment of a custom backdoor malware named "ShortLeash." This malware is designed to establish persistent access on compromised devices, enabling attackers to operate undetected. Key characteristics of ShortLeash include:
  • Installation Mechanism: The malware requires root access and checks for specific operating systems, such as Ubuntu or CentOS, to tailor its installation process. If the OS is unrecognized, it displays a Mandarin message stating "Unknown System."
  • Persistence: ShortLeash replaces legitimate system services with its own malicious versions, ensuring it remains active across system reboots.
  • Obfuscation Techniques: The malware's core payload is encrypted in two layers, complicating detection and analysis. Upon decryption, it reveals certificates, private keys, and command-and-control (C2) server URLs. Notably, it generates self-signed TLS certificates spoofing the Los Angeles Police Department (LAPD), adding a layer of deception.
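The LAPD-spoofing certificate described above gives defenders a concrete thing to check on the TLS endpoints of their own SOHO devices. The following Go program is an added example, not code from the Security Affairs write-up or the SecurityScorecard report: it flags a certificate that is self-signed and whose subject names the LAPD. The page does not give the exact subject fields ShortLeash uses, so the marker strings, the newSelfSigned helper and its in-memory sample certificates are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Assumed markers: the page says ShortLeash certificates spoof the LAPD but gives no exact field values.
var lapdMarkers = []string{"los angeles police department", "lapd"}

// CertFindings explains why a certificate served by a SOHO device looks like a ShortLeash-style LAPD spoof; empty means nothing matched.
func CertFindings(cert *x509.Certificate) []string {
	var findings []string
	// Self-signed: issuer equals subject and the signature verifies under the certificate's own key (CheckSignature ignores CA constraints).
	if cert.Issuer.String() == cert.Subject.String() && cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed")
	}
	subject := strings.ToLower(cert.Subject.String())
	for _, m := range lapdMarkers {
		if strings.Contains(subject, m) {
			return append(findings, "subject impersonates LAPD")
		}
	}
	return findings
}

// newSelfSigned builds a constructed certificate in memory for the demo; in practice the input would be tls.ConnectionState.PeerCertificates[0].
func newSelfSigned(org, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A self-signed certificate on its own is routine for embedded web servers, so only the combination with the impersonation marker is worth an alert; the self-signed flag alone is context for the analyst.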

Targeted Devices and Vulnerabilities

LapDogs primarily targets SOHO devices from various vendors, including ASUS, D-Link, Microsoft, Panasonic, and Synology. The campaign exploits known vulnerabilities in these devices, such as CVE-2015-1548 and CVE-2017-17663, which are associated with outdated mini_httpd servers. Devices running lightweight web servers like lighttpd and mini_httpd, common in embedded systems, are particularly susceptible. Ruckus Wireless access points and Buffalo AirStation routers have been frequently compromised, especially in regions like Tokyo.

Operational Relay Box (ORB) Networks

Unlike traditional botnets that are often noisy and disruptive, ORB networks like LapDogs are designed for stealth and persistence. These networks use compromised devices to maintain covert infrastructure, allowing threat actors to conduct long-term espionage without detection. The compromised devices continue to function normally, making it challenging for security teams to identify and mitigate the threat.

Strategic Implications and Recommendations

The LapDogs campaign underscores a strategic shift in cyber espionage tactics, emphasizing the use of ORB networks to achieve covert, long-term access to targeted systems. This approach disrupts traditional methods of tracking indicators of compromise (IOCs) and necessitates a reevaluation of current cybersecurity strategies.
Recommendations for Organizations:
  • Regular Firmware Updates: Ensure all SOHO devices are updated with the latest firmware to patch known vulnerabilities.
  • Network Segmentation: Implement strict network segmentation policies to isolate SOHO devices from critical infrastructure.
  • Enhanced Monitoring: Deploy advanced monitoring solutions to detect anomalous traffic patterns indicative of ORB network activity.
  • Vendor Management: Engage with device vendors to ensure they provide timely security updates and support for their products.
By adopting these measures, organizations can bolster their defenses against sophisticated campaigns like LapDogs and mitigate the risks associated with compromised SOHO devices.

Source: Security Affairs, "LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage"