
China-linked LapDogs Campaign Drops ShortLeash Backdoor with Fake Certs – Source:hackread.com


Source: hackread.com – Author: Deeba Ahmed.

Cybersecurity experts at SecurityScorecard have discovered a widespread cyber espionage operation, dubbed LapDogs, which has compromised an unknown number of devices (probably thousands) around the world since September 2023.

This stealthy campaign, likely originating from a China-based group, focuses on long-term surveillance and data theft, primarily targeting the United States, Japan, South Korea, Taiwan, and Hong Kong.

Exploiting Everyday Devices

According to SecurityScorecard’s STRIKE team’s research, unlike typical cyberattacks that aim for quick access, LapDogs uses a clever method involving what experts call Operational Relay Boxes (ORBs). An ORB is a compromised device, often a Small Office/Home Office (SOHO) router or an Internet of Things (IoT) device, that attackers use to secretly route their traffic.

SOHO routers are those used in small businesses or homes, connecting multiple devices to the internet. By using these everyday devices, especially older models from companies like Ruckus Wireless (making up about 55% of compromised hardware) and Buffalo Technology, the attackers can hide their activities and avoid detection for months.

These vulnerable devices often run outdated or unpatched firmware and may expose services like mini_httpd, embedded management tools with default settings, OpenSSH, or DropBear SSH.

A key part of the LapDogs operation is a custom tool called ShortLeash. This is a malicious program, or backdoor, that gives the attackers hidden control over infected computers and networks, enabling silent control, persistence, and lateral movement within networks.

The Linux version of ShortLeash is deployed by a Bash script that checks for Ubuntu or CentOS to place a malicious service file in relevant directories. The ShortLeash payload itself features a two-layer decryption process for its configuration, which includes certificates, private keys, and a URL.

It also runs a server that simulates an Nginx response and uses random hardcoded query parameters when communicating with its C2 servers. To further cover their tracks, ShortLeash even creates fake security certificates that appear to be from the Los Angeles Police Department (LAPD).

Image: One of the self-signed TLS certificates used in the campaign (via SecurityScorecard)

A TLS certificate is a digital document that helps secure internet communication, like a digital ID card for websites. By faking these, the attackers make their actions look legitimate. Researchers also observed 162 distinct intrusion sets, with some sharing common geographical locations or ISPs.
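One defensive use of the detail above is a hunt for certificates that are both self-signed and carry an LAPD-lookalike subject. The following is an added example written for this page, not SecurityScorecard's tooling; it reads Zeek x509.log-style records (the sample lines are constructed, and the LAPD string match is an assumed marker rather than a published indicator).

```python
"""Flag self-signed certificates whose subject impersonates the LAPD,
in Zeek x509.log-style TSV records. Example code added for this page;
the log lines below are constructed, not real campaign data."""
import re
from typing import Dict, List

# Constructed sample records. Column order follows Zeek's x509.log
# (ts, id, certificate.version, certificate.serial,
#  certificate.subject, certificate.issuer), trimmed to the columns used.
SAMPLE_X509_LOG = """\
1718000001.1\tFa3b\t3\t01\tCN=router.local,O=Buffalo Technology\tCN=router.local,O=Buffalo Technology
1718000002.2\tFb4c\t3\t02\tCN=lapd.local,O=Los Angeles Police Department,L=Los Angeles\tCN=lapd.local,O=Los Angeles Police Department,L=Los Angeles
1718000003.3\tFc5d\t3\t03\tCN=www.example.org,O=Example Org\tCN=R3,O=Let's Encrypt,C=US
"""

# Assumed lookalike marker (hypothetical); extend with other names as needed.
SUSPECT_ORG = re.compile(r"los angeles police|\bLAPD\b", re.IGNORECASE)

FIELDS = ["ts", "id", "version", "serial", "subject", "issuer"]


def parse_x509_log(text: str) -> List[Dict[str, str]]:
    """Parse TSV records, skipping Zeek '#' header/footer lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            continue  # malformed or truncated line
        records.append(dict(zip(FIELDS, parts[: len(FIELDS)])))
    return records


def is_self_signed(rec: Dict[str, str]) -> bool:
    """A certificate whose issuer DN equals its subject DN is self-signed."""
    return rec["subject"] == rec["issuer"]


def find_suspect_certs(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Self-signed AND claiming an LAPD-like organisation."""
    return [r for r in records
            if is_self_signed(r) and SUSPECT_ORG.search(r["subject"])]


if __name__ == "__main__":
    for hit in find_suspect_certs(parse_x509_log(SAMPLE_X509_LOG)):
        print(f"suspect cert id={hit['id']} subject={hit['subject']}")
```

A real deployment would run this over the router's management-port certificate or the x509.log from your sensor, then cross-check the flagged device's firmware version against the vendor's patch list.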

The LapDogs campaign has infiltrated a variety of organizations, including internet service providers (ISPs), hardware makers, and businesses in sectors like IT, networking, real estate, and media. Researchers noted that the attackers are very focused, with signs that they carefully plan their attacks on specific targets.

Therefore, IT administrators in these industries need to be on the lookout and fix vulnerabilities by installing patches. If updates are not available, move to a different, more secure device.

Original Post url: https://hackread.com/china-lapdogs-drops-shortleash-backdoor-fake-certs/

Category & Tags: Security, Cyber Attacks, Malware, China, Cyber Attack, Cybersecurity, IoT, LapDogs, security, ShortLeash, SOHO, Vulnerability
