China-Linked LapDogs Campaign Exposes ShortLeash Backdoor Using Fake Certificates

SecurityScorecard’s cybersecurity experts have unveiled a significant global cyber espionage campaign known as LapDogs, which has likely compromised thousands of devices worldwide since September 2023.

Believed to be operated by a group based in China, this operation is characterized by long-term surveillance and data theft, primarily targeting the United States, Japan, South Korea, Taiwan, and Hong Kong.

Exploiting Everyday Devices

Research from SecurityScorecard’s STRIKE team indicates that unlike conventional cyberattacks aimed at rapid access, LapDogs employs a sophisticated strategy involving Operational Relay Boxes (ORBs). These ORBs are compromised devices, typically Small Office/Home Office (SOHO) routers or Internet of Things (IoT) devices, which attackers utilize to secretly route their traffic.

SOHO routers, prevalent in both small businesses and homes, connect multiple devices to the internet. By exploiting everyday devices, particularly older models from manufacturers like Ruckus Wireless—accounting for approximately 55% of compromised hardware—and Buffalo Technology, attackers can mask their activities and evade detection for months.

These vulnerable devices often run outdated or unpatched firmware, potentially exposing services such as mini_httpd, embedded management tools left at default settings, and SSH implementations like OpenSSH and Dropbear SSH.

A pivotal element of the LapDogs operation is a custom tool named ShortLeash. This malicious backdoor grants attackers covert control over infected systems, facilitating persistence and lateral movement within networks. The Linux variant of ShortLeash is seeded by a Bash script that targets Ubuntu or CentOS, deploying a malicious service file in pertinent directories. The payload itself employs a two-layer decryption process for its configuration, incorporating certificates, private keys, and a URL.

ShortLeash mimics the server responses typical of Nginx and uses random hardcoded query parameters when communicating with its command-and-control servers. To blend in, the attackers create counterfeit self-signed TLS certificates resembling ones issued by the Los Angeles Police Department (LAPD).

One of the self-signed TLS certificates employed in the campaign (Image via SecurityScorecard)

By forging TLS certificates (the credentials that identify a website and secure its traffic, much like a digital ID card) the attackers create an illusion of legitimacy. Researchers have identified 162 distinct intrusion sets, several of which overlap in geographic location or internet service provider.
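The two paragraphs above describe the campaign's use of self-signed certificates that impersonate the LAPD. As an added defensive example (not code from SecurityScorecard's report), the script below triages certificate metadata in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()` and flags the tells a hunter would look for on SOHO device management ports; the LAPD substrings and the sample records are assumptions constructed for illustration, not published indicators.

```python
# Added example (not code from SecurityScorecard's report): triage TLS
# certificate metadata for the self-signed, LAPD-lookalike pattern above.
# Records use the dict layout returned by ssl.SSLSocket.getpeercert().

# Assumption: the page only says the forged certs "resemble" LAPD-issued ones,
# so these substrings are illustrative heuristics, not confirmed indicators.
SUSPICIOUS_ORG_TERMS = ("los angeles police", "lapd")


def _name_to_dict(name):
    """getpeercert() encodes X.509 names as ((('key', 'value'),), ...)."""
    return {key: value for rdn in name for key, value in rdn}


def triage_cert(cert):
    """Return the findings for one certificate record; an empty list is clean."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    findings = []
    if subject and subject == issuer:
        findings.append("self-signed (issuer == subject)")
    names = " ".join(str(v) for d in (subject, issuer) for v in d.values())
    if any(term in names.lower() for term in SUSPICIOUS_ORG_TERMS):
        findings.append("subject/issuer impersonates a law-enforcement body")
    if not cert.get("subjectAltName"):
        findings.append("no subjectAltName, common in hand-rolled certificates")
    return findings


def triage_hosts(records):
    """Map host -> findings, keeping only hosts that raised at least one."""
    return {h: f for h, cert in records.items() if (f := triage_cert(cert))}


# Constructed sample records (RFC 5737 documentation addresses, invented names).
LAPD_LOOKALIKE = ((("countryName", "US"),),
                  (("organizationName", "Los Angeles Police Department"),),
                  (("commonName", "lapd.example"),))
SAMPLE_CERTS = {
    "192.0.2.10": {"subject": LAPD_LOOKALIKE, "issuer": LAPD_LOOKALIKE},
    "192.0.2.20": {
        "subject": ((("commonName", "router.example.net"),),),
        "issuer": ((("organizationName", "Example Trust CA"),),
                   (("commonName", "Example Issuing CA"),)),
        "subjectAltName": (("DNS", "router.example.net"),),
    },
}
```

For a live inventory scan note that `getpeercert()` returns an empty dict when verification is disabled, which it must be for a self-signed certificate; fetch the DER form with `getpeercert(binary_form=True)` and decode it with an X.509 library before passing the record to `triage_cert`.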

The LapDogs operation has infiltrated a wide range of organizations, including internet service providers, hardware manufacturers, and companies across various sectors such as IT, networking, real estate, and media. This focused approach indicates that attackers meticulously plan their operations against chosen targets.

Consequently, IT administrators in these sectors should remain vigilant, actively patching vulnerabilities and replacing outdated devices with more secure alternatives where updates are unavailable.
