An advanced persistent threat (APT) group, Stately Taurus, has been abusing the Visual Studio Code (VSCode) Remote Tunnels feature to maintain persistent remote access to compromised systems. This is misuse of a legitimate, Microsoft-operated capability rather than exploitation of a software flaw, which is what makes it hard to spot. Review the details in this Cybersecurity Threat Advisory to secure your environment.
What is the threat?
VSCode Remote Tunnels lets a user expose a machine for remote development through Microsoft's tunnelling infrastructure, authenticated with a GitHub or Microsoft account. No vulnerability is involved: the attackers simply run the tunnel themselves on the victim. In this campaign the initial foothold was SQL injection against internet-facing applications, after which the attackers dropped a portable VSCode build together with a malicious ".LNK" shortcut or a Python script to start the tunnel and keep it running. Because the resulting traffic terminates at Microsoft-operated endpoints and resembles ordinary developer activity, it slips past network controls that rely on identifying attacker-owned infrastructure, giving the operators an interactive session for lateral movement and data exfiltration.
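The initial access vector above is ordinary SQL injection. The following is an added example, not code from the advisory, Barracuda or SentinelLabs, showing the vulnerable pattern beside its parameterized form against an in-memory SQLite table constructed for the demonstration (table name, rows and the `x' OR '1'='1` payload are all assumptions made here):

```python
import sqlite3


def make_db():
    """Build a throwaway customer table (constructed data, not from the advisory)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    con.executemany(
        "INSERT INTO customers (name, api_key) VALUES (?, ?)",
        [
            ("acme-it", "key-acme-0001"),
            ("globex-msp", "key-globex-0002"),
            ("initech", "key-initech-0003"),
        ],
    )
    return con


def lookup_vulnerable(con, name):
    # String concatenation: attacker-controlled `name` becomes part of the SQL
    # text, so a quote in the input rewrites the WHERE clause.
    sql = "SELECT name, api_key FROM customers WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    # Parameter binding: `name` is sent to the engine as data and can never be
    # parsed as SQL, whatever characters it contains.
    return con.execute(
        "SELECT name, api_key FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload (assumed attacker input for this example).
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no match
```

The vulnerable query turns into `... WHERE name = 'x' OR '1'='1'` and returns every customer's key; the parameterized query looks for a customer literally named `x' OR '1'='1` and returns nothing. Replacing concatenated queries with bound parameters removes the entry point this campaign relied on, independent of what the attackers do afterwards.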
Why is it noteworthy?
The APT group, Stately Taurus, has been linked to multiple breaches over the past few years. Its current operation, codenamed "Operation Digital Eye," specifically targets IT service providers in Southern Europe. Riding on VSCode Remote Tunnels lets the operators blend in with legitimate developer traffic to Microsoft infrastructure, so their command-and-control channel is hard to distinguish from normal activity. Because IT service providers are the primary targets, a single intrusion is a supply-chain risk that can reach many downstream customers across the region.
What is the exposure or risk?
Exposure is not limited to organizations that already use VSCode: the attackers bring a portable copy of the editor with them, so any internet-facing server that can be compromised through SQL injection and can reach Microsoft's tunnel endpoints is a candidate. A successful intrusion enables lateral movement, credential theft, data exfiltration, and surveillance. For an IT service provider the impact extends beyond its own environment, since the same access can be used to tamper with code and leave a persistent backdoor into customer systems.
What are the recommendations?
Barracuda recommends the following actions to secure your environment:
- Audit servers and endpoints for VSCode binaries outside the standard install locations, `code.exe tunnel` processes, scheduled tasks or services that launch them, and outbound connections to the Dev Tunnels infrastructure. Remediate SQL injection in internet-facing applications, the initial access vector in this campaign, by using parameterized queries and validating input.
- Leverage Endpoint Detection & Response (EDR) solutions, such as the Barracuda XDR platform, and proactively monitor for unusual activity on your systems. This helps detect and respond to potential threats before they cause significant damage.
- Implement network segmentation so that a compromised internet-facing server cannot reach other internal segments of your infrastructure.
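The audit and monitoring recommendations above come down to a handful of concrete indicators. The following is an added example, not Barracuda's or any vendor's detection content, that runs those checks over a few constructed telemetry lines (the `type|host|value` layout is invented for this example, and the tunnel domain list is an assumption taken from VS Code's documented Remote Tunnels endpoints rather than an official indicator list):

```python
import re
from collections import defaultdict

# Indicators of VSCode Remote Tunnel abuse. The domain list is an assumption
# drawn from VS Code's documented tunnel endpoints, not an official IoC list.
TUNNEL_CMD = re.compile(r'\bcode(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)
TUNNEL_DOMAINS = re.compile(
    r"(?:^|\.)(?:devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.IGNORECASE
)
# Where a sanctioned VSCode install normally lives on Windows (lower-cased).
TRUSTED_DIRS = (
    "\\program files\\microsoft vs code\\",
    "\\appdata\\local\\programs\\microsoft vs code\\",
)

# Constructed telemetry for this example; "<type>|<host>|<value>" is an
# assumed layout, not a real product log format.
SAMPLE_EVENTS = [
    r"proc|srv-web-01|C:\Windows\System32\svchost.exe -k netsvcs",
    r"proc|srv-web-01|C:\ProgramData\VSCode\code.exe tunnel --accept-server-license-terms --name srv-web-01",
    r"dns|srv-web-01|global.rel.tunnels.api.visualstudio.com",
    r"dns|srv-web-01|abcd1234-3000.euw.devtunnels.ms",
    r"proc|srv-db-02|C:\Users\Public\vscode\code.exe tunnel service install",
    r"file|srv-db-02|C:\Users\Public\vscode\code.lnk",
    r"proc|ws-dev-17|C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe --new-window",
    r"dns|ws-dev-17|update.code.visualstudio.com",
]


def in_trusted_dir(path_lower):
    return any(d in path_lower for d in TRUSTED_DIRS)


def classify_event(line):
    """Return (host, indicator) if the event is suspicious, else None."""
    kind, host, value = line.split("|", 2)
    low = value.lower()
    if kind == "proc":
        if TUNNEL_CMD.search(value):
            return host, "tunnel_command"
        if "code.exe" in low and not in_trusted_dir(low):
            return host, "vscode_outside_install_dir"
    elif kind == "dns":
        if TUNNEL_DOMAINS.search(value):
            return host, "tunnel_infrastructure_dns"
    elif kind == "file":
        if low.endswith(".lnk") and ("\\code.lnk" in low or "vscode" in low) \
                and not in_trusted_dir(low):
            return host, "vscode_shortcut_dropped"
    return None


def score_hosts(events):
    """Group distinct indicator types per host."""
    hits = defaultdict(set)
    for line in events:
        result = classify_event(line)
        if result is not None:
            host, indicator = result
            hits[host].add(indicator)
    return dict(hits)


def severity(indicators):
    # A `code tunnel` process is decisive: it is exactly the behaviour the
    # campaign relies on and has no business running on a server. Anything
    # else needs a second independent indicator type before escalating.
    if "tunnel_command" in indicators or len(indicators) >= 2:
        return "high"
    return "medium" if indicators else "none"


def triage(events):
    return {host: severity(inds) for host, inds in score_hosts(events).items()}


if __name__ == "__main__":
    hits = score_hosts(SAMPLE_EVENTS)
    for host, level in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {level} {sorted(hits[host])}")
```

In the sample, both servers are flagged high (a tunnel process plus either tunnel DNS lookups or a dropped shortcut), while the developer workstation running VSCode from its normal install path is left alone. The same logic maps directly onto EDR process-creation and DNS telemetry: the command line `code.exe tunnel`, VSCode binaries in `ProgramData` or `Users\Public`, and resolutions of `*.devtunnels.ms` are the fields to hunt on.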
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.developer-tech.com/news/operation-digital-eye-chinese-hackers-exploit-visual-studio-code/
- https://thehackernews.com/2024/12/hackers-weaponize-visual-studio-code.html
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.