China-aligned CeranaKeeper Makes A Beeline For Thailand

Cybersecurity firm ESET has identified a new China-aligned threat actor, dubbed “CeranaKeeper,” operating across Southeast Asia, with a primary focus on Thailand. Since early last year, CeranaKeeper has aggressively targeted public sector entities in Thailand, using sophisticated means to gain a foothold on networks. The findings mark a significant development in the region’s ongoing cyber threat landscape, particularly given the group’s sophisticated techniques and use of both common and custom tools.

The group’s endgame is predictable: exfiltrating as much data as possible, using previously unseen custom tools to harvest whole file trees from compromised systems. After it achieves initial access, the group carries out brute-force attacks on domain controllers, uses credential-dumping tools, and even disables security products using a legitimate Avast driver. Once inside, the malefactors move laterally across networks, using compromised systems as update servers for their backdoor tools.

CeranaKeeper’s toolset is made up of custom backdoors and reverse shells, including a reverse shell that relies on GitHub’s pull request and issue comment features, turning GitHub into a stealthy command-and-control (C&C) server. The group cunningly disguises its operations by leveraging such platforms for both C&C communication and data exfiltration, exploiting the difficulty of blocking traffic to these well-known services. By using these platforms, CeranaKeeper obfuscates its malicious traffic, adding a layer of complexity to its operations.

Despite similarities to Mustang Panda, the group’s distinct operational methods, infrastructure, and campaigns justify the classification of CeranaKeeper as a separate entity; ESET researchers have now determined that CeranaKeeper operates independently, deploying a unique arsenal of tools and techniques. Its constant updates to the TONESHELL backdoor, a hallmark of the group, allow it to sneak past security tools while stealing vast amounts of sensitive information.

CeranaKeeper has been carrying out widespread data exfiltration campaigns since early 2022, primarily targeting governmental institutions. Its focus on governmental targets in Thailand, along with operations in Myanmar, the Philippines, Japan, and Taiwan, suggests a continued alignment with Chinese interests in the region.

ESET’s findings shine a light on a highly adaptable and persistent group that can rapidly pivot and modify its tools to evade the security nets. ESET researchers shared their findings at the Virus Bulletin conference on 2 October 2024 and released a detailed white paper on CeranaKeeper’s tactics, techniques, and procedures (TTPs). While more revelations about this group are expected in the future, CeranaKeeper’s ability to innovate and evade detection remains a significant threat to Southeast Asia’s cybersecurity landscape.
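The GitHub-as-C&C pattern described above is hard to block at the network edge, but it is visible in proxy logs: a backdoor that polls an issue or pull request comment thread does so at machine-regular intervals, from hosts that have no business talking to the GitHub API. The following is an added detection example written for this article; it is not ESET's code, not part of the article, and not a description of CeranaKeeper's actual implementation. The log format, the hostnames, the repository name and the thresholds are constructed assumptions for illustration.

```python
"""Flag hosts that poll GitHub issue/PR comment endpoints like a beacon.

Added example for this article (not ESET's or the article's code).
The proxy log format, hostnames, repo name and thresholds are constructed
assumptions; adapt the regexes to your own proxy's log layout.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed proxy log lines: "<ISO time> <src_host> <method> <url>".
# ws-finance-07 polls one issue thread every minute (beacon-like);
# dev-build-03 is a hypothetical build server with irregular, legitimate use.
SAMPLE_LOG = """\
2024-10-01T09:00:00 ws-finance-07 GET https://api.github.com/repos/acme-placeholder/notes/issues/1/comments
2024-10-01T09:01:00 ws-finance-07 GET https://api.github.com/repos/acme-placeholder/notes/issues/1/comments
2024-10-01T09:02:00 ws-finance-07 GET https://api.github.com/repos/acme-placeholder/notes/issues/1/comments
2024-10-01T09:03:00 ws-finance-07 POST https://api.github.com/repos/acme-placeholder/notes/issues/1/comments
2024-10-01T09:04:00 ws-finance-07 GET https://api.github.com/repos/acme-placeholder/notes/issues/1/comments
2024-10-01T09:05:00 ws-finance-07 GET https://api.github.com/repos/acme-placeholder/notes/issues/1/comments
2024-10-01T09:00:12 dev-build-03 GET https://api.github.com/repos/acme-placeholder/app/pulls/42/comments
2024-10-01T09:47:30 dev-build-03 GET https://api.github.com/repos/acme-placeholder/app/issues/9/comments
2024-10-01T11:03:05 dev-build-03 POST https://api.github.com/repos/acme-placeholder/app/pulls/42/comments
2024-10-01T09:10:00 ws-hr-02 GET https://www.google.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH) (\S+)$")
# Issue-comment and pull-request-comment endpoints of the GitHub REST API.
COMMENT_PATH_RE = re.compile(
    r"^https://api\.github\.com/repos/[^/]+/[^/]+/(issues|pulls)/\d+/comments"
)


def parse_log(text):
    """Group comment-endpoint requests by source host."""
    events = defaultdict(list)  # host -> [(timestamp, method, url)]
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts_str, host, method, url = m.groups()
        if COMMENT_PATH_RE.match(url):
            events[host].append((datetime.fromisoformat(ts_str), method, url))
    return events


def beacon_score(timestamps, min_requests=5, max_jitter_ratio=0.2):
    """Return (is_beacon, mean_interval_seconds).

    Near-constant spacing between requests (low standard deviation relative
    to the mean interval) is characteristic of automated polling, not of a
    developer reading comments by hand.
    """
    if len(timestamps) < min_requests:
        return False, None
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean == 0:
        return False, 0.0
    jitter = statistics.pstdev(intervals) / mean
    return jitter <= max_jitter_ratio, mean


def find_suspect_hosts(text, developer_hosts=frozenset()):
    """Hosts that poll comment endpoints at regular intervals, excluding an
    allowlist of hosts known to use GitHub legitimately (CI/build servers)."""
    suspects = {}
    for host, evs in parse_log(text).items():
        if host in developer_hosts:
            continue
        is_beacon, mean = beacon_score([e[0] for e in evs])
        if is_beacon:
            suspects[host] = {
                "requests": len(evs),
                "mean_interval_s": mean,
                # A POST to the thread means the host is writing comments,
                # i.e. the channel is used to send data out, not only to read tasking.
                "posted": any(e[1] == "POST" for e in evs),
            }
    return suspects


if __name__ == "__main__":
    for host, info in find_suspect_hosts(SAMPLE_LOG, {"dev-build-03"}).items():
        print(host, info)
```

Running the block on the constructed sample reports only ws-finance-07, a workstation that hits the same issue thread once a minute and also writes to it. The allowlist and the jitter threshold are the two knobs to tune against your own traffic; in practice the same regularity test can be applied to any of the file-sharing services the group is reported to abuse, with only the URL pattern changed.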

This Cyber News was published on informationsecuritybuzz.com. Publication date: Thu, 03 Oct 2024 08:43:09 +0000