Cybersecurity firm ESET has identified a new China-aligned threat actor, dubbed "CeranaKeeper," operating across Southeast Asia with a primary focus on Thailand. CeranaKeeper has been carrying out widespread data exfiltration campaigns since early 2022, primarily targeting governmental institutions. Its focus on governmental targets in Thailand, along with operations in Myanmar, the Philippines, Japan, and Taiwan, suggests a continued alignment with Chinese interests in the region.

Despite similarities to Mustang Panda, ESET researchers have determined that CeranaKeeper operates independently, deploying its own arsenal of tools and techniques. The group's distinct operational methods, infrastructure, and campaigns justify classifying CeranaKeeper as a separate entity. ESET researchers shared their findings at the Virus Bulletin conference on 2 October 2024 and released a detailed white paper on CeranaKeeper's tactics, techniques, and procedures (TTPs).

Since early 2023, CeranaKeeper has aggressively targeted public sector entities in Thailand, using sophisticated means to gain a foothold on networks. After achieving initial access, the group carries out brute-force attacks against domain controllers, uses credential-dumping tools, and even disables security products by abusing a legitimate Avast driver (a bring-your-own-vulnerable-driver, or BYOVD, technique). Once inside, the operators move laterally across the network, using compromised systems as update servers for their backdoor tools. Constant updates to the TONESHELL backdoor, a hallmark of the group, allow it to slip past security tools while stealing vast amounts of sensitive information.

CeranaKeeper's toolset is made up of custom backdoors and reverse shells, including one that abuses GitHub's pull request and issue comment features, turning GitHub into a stealthy command-and-control (C&C) server. The group disguises its operations by leveraging legitimate, widely used services of this kind for both C&C communication and data exfiltration, exploiting the difficulty of blocking traffic to well-known services outright. By using these platforms, CeranaKeeper blends its malicious traffic into ordinary activity, adding a layer of complexity for defenders. The group's endgame is predictable: exfiltrating as much data as possible, using previously unseen custom tools to harvest whole file trees from compromised systems.

The findings mark a significant development in the region's ongoing cyber threat landscape, particularly given the group's sophisticated techniques and use of both common and custom tools. ESET's research shines a light on a highly adaptable and persistent group that can rapidly pivot and modify its tools to evade security controls. While more revelations about this group are expected in the future, CeranaKeeper's ability to innovate and evade detection remains a significant threat to Southeast Asia's cybersecurity landscape.
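Because outright blocking GitHub is rarely an option, the practical defensive angle on the comment-based C&C described above is to baseline which hosts talk to the GitHub REST API at all and which endpoints they hit. The following is an added illustration written for this article, not code from ESET or from the group's tooling. It parses constructed proxy log lines (timestamp, source host, method, URL; the hosts, repositories and allowlist are hypothetical), isolates requests to the real GitHub issue and pull request comment endpoints (`/repos/{owner}/{repo}/issues/{n}/comments` and `/repos/{owner}/{repo}/pulls/{n}/comments`), and flags hosts outside a developer allowlist whose requests arrive at a near-constant interval, the polling pattern an implant checking a comment thread for tasking would produce.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): timestamp, source host, method, URL.
# DEV-LAPTOP-07 is a developer machine; FIN-WS-113 polls one issue thread every 60 s.
SAMPLE_LOG = """\
2024-09-30T09:00:00Z DEV-LAPTOP-07 GET https://api.github.com/repos/acme/webapp/issues/42/comments
2024-09-30T09:00:05Z DEV-LAPTOP-07 POST https://api.github.com/repos/acme/webapp/issues/42/comments
2024-09-30T09:00:00Z FIN-WS-113 GET https://api.github.com/repos/example-user/notes/issues/1/comments
2024-09-30T09:01:00Z FIN-WS-113 GET https://api.github.com/repos/example-user/notes/issues/1/comments
2024-09-30T09:02:00Z FIN-WS-113 GET https://api.github.com/repos/example-user/notes/issues/1/comments
2024-09-30T09:03:00Z FIN-WS-113 POST https://api.github.com/repos/example-user/notes/pulls/2/comments
2024-09-30T09:04:00Z FIN-WS-113 GET https://api.github.com/repos/example-user/notes/issues/1/comments
2024-09-30T09:05:00Z HR-WS-020 GET https://github.com/acme/webapp
"""

# Hosts expected to use the GitHub API (assumed allowlist; in practice derive it from asset inventory).
DEV_ALLOWLIST = {"DEV-LAPTOP-07"}

# GitHub REST endpoints for reading/posting issue and pull request comments.
COMMENT_API = re.compile(
    r"^https://api\.github\.com/repos/[^/]+/[^/]+/(issues|pulls)/\d+/comments/?$"
)

# One log line: ISO-8601 timestamp, host, HTTP method, URL.
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, host, method, url) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def comment_api_hits(events):
    """Group requests to the comment endpoints by source host."""
    hits = defaultdict(list)
    for ts, host, method, url in events:
        if COMMENT_API.match(url):
            hits[host].append((ts, method, url))
    return hits


def beacon_score(timestamps):
    """Return (request count, max deviation from the mean gap in seconds).

    Low deviation across many requests means a fixed polling interval, which
    a human developer's activity does not produce. Fewer than 3 requests gives
    no usable interval, so the jitter is None.
    """
    if len(timestamps) < 3:
        return len(timestamps), None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return len(ts), max(abs(g - mean) for g in gaps)


def find_suspects(text, allowlist=DEV_ALLOWLIST, min_hits=3, max_jitter=30.0):
    """Flag non-allowlisted hosts polling GitHub comment endpoints at a steady cadence."""
    suspects = {}
    for host, reqs in comment_api_hits(parse_log(text)).items():
        if host in allowlist:
            continue
        count, jitter = beacon_score([r[0] for r in reqs])
        posts = sum(1 for r in reqs if r[1] == "POST")  # POSTs may carry results/exfil
        if count >= min_hits and jitter is not None and jitter <= max_jitter:
            suspects[host] = {"requests": count, "posts": posts, "max_jitter_s": jitter}
    return suspects


if __name__ == "__main__":
    for host, info in find_suspects(SAMPLE_LOG).items():
        print(f"{host}: {info['requests']} comment-API requests, "
              f"{info['posts']} POST, max jitter {info['max_jitter_s']:.0f}s")
```

Run against the sample, only FIN-WS-113 is reported: five requests a minute apart with zero jitter and one POST, while the developer laptop is skipped by the allowlist and the HR workstation never touched the API. In production the allowlist, interval threshold and minimum hit count need tuning to the environment, and a real implant will add jitter of its own, so treat the cadence check as one signal alongside the simpler question of why a finance or HR host is calling api.github.com at all.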
This Cyber News was published on informationsecuritybuzz.com. Publication date: Thu, 03 Oct 2024 08:43:09 +0000