CeranaKeeper is bombarding Southeast Asia with data exfiltration attacks via file-sharing services such as Pastebin, OneDrive, and GitHub, researchers say.

An emergent China-aligned threat actor called CeranaKeeper has orchestrated a massive data exfiltration effort across Southeast Asia, most recently launching a barrage of cyberattacks against government institutions in Thailand.

Analysis showed CeranaKeeper was using components shared with the known Chinese-backed APT group Mustang Panda, in addition to fresh tools for abusing legitimate file-sharing services, including Pastebin, Dropbox, OneDrive, and GitHub, as exfiltration channels. "Based on our findings, we decided to track this activity cluster as the work of a separate threat actor," a new ESET report said.

CeranaKeeper broke into Thai government systems through a brute-force attack against a domain controller on the local network in mid-2023, ESET said. From there the group was able to gain privileged access, deploy the Toneshell backdoor and a credential-dumping tool, and abuse a legitimate Avast driver to disable security protections. Once comfortably in the network, the group began a massive data harvesting effort, ESET observed.

The group is "relentless," rapidly evolving, and nimble, ESET warned. "The operators write and rewrite their toolset as needed by their operations and react rather quickly to keep avoiding detection," ESET added. The Chinese government uses APT groups like Mustang Panda and CeranaKeeper to support state activities through espionage and other cybercrime.

This cyber news item was published on www.darkreading.com. Publication date: Thu, 03 Oct 2024 01:00:17 +0000

Copyright © 2024 Informa PLC. Informa UK Limited is a company registered in England and Wales with company number 1072954, whose registered office is 5 Howick Place, London, SW1P 1WG.