Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents

A previously unidentified Chinese espionage group has managed to breach at least 70 organizations across 23 countries, including 48 in the government space, despite using rather standard-fare tactics, techniques, and procedures.
In keeping with that profile, rather than employing ultra-sophisticated malware and stealth tactics, it relies on an arsenal of largely open source, well-documented tools, plus one-day vulnerabilities and standard social engineering, to defeat its targets.
Despite this, its list of victims rivals that of the likes of Volt Typhoon, BlackTech, and Mustang Panda.
Having targeted no less than 116 organizations across 35 countries, the group has at least 70 confirmed compromises, including four dozen associated with various world governments.
In one case, it managed to breach a wide range of organizations connected to 11 government ministries.
Victims have also spanned the education and telecommunications sectors, finance, IT, sports, and more.
The highest concentration of victims comes from Asia, but cases cover the Americas, Europe, and Africa as well.
Earth Krahang's Intrusion Tactics

Some successful Chinese APTs distinguish themselves with unique zero-days or complex tactics they pull off better than everyone else. Earth Krahang is not one of them: its first move is to scan the Web for public-facing servers of interest, such as those connected to government organizations.
To check for vulnerabilities it can leverage, it uses one of any number of open source, off-the-shelf tools, including sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan.
Two bugs in particular on which Earth Krahang likes to prey are CVE-2023-32315 (a command execution bug in the real-time collaboration server Openfire, rated 7.5 by CVSS) and CVE-2022-21587 (a critical, 9.8-rated command execution issue in the Web Applications Desktop Integrator of Oracle's E-Business Suite).
After it establishes a toehold on a public server, the group uses more open source software to scan for sensitive files, passwords, and other useful resources, like lonely subdomains that might point to further unmaintained servers.
It also employs a number of brute force attacks - for example, using a list of common passwords to crack Microsoft Exchange servers via Outlook on the Web.
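The password-list attacks on Outlook on the Web described above leave a recognisable trace on the defender's side: one source address failing authentication across many different accounts in a short window. The following added example (not code from the article or from Trend Micro) shows that detection over constructed, simplified IIS-style log lines; it assumes a 401 for a failed OWA login and a 302 for a successful one, which is a simplification of real Exchange logging that you would adjust to your own log format.

```python
import re
from collections import defaultdict

# Constructed, simplified IIS-style log lines for an OWA endpoint (NOT real
# Exchange output): failed auth -> 401, successful auth -> 302 redirect.
SAMPLE_IIS_LOG = """\
2024-03-18 10:00:01 203.0.113.5 POST /owa/auth.owa alice 401
2024-03-18 10:00:02 203.0.113.5 POST /owa/auth.owa bob 401
2024-03-18 10:00:03 203.0.113.5 POST /owa/auth.owa carol 401
2024-03-18 10:00:04 203.0.113.5 POST /owa/auth.owa dave 401
2024-03-18 10:00:05 203.0.113.5 POST /owa/auth.owa erin 401
2024-03-18 10:00:06 203.0.113.5 POST /owa/auth.owa frank 302
2024-03-18 10:05:00 198.51.100.7 POST /owa/auth.owa alice 401
2024-03-18 10:05:09 198.51.100.7 POST /owa/auth.owa alice 302
2024-03-18 10:06:00 198.51.100.9 GET /owa/ - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<user>\S+) (?P<status>\d{3})$"
)

def parse_iis(text):
    """Yield a dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_password_sprays(text, min_accounts=5):
    """Return {src_ip: sorted usernames} for IPs that failed OWA auth
    against at least min_accounts distinct accounts. A spray tries a few
    common passwords across many accounts, so the tell is account
    breadth per source, not failure count per account."""
    failed = defaultdict(set)
    for rec in parse_iis(text):
        if rec["uri"].lower().startswith("/owa/auth") and rec["status"] == "401":
            failed[rec["ip"]].add(rec["user"])
    return {ip: sorted(users) for ip, users in failed.items()
            if len(users) >= min_accounts}

def successes_after_spray(text, sprays):
    """List (ip, user) for successful logins from a spraying IP: these are
    the accounts the common-password list actually opened."""
    hits = []
    for rec in parse_iis(text):
        if rec["ip"] in sprays and rec["uri"].lower().startswith("/owa/auth") \
           and rec["status"] == "302":
            hits.append((rec["ip"], rec["user"]))
    return hits
```

The accounts returned by `successes_after_spray` are the ones to reset and review first, since a spray that succeeds is exactly the foothold the article describes.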
Earth Krahang's Exploitation and Stealth Tactics

By the end of all this, the attacker can perform two primary actions: drop backdoors on compromised servers, and hijack email accounts.
Whether via email or a vulnerability in a Web server, Earth Krahang's various targets end up downloading one or multiple backdoors.
One of these backdoors is a .NET tool for collecting information, dropping files, and executing system commands, with AES-encrypted command-and-control communication.
Besides being compatible with both Windows and Linux, XDealer is also notable because some of its loaders contain valid code-signing certificates.
Trend Micro speculates that these certificates - one belonging to a legitimate human resources company, and the other to a game development company - were likely stolen to provide an extra layer of cover when downloading the malware to new systems.
Earth Krahang has also made use of ancient threats like PlugX and ShadowPad, and it frequently deploys Cobalt Strike in combination with another open source tool that prevents cybersecurity analysts from pinning down its C2 infrastructure.


This Cyber News was published on www.darkreading.com. Publication date: Mon, 18 Mar 2024 21:50:12 +0000

