Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers

A new Advanced Persistent Threat campaign, dubbed Earth Krahang, has emerged with a focus on infiltrating government entities across the globe.
This campaign, active since early 2022, has been linked to a China-nexus threat actor, previously identified as Earth Lusca.
Despite similarities, Earth Krahang operates with distinct infrastructure and employs unique backdoors, suggesting it's a separate entity.
This report delves into Earth Krahang's tactics, techniques, and procedures, shedding light on its operations and their implications for global cybersecurity.
Earth Krahang's modus operandi includes exploiting vulnerabilities in public-facing servers and utilizing spear-phishing emails to deliver novel backdoors.
The campaign has shown a penchant for commandeering government infrastructure to launch further attacks, leveraging this access to host malicious payloads and facilitate cyber espionage.
Notably, Earth Krahang has exploited vulnerabilities such as CVE-2023-32315 and CVE-2022-21587 to gain unauthorized access and deploy malware.
Spear-phishing remains a critical vector for Earth Krahang.
Earth Krahang conducts brute force attacks on Exchange servers via Outlook on the web, vulnerability scanning to find web server vulnerabilities, and injecting backdoors.
Upon gaining initial access, Earth Krahang employs a variety of tools and techniques to maintain presence and exploit compromised networks.
The use of SoftEther VPN on public-facing servers is a notable tactic, enabling the threat actor to infiltrate victim networks deeply.
Earth Krahang's toolkit includes several malware families, with Cobalt Strike, RESHELL, and XDealer being prominent.
The evolution of XDealer, evidenced by various versions identified, indicates active development and customization by the threat actor.
The campaign has targeted approximately 70 victims across 23 countries, primarily focusing on government organizations.
The wide geographic spread of targets underscores Earth Krahang's global ambitions.
While direct attribution is challenging, connections to the China-nexus threat actor Earth Lusca and potential links to the Chinese company I-Soon suggest a coordinated effort possibly backed by state-sponsored actors.
Earth Krahang represents a sophisticated and persistent cyber threat that clearly focuses on government entities and the exploitation of government infrastructure for cyber espionage.
The campaign's unique malware families and tactics highlights the need for robust cybersecurity defenses and awareness.
Earth Krahang's evolving tactics and tools necessitate continuous vigilance and adaptation in cybersecurity strategies to protect sensitive information and infrastructure from these advanced threats.
You can learn malware analysis to break down sophisticated malware by enrolling in a Certified Malware Analyst Course online.


This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 18 Mar 2024 16:55:09 +0000


Cyber News related to Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers

Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers - A new Advanced Persistent Threat campaign, dubbed Earth Krahang, has emerged with a focus on infiltrating government entities across the globe. This campaign, active since early 2022, has been linked to a China-nexus threat actor, previously ...
8 months ago Cybersecuritynews.com
Chinese Earth Krahang hackers breach 70 orgs in 23 countries - A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries. According to Trend Micro researchers monitoring the ...
8 months ago Bleepingcomputer.com
Chinese APT Hacks 48 Government Organizations - An advanced persistent threat actor likely operating on behalf of the Chinese government has compromised dozens of foreign government entities worldwide, Trend Micro reports. Referred to as Earth Krahang, the hacking group appears linked to Earth ...
8 months ago Securityweek.com
Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents - A previously unidentified Chinese espionage group has managed to breach at least 70 organizations across 23 countries, including 48 in the government space, despite using rather standard-fare tactics, techniques, and procedures. Fitting such a ...
8 months ago Darkreading.com
Chinese hacking documents offer glimpse into state surveillance - Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government - a trove that catalogs apparent hacking ...
8 months ago Apnews.com
Cybersecurity Crisis Looms: FBI Chief Unveils Chinese Hackers' Plan to Target US Infrastructure - As the head of the FBI pointed out Wednesday, Beijing was positioning itself to disrupt the daily lives of Americans if there was ever a war between the United States and China if it were to plant malware to damage civilian infrastructure. U.S. ...
9 months ago Cysecurity.news
The ticking time bomb of Microsoft Exchange Server 2013 - This is, of course, a common issue since 2021 or so, due to Exchange Server security woes- however there has been an abnormally high increase in the past few months, making me think there was some kind of Exchange Server zero day perhaps. In my own ...
10 months ago Doublepulsar.com
Uncovering Chinas Surveillance of the United States Spies Hackers and Informants - Last week, a Chinese surveillance balloon in the United States caused a diplomatic uproar and raised concerns about how Beijing collects intelligence on its biggest rival. FBI Director Christopher Wray said in 2020 that Chinese spying is the most ...
1 year ago Securityweek.com
What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
11 months ago Techtarget.com
Sandman APT Gains Traction: Chinese Hackers Amplify Cybersecurity Risks - Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the ...
11 months ago Cysecurity.news
iSoon's Secret APT Status Exposes China's Foreign Hacking Machination - A trove of leaked documents has revealed the Chinese government works with private sector hackers to spy on foreign governments and companies, domestic dissidents, ethnic minorities, and more. On Feb. 16, an anonymous individual with unknown motives ...
8 months ago Darkreading.com
Earth Lusca - Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the ...
11 months ago Attack.mitre.org
Lawmakers: Ban TikTok to Stop Election Misinformation! Same Lawmakers: Restrict How Government Addresses Election Misinformation! - In a case being heard Monday at the Supreme Court, 45 Washington lawmakers have argued that government communications with social media sites about possible election interference misinformation are illegal. Just this week the vast majority of those ...
8 months ago Eff.org
DHS and FBI: Chinese Drones Pose Major Threat to U.S. Security - The cybersecurity arm of the Department of Homeland Security and the Federal Bureau of Investigation have jointly issued a public service announcement cautioning about the potential risks posed by Chinese-manufactured drones to critical ...
10 months ago Cysecurity.news
Chinese Hackers Turn To Golang For Malware - Chinese hackers are increasingly turning to the open-source programming language Golang to maliciously code and launch new cyberattacks. According to the latest analysis by The Hacker News, this has resulted in an increase in the number of cyber ...
1 year ago Thehackernews.com
Chinese hackers infect Dutch military network with malware - A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service of the Netherlands. Despite backdooring the hacked systems, the ...
9 months ago Bleepingcomputer.com
Chinese hackers infect Dutch military network with malware - A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service of the Netherlands. Despite backdooring the hacked systems, the ...
9 months ago Bleepingcomputer.com
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
11 months ago Bleepingcomputer.com
Montana Loses in US Court - States can't just ban apps, says federal judge. The judge ruled the state can't stop app stores offering an app. How would you even enforce a statewide ban? In today's SB Blogwatch, we ponder the great firewall of Montana. "Paternalistic ...
11 months ago Securityboulevard.com
The Unlikely Romance of Hackers and Government Suitors - The annual Hack the Capitol event brings together a diverse group of scientists, hackers, and policymakers to educate congressional staffers, scholars, and the press about the most critical cybersecurity challenges facing our nation. Hack the Capitol ...
11 months ago Darkreading.com
Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug - Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting. CVE-2024-21410 is an ...
9 months ago Darkreading.com
Microsoft Exchange Servers Vulnerable to Cyberattacks - Microsoft Exchange Servers are becoming increasingly vulnerable to cyberattacks due to unpatched security vulnerabilities. Microsoft has recently released several critical patches for Exchange Servers, but it is still not enough to prevent possible ...
1 year ago Hackread.com
China's Dogged Campaign to Portray Itself as Victim of US Hacking - For more than two years, China's government has been attempting to portray the US as indulging in the same kind of cyber espionage and intrusion activities as the latter has accused of carrying out over the past several years. A recent examination of ...
9 months ago Darkreading.com
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
1 month ago Aws.amazon.com
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks - Tens of thousands of Microsoft Exchange email servers in Europe, the U.S., and Asia exposed on the public internet are vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer ...
11 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)