Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers

A new Advanced Persistent Threat campaign, dubbed Earth Krahang, has emerged with a focus on infiltrating government entities across the globe.
This campaign, active since early 2022, has been linked to a China-nexus threat actor, previously identified as Earth Lusca.
Despite similarities, Earth Krahang operates with distinct infrastructure and employs unique backdoors, suggesting it's a separate entity.
This report delves into Earth Krahang's tactics, techniques, and procedures, shedding light on its operations and their implications for global cybersecurity.
Earth Krahang's modus operandi includes exploiting vulnerabilities in public-facing servers and utilizing spear-phishing emails to deliver novel backdoors.
The campaign has shown a penchant for commandeering government infrastructure to launch further attacks, leveraging this access to host malicious payloads and facilitate cyber espionage.
Notably, Earth Krahang has exploited vulnerabilities such as CVE-2023-32315 and CVE-2022-21587 to gain unauthorized access and deploy malware.
Spear-phishing remains a critical vector for Earth Krahang.
Earth Krahang conducts brute force attacks on Exchange servers via Outlook on the web, vulnerability scanning to find web server vulnerabilities, and injecting backdoors.
Upon gaining initial access, Earth Krahang employs a variety of tools and techniques to maintain presence and exploit compromised networks.
The use of SoftEther VPN on public-facing servers is a notable tactic, enabling the threat actor to infiltrate victim networks deeply.
Earth Krahang's toolkit includes several malware families, with Cobalt Strike, RESHELL, and XDealer being prominent.
The evolution of XDealer, evidenced by various versions identified, indicates active development and customization by the threat actor.
The campaign has targeted approximately 70 victims across 23 countries, primarily focusing on government organizations.
The wide geographic spread of targets underscores Earth Krahang's global ambitions.
While direct attribution is challenging, connections to the China-nexus threat actor Earth Lusca and potential links to the Chinese company I-Soon suggest a coordinated effort possibly backed by state-sponsored actors.
Earth Krahang represents a sophisticated and persistent cyber threat that clearly focuses on government entities and the exploitation of government infrastructure for cyber espionage.
The campaign's unique malware families and tactics highlights the need for robust cybersecurity defenses and awareness.
Earth Krahang's evolving tactics and tools necessitate continuous vigilance and adaptation in cybersecurity strategies to protect sensitive information and infrastructure from these advanced threats.
You can learn malware analysis to break down sophisticated malware by enrolling in a Certified Malware Analyst Course online.


This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 18 Mar 2024 16:55:09 +0000


Cyber News related to Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers

Chinese APT Hackers Earth Krahang Exploits Government Exchange Servers - A new Advanced Persistent Threat campaign, dubbed Earth Krahang, has emerged with a focus on infiltrating government entities across the globe. This campaign, active since early 2022, has been linked to a China-nexus threat actor, previously ...
1 year ago Cybersecuritynews.com CVE-2023-32315 CVE-2022-21587 Earth Lusca
Chinese Earth Krahang hackers breach 70 orgs in 23 countries - A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries. According to Trend Micro researchers monitoring the ...
1 year ago Bleepingcomputer.com CVE-2023-32315 CVE-2022-21587 Earth Lusca GALLIUM
Chinese APT Hacks 48 Government Organizations - An advanced persistent threat actor likely operating on behalf of the Chinese government has compromised dozens of foreign government entities worldwide, Trend Micro reports. Referred to as Earth Krahang, the hacking group appears linked to Earth ...
1 year ago Securityweek.com Earth Lusca
Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents - A previously unidentified Chinese espionage group has managed to breach at least 70 organizations across 23 countries, including 48 in the government space, despite using rather standard-fare tactics, techniques, and procedures. Fitting such a ...
1 year ago Darkreading.com CVE-2023-32315 CVE-2022-21587 BlackTech Mustang Panda Volt Typhoon
Chinese hacking documents offer glimpse into state surveillance - Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government - a trove that catalogs apparent hacking ...
1 year ago Apnews.com
Cybersecurity Crisis Looms: FBI Chief Unveils Chinese Hackers' Plan to Target US Infrastructure - As the head of the FBI pointed out Wednesday, Beijing was positioning itself to disrupt the daily lives of Americans if there was ever a war between the United States and China if it were to plant malware to damage civilian infrastructure. U.S. ...
1 year ago Cysecurity.news Volt Typhoon
Microsoft: Exchange 2016 and 2019 reach end of support in six months - This week's warning comes after Microsoft reminded IT admins in January that Exchange Server 2016 and Exchange Server 2019 will no longer receive technical support starting in October. The Exchange Server Engineering Team also shared guidance for ...
1 month ago Bleepingcomputer.com
The ticking time bomb of Microsoft Exchange Server 2013 - This is, of course, a common issue since 2021 or so, due to Exchange Server security woes- however there has been an abnormally high increase in the past few months, making me think there was some kind of Exchange Server zero day perhaps. In my own ...
1 year ago Doublepulsar.com
Uncovering Chinas Surveillance of the United States Spies Hackers and Informants - Last week, a Chinese surveillance balloon in the United States caused a diplomatic uproar and raised concerns about how Beijing collects intelligence on its biggest rival. FBI Director Christopher Wray said in 2020 that Chinese spying is the most ...
2 years ago Securityweek.com Silence
Belgium probes if Chinese hackers breached its intelligence service - According to The Brussels Times, the hacked server also routed internal HR exchanges among Belgian intelligence personnel, raising concerns about the potential exposure of sensitive personal data including identity documents and CVs belonging to ...
3 months ago Bleepingcomputer.com APT3 APT30 GALLIUM
What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
1 year ago Techtarget.com Cozy Bear APT29
Earth Alux Hackers Employ VARGIET Malware to Attack Organizations - Initially targeting the Asia-Pacific region, the group expanded its operations to Latin America by mid-2024, primarily focusing on government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors in countries ...
2 months ago Cybersecuritynews.com
Sandman APT Gains Traction: Chinese Hackers Amplify Cybersecurity Risks - Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the ...
1 year ago Cysecurity.news APT41
iSoon's Secret APT Status Exposes China's Foreign Hacking Machination - A trove of leaked documents has revealed the Chinese government works with private sector hackers to spy on foreign governments and companies, domestic dissidents, ethnic minorities, and more. On Feb. 16, an anonymous individual with unknown motives ...
1 year ago Darkreading.com Aquatic Panda
Lawmakers: Ban TikTok to Stop Election Misinformation! Same Lawmakers: Restrict How Government Addresses Election Misinformation! - In a case being heard Monday at the Supreme Court, 45 Washington lawmakers have argued that government communications with social media sites about possible election interference misinformation are illegal. Just this week the vast majority of those ...
1 year ago Eff.org
Earth Lusca - Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the ...
1 year ago Attack.mitre.org APT41 Earth Lusca Winnti Group
FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches - In January, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against Sichuan Juxinhe Network Technology, a Chinese cybersecurity firm believed to be directly involved in the Salt Typhoon telecom ...
1 month ago Bleepingcomputer.com
DHS and FBI: Chinese Drones Pose Major Threat to U.S. Security - The cybersecurity arm of the Department of Homeland Security and the Federal Bureau of Investigation have jointly issued a public service announcement cautioning about the potential risks posed by Chinese-manufactured drones to critical ...
1 year ago Cysecurity.news
Chinese Hackers Turn To Golang For Malware - Chinese hackers are increasingly turning to the open-source programming language Golang to maliciously code and launch new cyberattacks. According to the latest analysis by The Hacker News, this has resulted in an increase in the number of cyber ...
2 years ago Thehackernews.com BlackTech Carbanak
Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug - Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting. CVE-2024-21410 is an ...
1 year ago Darkreading.com CVE-2024-21410 CVE-2024-2140 CVE-2024-21412 CVE-2024-21351 Fancy Bear
Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors - Trend Micro researchers identified that Earth Ammit’s operations demonstrate sophisticated understanding of supply chain vulnerabilities, employing two distinct attack paths: classic supply chain attacks that inject malicious code into ...
2 weeks ago Cybersecuritynews.com
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks - Tens of thousands of Microsoft Exchange email servers in Europe, the U.S., and Asia exposed on the public internet are vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer ...
1 year ago Bleepingcomputer.com CVE-2021-26855 CVE-2021-27065
Microsoft Exchange Servers Vulnerable to Cyberattacks - Microsoft Exchange Servers are becoming increasingly vulnerable to cyberattacks due to unpatched security vulnerabilities. Microsoft has recently released several critical patches for Exchange Servers, but it is still not enough to prevent possible ...
2 years ago Hackread.com
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
1 year ago Bleepingcomputer.com CVE-2023-38831 CVE-2023-40477 APT28
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
7 months ago Aws.amazon.com