A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries.
According to Trend Micro researchers monitoring the activity, the campaign has been underway since early 2022 and focuses primarily on government organizations.
Specifically, the hackers have compromised 48 government organizations, 10 of which are Foreign Affairs ministries, and targeted another 49 government agencies.
The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage.
Earth Krahang abuses its presence on breached government infrastructure to attack other governments, builds VPN servers on compromised systems, and performs brute-forcing to crack passwords for valuable email accounts.
The threat actors employ open-source tools to scan public-facing servers for specific vulnerabilities, such as CVE-2023-32315 and CVE-2022-21587.
Once inside the network, Earth Krahang uses the compromised infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails from hacked government email accounts to its colleagues or other governments.
These emails contain malicious attachments that drop backdoors onto the victims' computers, spreading the infection and achieving redundancy in case of detection and cleanup.
Trend Micro says the attackers use compromised Outlook accounts to brute force Exchange credentials, while Python scripts that specialize in exfiltrating emails from Zimbra servers were also spotted.
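The brute-forcing of Exchange credentials described above is the kind of activity a defender can surface from authentication logs before a valid account is found. The following Python script is an added illustrative example, not code from the article or from Trend Micro; it assumes a constructed log format of `<timestamp> <source_ip> <account> <result>` and uses sample lines made up for this example. It flags any source that accumulates a threshold of failed logons inside a sliding time window, and reports how many distinct accounts were tried so that a password spray (one source, many accounts) stands out from a single-account brute force.

```python
"""Flag credential brute-forcing / password spraying against Exchange-style
authentication logs.

Added example for illustration only; not code from the article or from
Trend Micro.  The log format below is an assumption:
    <ISO-8601 timestamp> <source_ip> <account> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation/test addresses, not real data).
# 203.0.113.7  : six failures across six accounts in under a minute (spray)
# 198.51.100.2 : two failures then a success for one user (normal typo)
# 192.0.2.9    : six failures, but spread six minutes apart (below window)
SAMPLE_LOG = """\
2024-03-18T10:00:01Z 203.0.113.7 alice@example.gov FAIL
2024-03-18T10:00:09Z 203.0.113.7 bob@example.gov FAIL
2024-03-18T10:00:17Z 203.0.113.7 carol@example.gov FAIL
2024-03-18T10:00:26Z 203.0.113.7 dave@example.gov FAIL
2024-03-18T10:00:35Z 203.0.113.7 erin@example.gov FAIL
2024-03-18T10:00:44Z 203.0.113.7 frank@example.gov FAIL
2024-03-18T10:01:00Z 198.51.100.2 alice@example.gov FAIL
2024-03-18T10:01:12Z 198.51.100.2 alice@example.gov FAIL
2024-03-18T10:01:20Z 198.51.100.2 alice@example.gov SUCCESS
2024-03-18T10:05:00Z 192.0.2.9 bob@example.gov FAIL
2024-03-18T10:11:00Z 192.0.2.9 bob@example.gov FAIL
2024-03-18T10:17:00Z 192.0.2.9 bob@example.gov FAIL
2024-03-18T10:23:00Z 192.0.2.9 bob@example.gov FAIL
2024-03-18T10:29:00Z 192.0.2.9 bob@example.gov FAIL
2024-03-18T10:35:00Z 192.0.2.9 bob@example.gov FAIL
"""

FAIL_THRESHOLD = 5            # failures inside one window that trigger an alert
WINDOW = timedelta(minutes=5)  # sliding window length


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def find_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for every source whose failed logons reach
    `threshold` within any `window`-long interval.

    The summary carries the total failure count, the number of distinct
    accounts tried, and a coarse label: "spray" when more than one account
    was targeted, otherwise "brute_force".
    """
    failures = defaultdict(list)  # source_ip -> [(timestamp, account), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, account))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over the sorted failure timestamps.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                accounts = {a for _, a in events}
                alerts[ip] = {
                    "failures": len(events),
                    "distinct_accounts": len(accounts),
                    "pattern": "spray" if len(accounts) > 1 else "brute_force",
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, summary in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

In the constructed sample only `203.0.113.7` is reported, labelled as a spray across six accounts; the single user with two typos and the slow source that never reaches five failures inside a five-minute window stay quiet. Threshold and window are deliberately parameters, since the right values depend on the volume of legitimate failures an organisation's Exchange or OWA front end normally sees.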
The threat group also builds VPN servers on compromised public-facing servers using SoftEtherVPN to establish access to the private networks of their victims and further their ability to move laterally within those networks.
Having established their presence on the network, Earth Krahang deploys malware and tools such as Cobalt Strike, RESHELL, and XDealer, which provide command execution and data collection capabilities.
Trend Micro says it initially found ties between Earth Krahang and the China-nexus actor Earth Lusca, based on command and control overlaps, but determined that this is a separate cluster.
It is possible that both threat groups operate under the Chinese company I-Soon, working as a dedicated task force for cyberespionage on government entities.
RESHELL has been previously associated with the 'Gallium' group and XDealer with the 'Luoyu' hackers.
Trend Micro's insight shows these tools are likely shared between the threat actors, each using a distinct encryption key.
The complete list of the indicators of compromise for this Earth Krahang campaign is published separately here.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 18 Mar 2024 20:50:11 +0000