Saturday , September 7 2024
hacker

Trend Micro report
Earth Krahang hackers breach 70 orgs in 23 countries

The APT group ‘Earth Krahang’ has hacked 70 organizations and attacked at least 116 in 45 countries. Trend Micro researchers have been monitoring a campaign targeting government organizations since early 2022.

Cisco released security updates for two critical security flaws

CISCO released security updates for two critical security flaws impacting its smart Licensing Utility that could allow unauthenticated, remote attackers...
Read More
Cisco released security updates for two critical security flaws

OpenBAS: Cutting-edge breach and attack simulation platform

OpenBAS is a platform that helps organizations to plan, schedule, and conduct crisis exercises, adversary simulations, and breach simulations. OpenBAS...
Read More
OpenBAS: Cutting-edge breach and attack simulation platform

Critical Security Flaws Patched in Zyxel Networking Devices

Zyxel has released software updates to fix a serious security issue in certain access point (AP) and security router versions....
Read More
Critical Security Flaws Patched in Zyxel Networking Devices

CVE-2024-38811: CEV In VMware Fusion Unveiled

VMware released a security advisory for a major vulnerability in the VMware Fusion product. This vulnerability could be exploited by...
Read More
CVE-2024-38811: CEV In VMware Fusion Unveiled

CERT-IN Warns Vulnerabilities in Palo Alto Networks applications

Indian Computer Emergency Response Team (CERT-IN) issued advisories about multiple vulnerabilities in various Palo Alto Networks applications. Attackers could exploit...
Read More
CERT-IN Warns Vulnerabilities in Palo Alto Networks applications

How Malaysia’s Data Centre Industry Poised for Growth

Malaysia is quickly becoming a leading choice for investing in data centers. It aims to generate RM3.6 billion (US$781 million)...
Read More
How Malaysia’s Data Centre Industry Poised for Growth

RansomHub exfiltrated data over 210 victims: US alert

US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data...
Read More
RansomHub exfiltrated data over 210 victims: US alert

Godzilla Fileless Backdoor Exploits Atlassian Confluence flaw

There is a new way to attack Atlassian Confluence using the vulnerability CVE-2023-22527. The Confluence Data Center and Server products...
Read More
Godzilla Fileless Backdoor Exploits Atlassian Confluence flaw

New Cicada ransomware targets VMware ESXi servers

The Cicada3301 ransomware is made in Rust and attacks Windows and Linux/ESXi hosts. Truesec researchers examined a version that targets...
Read More
New Cicada ransomware targets VMware ESXi servers

Monday hits two UK bank apps causes outages

Lloyds Bank and Virgin Money's internet banking services were down on Monday, causing trouble for users to access and view...
Read More
Monday hits two UK bank apps causes outages

The group targeted 116 organizations in 35 countries and confirmed at least 70 compromises, including organizations linked to world governments. Victims also include education, telecommunications, finance, IT, and sports sectors. The highest number of victims are in Asia, but cases are also in the Americas, Europe, and Africa.

Earth Krahang‘s Intrusion Tactics:
The first step is to search the Internet for public servers that are connected to government organizations. To find weaknesses, the attacker can use various open source tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan. The attacker focuses on two specific vulnerabilities: CVE-2023-32315, a command execution vulnerability in the real-time collaboration server Openfire with a CVSS rating of 7.5, and CVE-2022-21587, a critical command execution issue rated 9.8 in Oracle’s E-Business Suite’s Web Applications Desktop Integrator.
Figure 2. The Python script used by Earth Krahang to send spear-phishing emails to other governments via a stolen government account (redacted)
Once the group gains access to a public server, they use open source software to search for sensitive files, passwords (especially for email), and other valuable resources, such as neglected subdomains that could lead to more unattended servers. They also use brute force attacks, such as using a list of common passwords to break into Microsoft Exchange servers through Outlook on the Web.
“While it may seem like open source should be easy to detect,” says Jon Clay, vice president of threat intelligence at Trend Micro, “the reality is that there are many TTPs here that have to be found and detected. Also, the use of defense evasion tactics by this adversary can be utilized to ensure the victims are unable to defend.”

Earth Krahang’s Exploitation and Stealth Tactics:

By the end of all this (and much more), the attacker can perform two primary actions: drop backdoors on compromised servers, and hijack email accounts.

The attackers use real email accounts to trick victims into thinking they are safe. By using legitimate accounts and sending emails with convincing subject lines and malicious attachments, they can deceive people.

Figure 3. The Python script used by Earth Krahang to exfiltrate the victim’s mailbox

Whether via email or a vulnerability in a Web server, Earth Krahang’s various targets end up downloading one or multiple backdoors.

In its first attacks around 2022, the group used “RESHELL,” a basic custom .NET tool to gather information, drop files, and run system commands, with AES-encrypted command-and-control (C2) communication.
In 2023, the group started using “XDealer,” a new tool with advanced features like keylogging, taking screenshots, and stealing from the clipboard. XDealer works on both Windows and Linux and some of its loaders have real code-signing certificates, including certificates from a human resources company and a game development company that were likely stolen to make it harder to detect the malware. Trend Micro provided this information.

Earth Krahang has also made use of ancient threats like PlugX and ShadowPad, and it frequently deploys Cobalt Strike in combination with another open source tool (RedGuard) that prevents cybersecurity analysts from pinning down its C2 infrastructure.

Due to the straightforward nature of the threat actor, it is crucial to follow standard best practices for protection against these TTPs. Organizations should strengthen their email security against spear phishing, regularly update and patch systems to defend against known vulnerabilities, and implement network segmentation to restrict an attacker’s movement within their networks. Additionally, monitoring for abnormal network traffic and unusual access patterns can aid in early detection of such campaigns.

 

Check Also

bee

New Cicada ransomware targets VMware ESXi servers

The Cicada3301 ransomware is made in Rust and attacks Windows and Linux/ESXi hosts. Truesec researchers …

Leave a Reply

Your email address will not be published. Required fields are marked *