Chinese APT Hackers Using Multiple Tools And Vulnerabilities To Attack Telecom Orgs


Nov 27, 2024 - 15:56

Since 2023, the Chinese APT group Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) has mostly targeted government agencies and vital industries, including telecoms in the US, Asia-Pacific, Middle East, and South Africa.

The group uses sophisticated attack methods and several backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, which impact several government agencies and telecommunications firms in Southeast Asia.

The group has compromised more than 20 organizations, targeting a variety of businesses such as telecommunications, technology, consulting, chemical, and transportation, as well as government institutions and non-governmental organizations (NGOs) in many countries.


Victimology map of Earth Estries

Evolving Tactics Of The Chinese APT Group

According to TrendMicro, GHOSTSPIDER, a new backdoor, was found during attacks on telecom businesses in Southeast Asia. 

GHOSTSPIDER is a multi-layered, advanced multi-modular backdoor that loads several modules according to predetermined criteria. It uses a custom protocol protected by Transport Layer Security (TLS) to communicate with its C&C server.

GHOSTSPIDER infection chain

The group also used SNAPPYBEE, a modular backdoor also known as Deed RAT, which is a tool shared among several Chinese APT groups.

Additionally, Earth Estries uses MASOL RAT, a cross-platform backdoor first identified in 2020, from its PDB string, while investigating incidents at government organisations in Southeast Asia.

But this year, researchers saw that Earth Estries has started using Linux-based MASOL RAT to target government networks in Southeast Asia. 

Since 2020, Earth Estries has been carrying out prolonged attacks against governments and internet service providers.

Notably, researchers found that the attackers compromised the telecom company’s vendor network in addition to vital services (such as database servers and cloud servers).

The attackers were found to have infected vendor machines with the DEMODEX rootkit.

DEMODEX Rootkit Infection Chain

Earth Estries is actively targeting victims’ servers that are visible to the public. They were observed taking advantage of server-based N-day vulnerabilities, such as the following:

List of vulnerabilities exploited by Earth Estries

“After gaining control of the vulnerable server, we observed that the attackers leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe for lateral movement, and deployed customized malware such as SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities against their targets”, researchers said.
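The WMIC and PsExec lateral movement the researchers describe leaves process-creation evidence that defenders can match on. The following Python is an added example, not code from the article or from Trend Micro: it flags remote WMIC process creation, PsExec client launches and the PSEXESVC service binary over constructed Sysmon-style events (all hostnames, accounts and paths are made up).

```python
import re
from typing import Optional
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 / 4688 style), reduced to
# the fields the rules need. Fabricated for illustration; not taken from the article.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:DB01 /user:corp\svc process call create "cmd /c whoami"'},
    {"host": "DB01", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ADM01", "image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\APP02 -s cmd.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": r"wmic os get caption"},
]

WMIC_NODE = re.compile(r'/node:"?([^\s",]+)', re.IGNORECASE)   # remote host after /node:
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")                    # host after \\


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding if the event matches a WMIC or PsExec lateral-movement pattern."""
    name = _basename(event["image"])
    cmd = event["cmdline"]
    low = cmd.lower()
    # WMIC is noisy on the local host; only remote process creation is of interest.
    if name == "wmic.exe" and "/node:" in low and "process call create" in low:
        m = WMIC_NODE.search(cmd)
        return {"host": event["host"], "technique": "wmic_remote_exec",
                "target": m.group(1) if m else None}
    # PsExec client launched against a \\target: outbound lateral movement.
    if name in ("psexec.exe", "psexec64.exe"):
        m = PSEXEC_TARGET.search(cmd)
        return {"host": event["host"], "technique": "psexec_client",
                "target": m.group(1) if m else None}
    # PSEXESVC is the service PsExec installs on the destination: inbound evidence.
    if name == "psexesvc.exe":
        return {"host": event["host"], "technique": "psexec_service", "target": event["host"]}
    return None


def detect(events: list) -> list:
    """Run classify() over a batch of events and keep the hits."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Pairing a `psexec_client` hit on one host with a `psexec_service` hit on the named target in the same time window gives a much higher-confidence lateral-movement alert than either event alone.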

Multiple teams monitor Earth Estries’ complex C&C infrastructure. Their activities frequently overlap with the TTPs of other well-known Chinese APT groups, suggesting that they may be using shared tools from malware-as-a-service vendors.

Earth Estries performs stealthy attacks that begin with edge devices and spread to cloud environments, making detection tough.

They demonstrate a high degree of skill in their approach to accessing and monitoring sensitive targets by using a variety of techniques to create operational networks that successfully hide their cyber espionage activities.

Thus, it is imperative that companies and their security personnel maintain vigilance and proactively fortify their cybersecurity defenses against cyberespionage efforts.


