Teacher
The group uses an extensive arsenal of malware to infiltrate government networks.
According to security researchers, an ongoing campaign that has been running since the beginning of 2022 and is attributed to the Chinese cyber threat group Earth Krahang has hit at least 116 organizations in 45 countries around the world, 70 of which could not withstand the attackers and were compromised.
Researchers at Trend Micro, who track the group's activity, report that the targets are mainly government bodies.
Looking at the affected organizations, the experts reported the following results of the malicious campaign: 48 government organizations, including 10 Ministries of Foreign Affairs, were directly affected during these attacks, and another 49 state agencies were targeted but narrowly escaped becoming victims of the Chinese cybercriminals.
The hackers used vulnerabilities in Internet-facing servers and specially prepared phishing emails to deploy custom backdoors for the purpose of cyber espionage.
The attackers scanned public servers for vulnerabilities such as CVE-2023-32315 (Openfire) and CVE-2022-21587 (Control Web Panel) to gain unauthorized access and maintain a presence in victims' networks.
For initial access, targeted phishing messages were used whose subject matter was built around geopolitical events, in order to entice recipients into opening attachments or clicking on links.
After breaking into a network, Earth Krahang used the compromised infrastructure to host malicious downloads, redirect attack traffic, and send targeted phishing emails from hacked government mailboxes.
In one case, the group used a compromised mailbox of a government agency to send a malicious attachment to 796 email addresses belonging to the same institution. This method of attack is known as BEC (business email compromise).
Earth Krahang also actively installs VPN servers on compromised public servers using SoftEther VPN to reach victims' private networks and move further inside them.
Using malware and tools such as Cobalt Strike, RESHELL, and XDealer, the group executes commands and collects data. XDealer supports both Linux and Windows and can take screenshots, log keystrokes, and capture clipboard data.
Trend Micro's research points to links between Earth Krahang and other Chinese cyber threat groups, suggesting that these groups may be operating within a single company engaged in government cyber espionage.
The full list of indicators of compromise (IoCs) for this Earth Krahang campaign is published in the researchers' full report, giving security professionals the information they need to ensure that the organizations they protect are defended against this widespread cyber threat.
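The internal fan-out case described in the post (one compromised government mailbox delivering a malicious attachment to 796 colleagues) is a pattern a mail-security team can alert on without any campaign-specific IoC: a single sender pushing an attachment to an unusually large number of distinct recipients in its own domain within a short window. The detection sketch below is an added example and not code from the post or from Trend Micro's report. The log line format (timestamp plus key=value fields, one line per recipient delivery), the `agency.example` domain, the recipient names and the thresholds are all constructed assumptions; a real deployment would read the mail server's own delivery log and tune `threshold` and `window` to the organization's normal bulk-mail behaviour.

```python
"""
Detection sketch for the fan-out pattern described in the post: one
compromised mailbox delivers a message with an attachment to many
recipients in the same organisation within a short time.

Constructed sample data: the log lines are generated below for the example.
The line format (timestamp plus key=value fields, one line per recipient)
is an assumption, not the format of any real mail server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO UTC timestamp> from=<addr> to=<addr> attachment=<0|1>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> attachment=(?P<att>[01])$"
)


def parse_line(line):
    """Parse one assumed-format delivery line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "sender": m["sender"].lower(),
        "rcpt": m["rcpt"].lower(),
        "attachment": m["att"] == "1",
    }


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def find_mass_internal_fanout(lines, threshold=50, window=timedelta(minutes=30)):
    """Return {sender: peak distinct internal recipients} for every sender that,
    inside some time window of length `window`, delivered an attachment to at
    least `threshold` distinct recipients in its own domain. Deliveries without
    an attachment, or to other domains, are ignored by this rule."""
    deliveries = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["attachment"]:
            continue
        if domain_of(ev["rcpt"]) != domain_of(ev["sender"]):
            continue
        deliveries[ev["sender"]].append((ev["ts"], ev["rcpt"]))

    alerts = {}
    for sender, events in deliveries.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until events[start] is within `window` of events[end]
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({r for _, r in events[start:end + 1]}))
        if peak >= threshold:
            alerts[sender] = peak
    return alerts


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed log: one benign small send, one external bulk send, one
    internal bulk send without attachment, one compromised-mailbox burst,
    and one malformed line."""
    t0 = datetime(2024, 3, 18, 9, 0, 0)
    lines = []
    for i, r in enumerate(["a.ivanova", "b.chen", "c.okafor"]):   # benign: report to 3 colleagues
        lines.append(f"{_ts(t0 + timedelta(seconds=i))} from=<d.lee@agency.example> "
                     f"to=<{r}@agency.example> attachment=1")
    for i in range(80):                                            # bulk send to an external list
        lines.append(f"{_ts(t0 + timedelta(seconds=i))} from=<press@agency.example> "
                     f"to=<sub{i}@news.example> attachment=1")
    for i in range(60):                                            # internal bulk, no attachment
        lines.append(f"{_ts(t0 + timedelta(seconds=i))} from=<hr@agency.example> "
                     f"to=<staff{i}@agency.example> attachment=0")
    for i in range(60):                                            # the suspicious burst
        lines.append(f"{_ts(t0 + timedelta(minutes=10, seconds=i * 3))} "
                     f"from=<registry@agency.example> to=<staff{i}@agency.example> attachment=1")
    lines.append("malformed line that should be skipped")
    return lines


if __name__ == "__main__":
    for sender, n in find_mass_internal_fanout(build_sample_log()).items():
        print(f"ALERT {sender}: attachment delivered to {n} internal recipients")
```

The rule deliberately counts distinct internal recipients rather than raw message volume, so a newsletter mailbox sending to an external list or an HR announcement without an attachment does not trip it, while a burst like the one in the post does. Alerts from this rule are a trigger to quarantine the message and check the sending mailbox for unauthorized access, since the sender is a legitimate internal account that has been taken over rather than a spoofed external one.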