Man
Professional
- Messages
- 3,038
- Reaction score
- 561
- Points
- 113
Evasive Panda hunts for cloud services in complete stealth mode.
In Taiwan, a government structure and a religious organization fell victim to the Evasive Panda hacker group associated with China. The attackers used a previously unknown set of CloudScout tools designed to compromise cloud services.
CloudScout uses stolen web browser session cookies to access data in the cloud. According to ESET experts, it is integrated with the well-known MgBot malware platform, which is used by Evasive Panda for attacks.
The attacks considered took place from May 2022 to February 2023. The malicious kit includes 10 C# modules, three of which aim to steal data from Google Drive, Gmail, and Outlook. The rest of the modules remain undisclosed.
The Evasive Panda group, also known as Bronze Highland, Daggerfly, and StormBamboo, regularly attacks targets in Taiwan and Hong Kong. Hackers are known for attacks through vulnerabilities in the supply chain and DNS spoofing, targeting the Tibetan diaspora and other groups.
CloudScout modules allow you to intercept session cookies and use them for unauthorized access to cloud services. Each module is connected via a plug-in for MgBot written in C++.
CloudScout is based on the CommonUtilities package, which contains unique libraries for HTTP requests and cookie management. These libraries provide more flexibility than publicly available solutions.
The data collected by the attackers, including emails, attachments, and documents (.doc, .xls, .pdf, etc.), is archived into ZIP files for further sending via MgBot or Nightdoor.
Attack pattern using CloudScout
According to ESET researchers, the implementation of Google's new security mechanisms, such as Device Bound Session Credentials and App-Bound Encryption, can significantly reduce the effectiveness of such cookie theft attacks.
In the era of total digitalization, even the most secure systems are becoming vulnerable to targeted cyberattacks. Hacker groups are constantly improving their tools, finding new ways to bypass existing security mechanisms, which requires organizations to be constantly vigilant and implement multi-layered data protection systems.
Source
In Taiwan, a government structure and a religious organization fell victim to the Evasive Panda hacker group associated with China. The attackers used a previously unknown set of CloudScout tools designed to compromise cloud services.
CloudScout uses stolen web browser session cookies to access data in the cloud. According to ESET experts, it is integrated with the well-known MgBot malware platform, which is used by Evasive Panda for attacks.
The attacks considered took place from May 2022 to February 2023. The malicious kit includes 10 C# modules, three of which aim to steal data from Google Drive, Gmail, and Outlook. The rest of the modules remain undisclosed.
The Evasive Panda group, also known as Bronze Highland, Daggerfly, and StormBamboo, regularly attacks targets in Taiwan and Hong Kong. Hackers are known for attacks through vulnerabilities in the supply chain and DNS spoofing, targeting the Tibetan diaspora and other groups.
CloudScout modules allow you to intercept session cookies and use them for unauthorized access to cloud services. Each module is connected via a plug-in for MgBot written in C++.
CloudScout is based on the CommonUtilities package, which contains unique libraries for HTTP requests and cookie management. These libraries provide more flexibility than publicly available solutions.
The data collected by the attackers, including emails, attachments, and documents (.doc, .xls, .pdf, etc.), is archived into ZIP files for further sending via MgBot or Nightdoor.
Attack pattern using CloudScout
According to ESET researchers, the implementation of Google's new security mechanisms, such as Device Bound Session Credentials and App-Bound Encryption, can significantly reduce the effectiveness of such cookie theft attacks.
In the era of total digitalization, even the most secure systems are becoming vulnerable to targeted cyberattacks. Hacker groups are constantly improving their tools, finding new ways to bypass existing security mechanisms, which requires organizations to be constantly vigilant and implement multi-layered data protection systems.
Source
