Cybersecurity Threat: Earth Estries Group Identified
/ 3 min read
Quick take - Earth Estries, also known as Salt Typhoon, is a high-level cyber threat actor that has been active since 2020, employing various malware and tactics to exploit system vulnerabilities, particularly targeting Microsoft Exchange servers and utilizing tools for lateral movement and credential theft, while cybersecurity recommendations emphasize the need for robust defenses against such threats.
Fast Facts
- Earth Estries, also known as Salt Typhoon, is a high-level cyber threat actor active since 2020, utilizing various malware like Zingdoor and Snappybee in their operations.
- The group targets system vulnerabilities, particularly focusing on Microsoft Exchange servers and network management tools, employing two distinct attack chains for exploitation.
- Initial access is gained through vulnerabilities in external services, with tools like PsExec and Cobalt Strike used for lateral movement and maintaining persistence within compromised networks.
- Data exfiltration is conducted via cURL to anonymized file-sharing services, with sensitive documents collected using RAR and credential dumping facilitated by tools like NinjaCopy.
- Cybersecurity recommendations include securing external services, patching vulnerabilities, implementing robust credential management, and utilizing monitoring tools like Trend Micro Vision One for threat detection.
Cybersecurity Alert: Earth Estries, Known as Salt Typhoon, Poses High-Level Threat
Earth Estries, also referred to as Salt Typhoon, is a high-level threat actor active since at least 2020. The group employs a range of tactics, techniques, and tools in its cyber operations, including malware variants such as Zingdoor and Snappybee. These are utilized in two distinct attack chains targeting system vulnerabilities, notably focusing on Microsoft Exchange servers and network adapter management tools.
Attack Chains and Tools
The first attack chain involves deploying tools like PsExec, Trillclient, Hemigate, and Crowdoor, delivered through CAB file deliveries. The second attack chain leverages malware such as Zingdoor and Snappybee, delivered via cURL downloads. Earth Estries maintains persistence in compromised environments by continuously updating their tools and utilizing backdoors for lateral movement and credential theft.
Initial access to target systems is typically gained through exploiting vulnerabilities in external services or remote management utilities, such as QConvergeConsole. The group has demonstrated an in-depth understanding of their target environments, evidenced by their use of wget to download documents from internal systems. Once inside, Earth Estries employs Cobalt Strike as a first-stage backdoor, with Crowdoor used as a newer variant for maintaining access within networks.
Lateral Movement and Data Exfiltration
Lateral movement is facilitated by PSExec and WMIC, allowing the group to install backdoors and tools across the network effectively. Trillclient plays a crucial role in collecting user credentials from browser caches, enhancing the group’s foothold in compromised networks. Sensitive documents are collected using RAR, and data exfiltration is conducted via cURL to anonymized file-sharing services.
The second attack chain begins with the exploitation of Microsoft Exchange servers, allowing the implantation of a web shell and the deployment of Cobalt Strike. The group employs various loading methods for Cobalt Strike, including DLL sideloading and executable loaders. Credential dumping is facilitated by tools like NinjaCopy, which can bypass certain file protections, further strengthening the group’s operational capacity.
Recommendations for Defense
To defend against threats posed by Earth Estries, cybersecurity recommendations include securing external-facing services and patching known vulnerabilities. Implementing robust credential management practices is also advised. Additionally, tools such as Trend Micro Vision One are available for monitoring and tracking malicious activities and indicators of compromise. The report highlights the importance of constant vigilance, emphasizing that a multilayered defense strategy is essential to counter evolving cyber threats effectively.
Original Source: Read the Full Article Here
