New Cyber Threat Group Targets Global Critical Sectors
Quick take - Earth Estries, a Chinese advanced persistent threat group active since 2023, has targeted critical global sectors such as telecommunications and government entities using sophisticated attack techniques and malware, compromising over 20 organizations across multiple regions.
Fast Facts
- Earth Estries is a Chinese APT group active since 2023, targeting critical sectors globally, including telecommunications and government entities.
- The group has compromised over 20 organizations across diverse sectors, employing sophisticated attack techniques and various backdoors like GHOSTSPIDER and MASOL RAT.
- Their operations involve exploiting vulnerabilities in public-facing servers and utilizing living-off-the-land binaries for lateral movement within networks.
- Earth Estries has expanded its targeting to include consulting firms and NGOs associated with the U.S. federal government and military, focusing on prolonged espionage efforts.
- Organizations are advised to enhance cybersecurity defenses and utilize threat intelligence tools to combat the cyberespionage tactics employed by Earth Estries.
Earth Estries: A New Cyber Threat Targeting Global Critical Sectors
Earth Estries is a Chinese advanced persistent threat (APT) group that has been active since 2023. This group has targeted critical sectors globally, including telecommunications and government entities. Their operations span across the United States, Asia-Pacific, the Middle East, and South Africa.
Attack Techniques and Targeted Sectors
Earth Estries employs sophisticated attack techniques, utilizing a range of backdoors, notably GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, to execute their operations. The group’s activities have compromised over 20 organizations across diverse sectors such as technology, consulting, chemicals, transportation, governmental agencies, and non-governmental organizations (NGOs).
The group gains initial access by exploiting vulnerabilities in public-facing servers and employs living-off-the-land binaries for lateral movement within compromised networks. Their operations include prolonged espionage efforts, primarily focused on gathering intelligence from governments and internet service providers. In 2023, Earth Estries expanded its targeting to include consulting firms and NGOs that work closely with the U.S. federal government and military.
Notable Tools and Vulnerabilities
The attackers have specifically targeted critical services, including database and cloud servers, as well as vendor networks, facilitating access to additional targets. Notably, the group has been observed using the DEMODEX rootkit on vendor machines, enhancing access to telecommunications providers. Earth Estries exploits known vulnerabilities in widely used software and systems, including Ivanti Connect Secure VPN, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange servers.
After taking control of vulnerable servers, the group employs tools like WMIC.exe and PSEXEC.exe for lateral movement and deploys customized malware for espionage. The GHOSTSPIDER backdoor is a multi-modular tool designed for secure communication with its command and control (C&C) server, capable of loading different modules based on specific operational needs.
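The living-off-the-land lateral movement described above (WMIC.exe and PSEXEC.exe run from a compromised server) leaves a recognisable trace in process-creation telemetry: WMIC invoked with a remote /node: target, PsExec pointed at a remote host, and the PSEXESVC service binary starting on the receiving machine. The following detection logic is an added illustration from the editor, not code from Trend Micro or from the report the article summarises. The events, hostnames and user names are constructed, and the record layout is a simplified Sysmon/Event ID 4688-style process-creation event, assumed for the example.

```python
"""Flag process-creation events consistent with WMIC/PsExec lateral movement.

Added defender-side illustration; the events below are constructed and the
field layout is a simplified process-creation record (hypothetical schema).
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str      # machine on which the process was created
    user: str      # account that started the process
    parent: str    # parent image name
    image: str     # full path of the new process
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    source_host: str
    target_host: str
    user: str
    cmdline: str


# Constructed sample telemetry (hypothetical hosts and users, not real IoCs).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe", "explorer.exe",
                 "C:\\Windows\\System32\\wbem\\WMIC.exe",
                 'wmic /node:"DBSRV02" process call create "hostname"'),
    ProcessEvent("WS01", "CORP\\jdoe", "cmd.exe",
                 "C:\\Tools\\PsExec.exe",
                 "PsExec.exe \\\\FILESRV01 -s cmd.exe"),
    ProcessEvent("WS02", "CORP\\itadmin", "cmd.exe",
                 "C:\\Windows\\System32\\wbem\\WMIC.exe",
                 "wmic os get caption"),            # local inventory query: benign
    ProcessEvent("FILESRV01", "NT AUTHORITY\\SYSTEM", "services.exe",
                 "C:\\Windows\\PSEXESVC.exe",
                 "C:\\Windows\\PSEXESVC.exe"),
]

# WMIC only reaches another machine when /node: is present.
WMIC_NODE = re.compile(r'/node:"?([\w.-]+)"?', re.IGNORECASE)
# PsExec names its target as \\HOST; the regex needs two literal backslashes.
PSEXEC_TARGET = re.compile(r'\\\\([\w.-]+)')


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding for a single event, or None if it looks routine."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name == "wmic.exe":
        m = WMIC_NODE.search(ev.cmdline)
        if m:
            return Finding("wmic_remote_process_create", ev.host,
                           m.group(1), ev.user, ev.cmdline)
        return None  # WMIC without /node: acts only on the local host
    if name == "psexec.exe":
        m = PSEXEC_TARGET.search(ev.cmdline)
        if m:
            return Finding("psexec_remote_exec", ev.host,
                           m.group(1), ev.user, ev.cmdline)
        return None
    if name == "psexesvc.exe":
        # The PsExec service binary runs on the machine that RECEIVED a session,
        # so the event host is the target; the source is not in this record.
        return Finding("psexec_service_on_target", "unknown",
                       ev.host, ev.user, ev.cmdline)
    return None


def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Run classify() over a batch of events and keep only the hits."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.source_host} -> {f.target_host} as {f.user}")
```

Two design points matter in practice. First, the rules key on the remote-target syntax rather than on the tool name alone, because WMIC and PsExec are legitimately used by administrators; a bare "wmic os get caption" on a workstation should not page anyone. Second, the PSEXESVC rule fires on the destination host, which gives a second, independent signal when the source host's logging has been tampered with or is simply not collected. Correlating the source-side finding with the destination-side service start on the named target host is the natural next step in a SIEM.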
Operational Structure and Recommendations
Organizationally, Earth Estries operates with a clear division of labor, allowing different actors to target various regions and industries. The C&C infrastructure utilized by the group is complex and managed by multiple teams, indicating a high level of operational sophistication. The communication protocol employed by GHOSTSPIDER includes a connection ID in the HTTP header and supports various command codes for executing different actions.
Earth Estries has also deployed the MASOL RAT on Linux servers, specifically targeting Southeast Asian government networks. The group’s operations may involve tools shared from malware-as-a-service providers, as indicated by overlapping tactics, techniques, and procedures (TTPs) with other known Chinese APT groups. Organizations are encouraged to strengthen their cybersecurity defenses against such cyberespionage campaigns by utilizing threat intelligence tools for improved monitoring and detection. Trend Micro provides various resources, including intelligence reports and threat insights, to assist organizations in preparing for and responding to emerging threats.