| Category | Details |
|---|---|
| Threat Actors | Earth Estries (aliases: Famous Sparrow, Ghost Emperor, Salt Typhoon, UNC2286) |
| Campaign Overview | Advanced cyber espionage campaigns targeting critical infrastructure, government entities, and key industries globally |
| Target Regions | United States; Germany; South Africa; Malaysia; Philippines; Taiwan; India; Canada; Singapore |
| Methodology | Dual attack chains (via CAB files or cURL downloads); exploitation of vulnerabilities in systems such as Microsoft Exchange Server; keylogging; DLL sideloading; memory-resident malware operations |
| Products Targeted | Microsoft Exchange Server; Ivanti Connect Secure; Fortinet FortiClient EMS; Sophos Firewall; IoT devices; Virtual Private Servers (VPS); Windows systems |
| Malware Reference | HemiGate; GhostSpider; Zingdoor; Cobalt Strike; MASOL RAT; SNAPPYBEE; Demodex rootkit |
| Tools Used | PsExec; Trillclient; HemiGate; Crowdoor; CAB files; cURL; encrypted communications; anonymized file-sharing services |
| Vulnerabilities Exploited | CVE-2023-46805; CVE-2024-21887; CVE-2023-48788; exploits in Microsoft Exchange Server, Ivanti, Fortinet, and Sophos products |
| TTPs | Data exfiltration via anonymized services; prolonged persistence with modular malware; encryption for stealth; in-memory operation to evade detection; exploitation of N-day vulnerabilities |
| Attribution | Earth Estries, suspected to be a Chinese APT group |
| Recommendations | Patch systems to address the exploited vulnerabilities; monitor for persistence and lateral movement; implement advanced threat detection; strengthen defenses against in-memory malware and encrypted C&C |
| Source | CYFIRMA |
Read full article: https://www.cyfirma.com/research/apt-profile-earth-estries/
The above summary has been generated by an AI language model.