Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese cyber-espionage group Emissary Panda has been targeting government organizations in two different countries in the Middle East, Palo Alto Networks security researchers say.

Also tracked as APT27, TG-3390, Bronze Union, and Lucky Mouse, the threat group has been active since at least 2010, targeting hundreds of organizations worldwide, including U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others.

Emissary Panda activity observed in April 2019 involved the installation of webshells on SharePoint servers, likely through exploitation of the recently patched remote code execution vulnerability in SharePoint tracked as CVE-2019-0604.

Following the initial network compromise, the actor uploaded a variety of tools to sustain additional activities, including credential dumping and locating and pivoting to additional systems on the network. The group employed tools to identify and exploit systems vulnerable to CVE-2017-0144, the security flaw exploited by EternalBlue.

The identified activity appears related to the CVE-2019-0604 exploitation mentioned last month in security alerts from the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security.

As part of the attacks, the actor used the webshells to upload legitimate executables, which were then used for DLL sideloading to run malicious code that overlaps with known Emissary Panda attacks, Palo Alto Networks reports.

Between April 1 and April 16, the cyber-spies used webshells to upload 24 unique executables on three SharePoint servers hosted by two different government organizations. Several of the same tools were uploaded across the three webshells, suggesting that a single threat group was involved. 

Some of the uploaded tools included legitimate applications such as cURL, post-exploitation tools such as Mimikatz, tools to scan for and exploit potential vulnerabilities in the network, and custom backdoors such as HyperBro, which is commonly associated with Emissary Panda. 


“Based on the functionality of the various tools uploaded to the webshells, we believe the threat actors breach the SharePoint servers to use as a beachhead, then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities,” Palo Alto Networks says.

One of the webshells was identified as a variant of the Antak webshell, which is part of Nishang, a tool created for red teaming, while the other webshells appear related to the China Chopper webshell. The researchers are therefore not certain that a single actor installed all of them, although Emissary Panda and China Chopper are likely related.
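The activity described above, webshells placed on SharePoint servers and then driven to upload tooling, leaves traces in the web server's request logs. The following Python script is an added example, not code from the article or from Palo Alto Networks, showing one way a defender can triage IIS W3C logs for webshell-style traffic: POST requests to .aspx files in directories that normally hold static content, issued without an authenticated user, from a non-browser user agent. The log lines, the field order, the path prefixes in STATIC_DIRS and the user-agent patterns are all constructed for the example and are assumptions, not indicators from the campaign.

```python
"""Triage IIS W3C logs on a SharePoint server for possible webshell traffic."""
import re
from collections import Counter

# Constructed sample IIS W3C log excerpt (not real data). The field order
# mirrors a typical IIS logging configuration; IIS writes '-' for empty values.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-04-02 08:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 200
2019-04-02 08:00:05 10.0.0.5 POST /_layouts/15/Picker.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 200
2019-04-02 09:12:44 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 203.0.113.7 python-requests/2.21 200
2019-04-02 09:12:51 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 203.0.113.7 python-requests/2.21 200
2019-04-02 09:13:02 10.0.0.5 POST /_layouts/15/images/help.aspx - 443 - 203.0.113.7 python-requests/2.21 200
"""

# Hypothetical tuning values: directories under the SharePoint LAYOUTS tree
# that should only serve static files, and user agents browsers never send.
STATIC_DIRS = ("/_layouts/15/images/", "/_layouts/images/")
TOOL_UA = re.compile(r"(python-requests|curl|wget|go-http-client)", re.I)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or pre-header lines
        yield dict(zip(fields, parts))


def score(rec):
    """Return the list of reasons a request looks like webshell interaction."""
    reasons = []
    stem = rec["cs-uri-stem"].lower()
    if rec["cs-method"] == "POST" and stem.endswith(".aspx"):
        if stem.startswith(STATIC_DIRS):
            reasons.append("post to script in static directory")
        if rec["cs-username"] == "-":
            reasons.append("anonymous post")
        if TOOL_UA.search(rec["cs(User-Agent)"]):
            reasons.append("non-browser user agent")
    return reasons


def find_webshell_candidates(text, min_reasons=2):
    """Group suspicious requests by (client, uri) and return them, busiest first."""
    hits = Counter()
    details = {}
    for rec in parse_w3c(text):
        reasons = score(rec)
        if len(reasons) >= min_reasons:
            key = (rec["c-ip"], rec["cs-uri-stem"])
            hits[key] += 1
            details[key] = reasons
    return [
        {"client": ip, "uri": uri, "requests": n, "reasons": details[(ip, uri)]}
        for (ip, uri), n in hits.most_common()
    ]


if __name__ == "__main__":
    for finding in find_webshell_candidates(SAMPLE_LOG):
        print(finding)
```

Requiring at least two independent reasons keeps a single unauthenticated POST to a legitimate page from being flagged on its own; the authenticated, browser-originated POST to Picker.aspx in the sample scores zero, while the repeated anonymous tool-driven POSTs to a script under an images directory are grouped into one finding. Any hit should be confirmed by checking the file on disk against the SharePoint installation's known content before it is treated as a webshell.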

The HyperBro backdoor used in these attacks supports commands to manage files, enumerate logical storage volumes, delete files, upload and download files, list the contents of a folder, run an application, execute shell commands, take screenshots, run shellcode, kill processes, and list and manage services.

The security researchers also found that the group used additional sideloaded payloads in this campaign, though they had not yet been able to retrieve them.

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes.

Related: Microsoft SharePoint Vulnerability Exploited in the Wild

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks

Written by Ionut Arghire, an international correspondent for SecurityWeek.
