
Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese cyber-espionage group Emissary Panda has been targeting government organizations in two different countries in the Middle East, Palo Alto Networks security researchers say.

Also tracked as APT27, TG-3390, Bronze Union, and Lucky Mouse, the threat group has been active since at least 2010, targeting hundreds of organizations worldwide, including U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others.

Emissary Panda activity observed in April 2019 involved the installation of webshells on SharePoint servers, likely in an attempt to exploit the recently patched remote code execution vulnerability in SharePoint tracked as CVE-2019-0604.

Following the initial network compromise, the actor would upload a variety of tools to sustain additional activities, including credential dumping and locating and pivoting to additional systems on the network. The group employed tools to identify and exploit systems vulnerable to CVE-2017-0144, the security flaw exploited by EternalBlue. 

The identified activity appears related to the CVE-2019-0604 exploitation mentioned last month in security alerts from the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security.

As part of the attacks, the actor used webshells to upload legitimate executables they would use for DLL sideloading to run a malicious code that overlaps with known Emissary Panda attacks, Palo Alto Networks reports. 
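The side-loading pattern described above (a legitimate, signed executable dropped next to a malicious DLL that it resolves by name from its own directory) has a characteristic shape in image-load telemetry, which is where a defender can look for it. The following is an added example, not code from the article, Palo Alto Networks or SecurityWeek: it triages constructed image-load records whose fields mirror what an EDR or Sysmon image-load event (Event ID 7) provides, but the record layout, the publisher names and the paths are assumptions made for the example.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example; the events below are constructed, and the publisher names
and paths are placeholders rather than indicators from the campaign.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    process: str         # path of the executable that loaded the DLL
    image: str           # path of the DLL that was loaded
    process_signer: str  # Authenticode publisher of the executable ("" = unsigned)
    image_signer: str    # Authenticode publisher of the DLL ("" = unsigned)


# Directories only administrators can write to on a default install. A DLL
# loaded from anywhere else, beside a signed binary, deserves a second look.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _dir_of(path):
    """Lower-cased parent directory with a trailing backslash for prefix tests."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def sideload_reason(ev):
    """Return why this load looks like side-loading, or None if it does not."""
    if not ev.process_signer:
        return None  # unsigned loader: suspicious, but not the side-loading pattern
    proc_dir, img_dir = _dir_of(ev.process), _dir_of(ev.image)
    if proc_dir != img_dir:
        return None  # DLL came from a different directory than the executable
    if any(img_dir.startswith(t) for t in TRUSTED_DIRS):
        return None  # both files live in a protected directory
    if not ev.image_signer:
        return "unsigned DLL beside a signed executable in a writable directory"
    if ev.image_signer.lower() != ev.process_signer.lower():
        return (f"DLL signed by '{ev.image_signer}' beside an executable "
                f"signed by '{ev.process_signer}'")
    return None


def triage(events):
    """Return (process, dll, reason) for every event that matches the pattern."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.process, ev.image, reason))
    return hits


# Constructed sample events (vendor names and paths are placeholders).
SAMPLE_EVENTS = [
    # signed vendor binary staged in ProgramData next to an unsigned DLL
    ImageLoad(r"C:\ProgramData\Update\app.exe", r"C:\ProgramData\Update\helper.dll",
              "Example Vendor Inc.", ""),
    # the same product installed normally: both files signed, protected directory
    ImageLoad(r"C:\Program Files\Example Vendor\app.exe",
              r"C:\Program Files\Example Vendor\helper.dll",
              "Example Vendor Inc.", "Example Vendor Inc."),
    # system DLL resolved from System32, not from the loader's directory
    ImageLoad(r"C:\Users\Public\tool.exe", r"C:\Windows\System32\kernel32.dll",
              "Example Vendor Inc.", "Microsoft Windows"),
    # unsigned loader: a different problem, not side-loading
    ImageLoad(r"C:\Users\Public\tool.exe", r"C:\Users\Public\tool.dll", "", ""),
    # signed binary in a temp directory loading a DLL signed by someone else
    ImageLoad(r"C:\Windows\Temp\viewer.exe", r"C:\Windows\Temp\render.dll",
              "Example Vendor Inc.", "Some Other Publisher"),
]

if __name__ == "__main__":
    for process, dll, reason in triage(SAMPLE_EVENTS):
        print(f"{process} -> {dll}: {reason}")
```

The rule deliberately ignores unsigned loaders: those are worth hunting separately, but the side-loading trick depends on the executable being trusted, so the signal here is a publisher mismatch (or no signature at all) between two files sitting together in a location the attacker could write to. In production the publisher fields should come from signature verification at load time rather than from a static allowlist of vendor names.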

Between April 1 and April 16, the cyber-spies used webshells to upload 24 unique executables on three SharePoint servers hosted by two different government organizations. Several of the same tools were uploaded across the three webshells, suggesting that a single threat group was involved. 

Some of the uploaded tools included legitimate applications such as cURL, post-exploitation tools such as Mimikatz, tools to scan for and exploit potential vulnerabilities in the network, and custom backdoors such as HyperBro, which is commonly associated with Emissary Panda. 

“Based on the functionality of the various tools uploaded to the webshells, we believe the threat actors breach the SharePoint servers to use as a beachhead, then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities,” Palo Alto Networks says.

One of the webshells was identified as a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang, while other webshells appear related to the China Chopper webshell. Thus, the researchers are not certain that a single actor has installed all of them (although Emissary Panda and China Chopper are likely related). 
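Whatever the webshell family, the operator interacts with it over HTTP, so the web server's own access logs are a first place to look for it: a server-side page that only ever receives POST requests, from one or two client addresses, using non-browser user agents, is worth comparing against the files actually deployed on the server. The following is an added example, not code from the article, Palo Alto Networks or SecurityWeek. It runs that heuristic over constructed IIS W3C log lines; the host paths, addresses and the placeholder webshell path are assumptions, not indicators from the campaign.

```python
"""Heuristic triage of possible webshell traffic in IIS W3C access logs.

Added example; all log lines, paths and addresses below are constructed.
"""
from collections import defaultdict

# Constructed sample in IIS W3C format (spaces inside the user agent are
# encoded as '+' the way IIS writes them). The path "/_layouts/15/styles/sh.aspx"
# is a placeholder for a dropped page, not a path reported for this campaign.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2019-04-02 08:11:04 GET /sites/finance/SitePages/Home.aspx - 10.1.4.20 Mozilla/5.0+(Windows+NT+10.0) 200
2019-04-02 08:11:09 GET /_layouts/15/start.aspx - 10.1.4.20 Mozilla/5.0+(Windows+NT+10.0) 200
2019-04-02 08:12:40 GET /_layouts/15/upload.aspx List=docs 10.1.4.21 Mozilla/5.0+(Windows+NT+10.0) 200
2019-04-02 08:12:58 POST /_layouts/15/upload.aspx List=docs 10.1.4.21 Mozilla/5.0+(Windows+NT+10.0) 302
2019-04-02 09:03:15 POST /_layouts/15/styles/sh.aspx - 198.51.100.7 curl/7.64.0 200
2019-04-02 09:03:21 POST /_layouts/15/styles/sh.aspx - 198.51.100.7 curl/7.64.0 200
2019-04-02 09:07:02 POST /_layouts/15/styles/sh.aspx - 198.51.100.7 python-requests/2.21 200
2019-04-02 10:15:33 GET /sites/finance/SitePages/Home.aspx - 10.1.4.22 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Prefixes that ordinary browsers put at the front of their user agent string.
BROWSER_MARKERS = ("mozilla/", "opera/")
# Server-side extensions a dropped webshell would typically use on IIS.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_webshell_candidates(text, min_posts=2, max_clients=2):
    """Return (path, post_count, client_ips, tool_ua_count) for POST-only pages.

    A page that is posted to but never fetched with GET, by very few clients,
    does not behave like an interactive SharePoint page and should be checked
    against the files actually present on the server.
    """
    stats = defaultdict(lambda: {"get": 0, "post": 0, "ips": set(), "tool_ua": 0})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        entry = stats[stem]
        method = rec["cs-method"].upper()
        if method == "GET":
            entry["get"] += 1
        elif method == "POST":
            entry["post"] += 1
            entry["ips"].add(rec["c-ip"])
            if not rec["cs(User-Agent)"].lower().startswith(BROWSER_MARKERS):
                entry["tool_ua"] += 1
    hits = []
    for stem, entry in stats.items():
        if (entry["post"] >= min_posts and entry["get"] == 0
                and len(entry["ips"]) <= max_clients):
            hits.append((stem, entry["post"], sorted(entry["ips"]), entry["tool_ua"]))
    return sorted(hits)


if __name__ == "__main__":
    for stem, posts, ips, tool_ua in find_webshell_candidates(SAMPLE_LOG):
        print(f"{stem}: {posts} POSTs from {ips}, {tool_ua} with non-browser agents")
```

The legitimate upload page in the sample is not flagged because a user browsed to it before submitting the form; the placeholder page is, because it was only ever posted to, by a single address, with command-line clients. The thresholds are starting points for a hunt, not a detection rule on their own: confirm a hit by checking the file's creation time and contents on the server and correlating with process creation under the IIS worker process.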

The HyperBro backdoor used in these attacks supports commands to manage files, enumerate logical storage volumes, delete files, upload/download files, list the contents of a folder, run an application, execute commands on shell, take screenshots, run shellcode, kill processes, and list and manage services.

The security researchers also discovered that the group used additional sideloaded payloads in this campaign, though they could not retrieve them as of yet. 

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes. 

Related: Microsoft SharePoint Vulnerability Exploited in the Wild

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
