A previously undocumented Chinese-speaking threat actor is targeting Microsoft Exchange vulnerabilities in an attempt to compromise high-profile victims, Kaspersky reveals.
Tracked as GhostEmperor, the long-running operation focuses on targets in Southeast Asia and uses a formerly unknown Windows kernel-mode rootkit.
GhostEmperor, Kaspersky explains, employs a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism and deploy its rootkit.
During their investigation into the activity, Kaspersky’s security researchers also discovered the use of “a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.”
According to Kaspersky, the toolset emerged as early as July 2020, with the threat actor targeting various entities in Southeast Asia, including governmental organizations and telecom companies.
Kaspersky identified the GhostEmperor cluster of activity while investigating various campaigns targeting Exchange servers.
This year, numerous threat actors targeted a series of Exchange vulnerabilities that Microsoft publicly disclosed in March, with most of the attacks attributed to Chinese adversaries.
The United States and its allies last week officially accused China of these attacks.
According to Kaspersky, however, GhostEmperor is a completely novel adversary, showing no similarities to known threat actors.
“GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” David Emm, security expert at Kaspersky, said.
Related: New Law Will Help Chinese Government Stockpile Zero-Days
Related: China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns
Related: Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws
More from Ionut Arghire
- US, Israel Provide Guidance on Securing Remote Access Software
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
Latest News
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
