Analysts at CrowdStrike have been monitoring PRC-backed hackers targeting private and public sector entities in the United States.
A Chinese hacking group has been observed targeting US organisations in the government, technology, academic, legal, and professional services sectors since at least 2023.
CrowdStrike tracks the group under the name Murky Panda, but the hackers are also known as Silk Typhoon by other security companies.
Analysts believe the group is involved in espionage operations with the aim of gathering sensitive information from its victims.
Murky Panda gains initial access by exploiting n-day and zero-day vulnerabilities in internet-facing appliances, in particular CVE-2023-3519, a vulnerability in Citrix NetScaler ADC and NetScaler Gateway devices.
Like other Chinese threat actors, Murky Panda takes advantage of compromised SOHO devices in the target country as their final exit nodes, masking their activity as legitimate traffic to avoid detection and disruption.
“The adversary has used RDP, web shells, and on rare occasions, malware such as CloudedHope to move laterally within and establish persistence on compromised networks,” CrowdStrike said in an August 22 blog post.
“Frequently, they have pivoted to cloud environments, likely to gain access to sensitive information stored in the cloud.”
Once access is gained, Murky Panda utilises a rarely seen tactic to compromise a victim’s cloud environment. The threat actor exploits trusted relationships between its targets and their software-as-a-service providers, likely with the intention of accessing further victims downstream of the initial target environment.
Murky Panda has been observed deploying web shells to maintain persistence, such as the Neo-reGeorg web shell used by several other Chinese threat actors. The hackers also use a relatively uncommon malware family known as CloudedHope, a 64-bit ELF executable written in Golang and designed for Linux systems. CloudedHope has basic remote access functionality along with several anti-analysis and other security measures.
“Organisations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud,” CrowdStrike said.
“China-nexus adversaries such as MURKY PANDA continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally.”
You can read CrowdStrike’s full analysis here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.