Powered by MOMENTUM MEDIA

Unveiling Warp Panda, a speedy new Chinese threat actor targeting VMware environments

China-nexus hacking group observed maintaining long-term access and deploying BRICKSTORM malware on compromised servers.


Security analysts have lifted the lid on a China-linked adversary they’ve been tracking throughout the year, dubbed WARP PANDA by CrowdStrike.

The group has been active since at least 2022, and is focused on compromising VMware vCenter environments at legal, technology, and manufacturing entities in the United States.

“WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments,” CrowdStrike said in a December 5 blog post.


“In addition to BRICKSTORM, WARP PANDA has also deployed JSP web shells and two new implants for ESXi environments – now named Junction and GuestConduit – during their operations.”

Warp Panda gains initial access via internet-facing edge devices before pivoting to vCenter environments, either with valid credentials or by exploiting known vCenter vulnerabilities. Lateral movement is achieved via a privileged vCenter management account and SSH, and the group has also been observed moving data over SFTP (the SSH File Transfer Protocol).

The group uses the BRICKSTORM backdoor to route traffic through vCenter servers and other locations, the Junction implant to act as an HTTP server, and the GuestConduit traffic-tunnelling implant for communication between hypervisors and guest VMs, which Warp Panda creates as needed before shutting them down.

All three are written in Go and appear to be unique to Warp Panda.

“On numerous occasions, CrowdStrike observed WARP PANDA staging data for exfiltration. The adversary used an ESXi-compatible version of 7-Zip to extract and stage data from thin-provisioned snapshots of live ESXi guest VMs,” CrowdStrike said.

“Separately, WARP PANDA leveraged 7-Zip to extract data from VM disks hosted on a non-ESXi Linux-based hypervisor. CrowdStrike Services also found evidence that the adversary used their access to vCenter servers to clone domain controller VMs, likely in an attempt to collect sensitive data such as the Active Directory Domain Services database.”
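A triage heuristic for the two collection behaviours described above, added here as an example (it is not CrowdStrike's tooling or the adversary's code): it scans constructed, simplified ESXi shell.log-style lines for 7-Zip invocations, escalating when the archive touches a snapshot delta disk, and scans constructed vSphere-style clone events for clones whose source VM name matches a domain-controller naming convention. The log formats, the `svc-vcmgmt` account, the VM names and the `DC_NAME` pattern are all assumptions; only the facts that ESXi ships no 7-Zip binary, that snapshot data disks carry `-NNNNNN-delta.vmdk` or `-NNNNNN-sesparse.vmdk` suffixes, and that vSphere emits `VmBeingClonedEvent`/`VmClonedEvent` come from the platform itself.

```python
"""Triage heuristics for WARP PANDA-style staging on ESXi and DC cloning via vCenter.

Added example, not CrowdStrike's or the adversary's code. Log formats below are
constructed and simplified approximations of ESXi shell.log and vSphere events.
"""
import re
from dataclasses import dataclass

# Constructed shell.log-style lines (format approximated; not real telemetry).
SHELL_LOG = """\
2025-11-03T02:14:07Z shell[2101]: [root]: ls /vmfs/volumes/datastore1/FS01
2025-11-03T02:15:41Z shell[2101]: [root]: /tmp/.x/7z a /vmfs/volumes/datastore1/.s/fs01.7z /vmfs/volumes/datastore1/FS01/FS01-000001-sesparse.vmdk
2025-11-03T02:30:12Z shell[2101]: [root]: /tmp/.x/7z x /vmfs/volumes/datastore1/.s/fs01.7z -o/vmfs/volumes/datastore1/.s/out
2025-11-03T03:02:55Z shell[2140]: [root]: esxcli system version get
"""

# Constructed vSphere-style events (fields simplified; account and VM names assumed).
VCENTER_EVENTS = [
    {"time": "2025-11-04T01:02:03Z", "type": "VmBeingClonedEvent",
     "user": "VSPHERE.LOCAL\\svc-vcmgmt", "sourceVm": "DC01", "destVm": "DC01-clone"},
    {"time": "2025-11-04T01:40:00Z", "type": "VmBeingClonedEvent",
     "user": "CORP\\itops", "sourceVm": "WEB03", "destVm": "WEB03-test"},
    {"time": "2025-11-04T01:55:00Z", "type": "VmPoweredOffEvent",
     "user": "VSPHERE.LOCAL\\svc-vcmgmt", "sourceVm": "DC01-clone", "destVm": None},
]

SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
SEVENZIP = re.compile(r"(?:^|/)7z[az]?$")            # 7z, 7za, 7zz binaries
# Snapshot data disks: <vm>-000001-delta.vmdk (VMFS5) or -sesparse.vmdk (VMFS6).
SNAPSHOT_DISK = re.compile(r"-\d{6}(?:-(?:delta|sesparse))?\.vmdk$")
DC_NAME = re.compile(r"(?i)^dc\d*$|domain.?controller")  # assumed naming convention


@dataclass
class Finding:
    time: str
    user: str
    rule: str
    detail: str


def scan_shell_log(text: str) -> list[Finding]:
    """Flag 7-Zip use on an ESXi host; ESXi ships no 7-Zip, so any hit is foreign."""
    findings = []
    for line in text.splitlines():
        m = SHELL_LINE.match(line)
        if not m:
            continue
        argv = m["cmd"].split()
        if not argv or not SEVENZIP.search(argv[0]):
            continue
        snaps = [a for a in argv[1:] if SNAPSHOT_DISK.search(a)]
        rule = "7zip_on_snapshot_disk" if snaps else "7zip_on_esxi"
        findings.append(Finding(m["ts"], m["user"], rule, " ".join(snaps) or m["cmd"]))
    return findings


def scan_clone_events(events: list[dict]) -> list[Finding]:
    """Flag clone tasks whose source VM looks like a domain controller."""
    findings = []
    for ev in events:
        if ev["type"] not in {"VmBeingClonedEvent", "VmClonedEvent"}:
            continue
        if DC_NAME.search(ev.get("sourceVm") or ""):
            findings.append(Finding(ev["time"], ev["user"], "dc_vm_cloned",
                                    f'{ev["sourceVm"]} -> {ev["destVm"]}'))
    return findings


if __name__ == "__main__":
    for f in scan_shell_log(SHELL_LOG) + scan_clone_events(VCENTER_EVENTS):
        print(f"{f.time} {f.rule:24} {f.user:28} {f.detail}")
```

Both rules are deliberately narrow. On a real estate, feed `scan_shell_log` the host's `/var/log/shell.log` (or the syslog stream it forwards) and `scan_clone_events` the output of a vCenter event query, and tune `DC_NAME` to your own naming scheme; a clone of a domain controller by a service account that never otherwise performs clones is the combination worth paging on.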

The group is focused on maintaining long-term access to compromised networks, most likely to collect intelligence in line with the strategic interests of the People’s Republic of China. While its targets are largely North American, it has used one compromised network to conduct what CrowdStrike called “rudimentary reconnaissance” against a government entity in the Asia Pacific region, and has connected to “various cybersecurity blogs and a Mandarin-language GitHub repository”.

CrowdStrike expects Warp Panda’s operations, which are likely backed by what the company calls a “well-resourced organisation”, to continue.

CrowdStrike’s December 5 blog post gives further details of the threat actor and its activity.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
