A recently released report by experts at Palo Alto Networks points out that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been associated with recent attacks targeting two major countries in the Middle East region.
Emissary Panda is a well-known threat actor that has previously been associated with attacks on organizations around the globe, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.
The group is also known for cyber espionage campaigns aimed at gathering information on new-generation weapons, and for surveillance of dissidents and civilian groups.
The group's toolset is not limited to readily available tools: it also uses custom malware, and it updates the off-the-shelf tools it relies on to improve its results.
As reported by the experts at Palo Alto Networks, in April 2019 the group targeted organizations in two different countries in the Middle East, exploiting the CVE-2019-0604 vulnerability to compromise SharePoint servers and install webshells on them.
Security researchers indicate that once the network was compromised, the attackers uploaded a variety of tools to perform additional activities, including dumping credentials and locating and pivoting to additional systems on the network. The attackers also used tools to scan the network for systems vulnerable to CVE-2017-0144, the flaw exploited by the NSA-linked EternalBlue exploit.
Analysis of the attacks shows that they exploited CVE-2019-0604, as also reported by the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security.
As per the report released by Palo Alto Networks, “the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group.”
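One defensive check that follows from the report's finding of China Chopper on SharePoint servers is to sweep the IIS web root for one-line ASPX webshells, i.e. server-side pages that pass request-supplied data straight into eval. The following is an added example, not code from the article or from Palo Alto Networks; the signature patterns and the constructed sample files are assumptions based on public descriptions of such shells, not indicators from the report.

```python
"""Scan a SharePoint/IIS web root for China Chopper-style ASPX webshells."""
import os
import re
import tempfile
import time

# Assumed signatures: a server-side eval() fed from the HTTP request, which is
# the defining trait of one-line ASPX shells. Tune for your environment.
WEBSHELL_PATTERNS = [
    re.compile(rb'eval\s*\(\s*Request\.(Item|Form|QueryString|Params)\b', re.I),
    re.compile(rb'eval\s*\(\s*Request\s*\[', re.I),
]
WEB_EXTENSIONS = {'.aspx', '.ashx', '.asmx'}

def scan_file(path):
    """Return indices of WEBSHELL_PATTERNS that match the file (empty = clean)."""
    with open(path, 'rb') as fh:
        data = fh.read(1024 * 1024)  # shells are tiny; cap the read size
    return [i for i, pat in enumerate(WEBSHELL_PATTERNS) if pat.search(data)]

def scan_webroot(root, recent_days=30):
    """Walk root; return (relative path, match count, modified recently?) per hit."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                recent = os.path.getmtime(path) >= cutoff
                findings.append((os.path.relpath(path, root), len(hits), recent))
    return findings

def demo():
    """Build a constructed web root: one benign page, one suspicious page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, '_layouts', '15'))
    with open(os.path.join(root, 'default.aspx'), 'w') as fh:
        fh.write('<%@ Page Language="C#" %><html><body>Hello</body></html>')
    # Constructed sample containing only the eval-of-request fragment the
    # signatures look for; it is not a functioning page.
    with open(os.path.join(root, '_layouts', '15', 'error2.aspx'), 'w') as fh:
        fh.write('<% eval(Request.Item["x"]); %>')
    return scan_webroot(root)
```

Run scan_webroot against the real web root (for example the IIS inetpub and SharePoint LAYOUTS directories) and treat any hit, especially a recently modified one, as a lead for further forensic review rather than a verdict.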
According to the researchers' findings, the threat actors used webshells to upload 24 unique executables to three SharePoint servers hosted by two different government organizations between April 1 and April 16. The same tools were observed on all three webshells, linking the activity to the same attacker. The most recent recorded activity was on April 16, 2019.
The tools identified include legitimate applications such as cURL, post-exploitation tools such as Mimikatz, tools to scan for and exploit potential vulnerabilities in the target network, and custom backdoors such as HyperBro, which Emissary Panda has used before, making the group the strongest suspect in these attacks.