One Article Review

Source: RiskIQ
Identifier: 8571332
Publication date: 2024-09-06 14:59:38 (seen: 2024-09-06 15:18:15)
Title: Tropic Trooper spies on government entities in the Middle East
Text:

#### Targeted Geolocations
- Malaysia
- Middle East

#### Targeted Industries
- Government Agencies & Services

## Snapshot
Researchers at SecureList by Kaspersky released a report on the recent activities of Tropic Trooper.

## Description
Tropic Trooper, also known as KeyBoy and Pirate Panda, is an advanced persistent threat (APT) group that has been active since 2011. Historically, it has targeted sectors such as government, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong. In 2024 the group shifted focus to a government entity in the Middle East, specifically one involved in human rights studies, suggesting a new strategic direction.

This intrusion was first noticed in June 2024, when a modified variant of the China Chopper web shell was detected on a public server running Umbraco CMS. The web shell was deployed as a .NET module within the CMS, allowing the group to execute commands and maintain persistence. SecureList observed exploitation attempts of several older CVEs in Microsoft Exchange ([CVE-2021-34473](https://security.microsoft.com/intel-profiles/CVE-2021-34473), [CVE-2021-34523](https://security.microsoft.com/intel-explorer/cves/CVE-2021-34523/), and [CVE-2021-31207](https://security.microsoft.com/intel-profiles/CVE-2021-31207)) and one in Adobe ColdFusion ([CVE-2023-26360](https://security.microsoft.com/intel-explorer/cves/CVE-2023-26360/)), making the company moderately confident that these web shells were delivered by exploiting unpatched vulnerabilities.

Further investigation revealed multiple malware sets on the compromised server, including post-exploitation tools such as Fscan, Swor, and Neo-reGeorg, which were likely used for network scanning, lateral movement, and evading security controls. In addition, new DLL search-order hijacking techniques were identified, involving malicious DLLs such as the Crowdoor loader. This loader was used to execute CobaltStrike payloads and maintain persistence. When the initial Crowdoor loader was blocked, the attackers deployed a new variant with similar capabilities.

The activity was confidently attributed by SecureList to Tropic Trooper, based on overlaps with previous campaigns, including the use of specific tools and tactics. The tools and malware used were mainly open source, maintained by Chinese-speaking developers, and consistent with Tropic Trooper's modus operandi. This campaign underscores Tropic Trooper's evolving tactics and its continued focus on espionage against government entities.

## Microsoft Analysis
ProxyShell is a set of three Microsoft Exchange vulnerabilities discovered by security researcher Orange Tsai and disclosed at the Black Hat security conference and via the [Zero Day Initiative blog](https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell). Chaining these vulnerabilities can result in unauthenticated arbitrary remote code execution on a device running Microsoft Exchange Server, and individual use of CVE-2021-31207 can lead to post-authentication arbitrary code execution.

## Recommendations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Apply the [latest Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/bg-p/Exchange) for Microsoft Exchange Server. This update includes the fixes for all three vulnerabilities in this report.
- Initiate containment and mitigation: identify the credentials used on the affected endpoint and consider all associated accounts compromised. Reset passwords or decommission the accounts. Stop suspicious processes and isolate affected devices. Block communication with relevant URLs or IPs at the organization's perimeter. Investigate the device timeline for indications of lateral movement, credential access, and other attack activities.
- Check for possible
Rating: ★★★
Tags: Malware, Tool, Vulnerability, Threat, Studies, Medical, Conference


The article does not appear to have been republished after its publication.

The article does not appear to be a repeat of an earlier one.