One Article Review

Home - The article:
Source RiskIQ
Identifier 8614334
Publication date 2024-11-19 21:54:53 (viewed: 2024-11-19 22:08:35)
Title Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
Text

#### Targeted Geolocations
- Japan
- India
- Taiwan

#### Targeted Industries
- Government Agencies & Services
- Information Technology
- Transportation Systems
- Aviation
- Education

## Snapshot
Trend Micro has released a report detailing the activities of Earth Kasha, a cyberespionage group known for leveraging the LODEINFO malware, primarily targeting entities in Japan. While some researchers suggest a connection to APT10, Trend Micro considers Earth Kasha a distinct entity within the "APT10 Umbrella," a term denoting groups linked to APT10's operational methods. This distinction arises from shared tactics and malware but insufficient direct evidence to conflate the two groups entirely. APT10 is tracked by Microsoft as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745?tab=description&).

## Description
Since early 2023, Earth Kasha has expanded its operations beyond Japan to include high-profile targets in Taiwan and India, focusing on government agencies and advanced technology industries. Their recent campaigns exhibit a strategic evolution, using vulnerabilities in public-facing enterprise applications, such as FortiOS/FortiProxy and Array AG, to gain initial access. Post-exploitation activities emphasize persistence, lateral movement, and credential theft, deploying backdoors like LODEINFO, NOOPDOOR, and the Cobalt Strike framework. The LODEINFO malware, central to Earth Kasha's campaigns, has undergone continuous development, with new versions observed in recent attacks. This malware is used alongside tools like MirrorStealer, which extracts credentials from browsers and email clients, and NOOPDOOR, a sophisticated backdoor with advanced evasion techniques. These tools enable extensive data theft and infiltration of victim networks.

Comparative analysis highlights overlaps between Earth Kasha and other APT10-associated campaigns, particularly in tactics like exploiting SSL-VPN vulnerabilities and abusing legitimate tools for credential harvesting. However, toolsets differ, suggesting operational independence while potentially sharing resources or operators. Trend Micro's medium-confidence attribution of Earth Kasha underscores its ties to the broader APT10 network but stops short of confirming direct control. The group's distinct operational focus and adaptive methods indicate a specialized role within this cyber threat ecosystem. These findings highlight the complexity of attribution in modern cyber warfare and the evolving capabilities of threat actors like Earth Kasha.

## Microsoft Analysis and Additional OSINT Context
The threat actor Microsoft tracks as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745?tab=description&) is a long-running, targeted activity group which has had success in compromising targets from as early as 2009. This activity group has targeted various government entities and industry sectors such as engineering, critical manufacturing, communications infrastructure, and defense. Most of its activity has been spread across a wide geographic area; however, localized targeting using specific malware families has been observed, which suggests possible subgroups are contained within the wider Purple Typhoon group.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so tha
Notes ★★
Sent Yes
Tags Malware Tool Vulnerability Threat Prediction
Stories APT 10


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of a previous one.