Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

Mustang Panda Hackers Target European Foreign Affairs with TP-Link Router Exploit

On May 16, 2023, it was reported that the Chinese state-sponsored hacking group, known as Mustang Panda, has orchestrated a series of sophisticated and targeted attacks against European foreign affairs organizations since January 2023. This alarming development highlights the increasing sophistication of cyber threats emanating from this nation-state actor.

Recent analysis by cybersecurity researchers Itay Cohen and Radoslaw Madej from Check Point has revealed that these attacks involve the deployment of a custom firmware implant designed for TP-Link routers. The implant contains several malicious components, one of which is a backdoor referred to as ‘Horse Shell.’ This backdoor allows attackers to maintain persistent access to compromised networks, facilitate lateral movement, and establish anonymous infrastructure, thereby expanding their control over target systems. Importantly, the implant is firmware-agnostic by design, so its components can be integrated into router firmware from different vendors.
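Because the implant described above is delivered as modified router firmware with extra components added to the image, one practical defensive check is to hash every file in an extracted firmware root filesystem and compare the result against a manifest taken from the vendor's known-good build. The following script is an added example written for this page, not Check Point's tooling or TP-Link's own code. The file contents, paths and the name `extra_daemon` are constructed placeholders; a real run would walk an extracted firmware tree instead of using inline bytes.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample contents of a known-good firmware root filesystem (the
# baseline) and of an image pulled from a device under review.  Real usage
# would walk the extracted filesystem and hash every regular file; inline
# bytes are used here so the example runs offline.
BASELINE_FILES = {
    "/bin/busybox": b"busybox-build-1",
    "/etc/init.d/rcS": b"#!/bin/sh\n/usr/bin/httpd &\n",
    "/usr/bin/httpd": b"httpd-build-1",
}
OBSERVED_FILES = {
    "/bin/busybox": b"busybox-build-1",
    # Startup script altered to launch an additional program at boot (constructed).
    "/etc/init.d/rcS": b"#!/bin/sh\n/usr/bin/httpd &\n/usr/bin/extra_daemon &\n",
    "/usr/bin/httpd": b"httpd-build-1",
    # Binary that does not exist in the vendor build (constructed placeholder name).
    "/usr/bin/extra_daemon": b"unexpected-binary",
}

# Paths whose modification indicates a change to what runs at boot, i.e. a
# persistence mechanism rather than a benign data file.
STARTUP_PREFIXES = ("/etc/init.d/", "/etc/rc.d/", "/etc/inittab")


def build_manifest(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


@dataclass
class DriftReport:
    added: list = field(default_factory=list)      # present only on the device
    removed: list = field(default_factory=list)    # present only in the baseline
    modified: list = field(default_factory=list)   # same path, different hash
    persistence_hits: list = field(default_factory=list)  # startup files that changed

    def clean(self):
        return not (self.added or self.removed or self.modified)


def compare_manifests(baseline, observed):
    """Diff two path->sha256 manifests and flag startup-file changes."""
    report = DriftReport()
    for path in sorted(set(baseline) | set(observed)):
        if path not in baseline:
            report.added.append(path)
        elif path not in observed:
            report.removed.append(path)
        elif baseline[path] != observed[path]:
            report.modified.append(path)
    # Added or modified files under startup directories are the strongest
    # signal that the image was altered to run something extra at boot.
    for path in report.added + report.modified:
        if path.startswith(STARTUP_PREFIXES):
            report.persistence_hits.append(path)
    return report


def audit(baseline_files=BASELINE_FILES, observed_files=OBSERVED_FILES):
    """Convenience wrapper: hash both trees and return the drift report."""
    return compare_manifests(build_manifest(baseline_files), build_manifest(observed_files))


if __name__ == "__main__":
    r = audit()
    print("clean:", r.clean())
    print("added:", r.added)
    print("removed:", r.removed)
    print("modified:", r.modified)
    print("startup changes:", r.persistence_hits)
```

The baseline manifest should be generated from an image downloaded directly from the vendor and stored separately from the devices it describes; comparing a device against itself only shows that nothing changed since the last check, not that the firmware was ever trustworthy.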

Mustang Panda has been operating under various aliases, including Camaro Dragon, BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. These multiple names reflect the group’s extensive history and evolving tactics in the realm of cybersecurity threats.

The targets of these recent attacks have primarily been entities involved in foreign affairs across Europe, a concerning focus given the geopolitical tensions and the sensitive nature of the information handled by these organizations. Such targeting raises significant alarm bells regarding the potential for information theft and geopolitical espionage.

From an operational perspective, the tactics used by Mustang Panda can be mapped onto the MITRE ATT&CK framework, particularly in the areas of initial access, persistence, and lateral movement. The ‘Horse Shell’ backdoor illustrates a clear strategy for establishing persistence once access is gained, while its lateral movement capability indicates a methodical approach to moving deeper into the compromised network.

The implications of these developments are significant for business owners, particularly those whose organizations may share data or engage in partnerships with foreign affairs entities. As Mustang Panda demonstrates a consistent pattern of exploiting vulnerabilities in widely used hardware, the risks extend beyond the immediate targets to anyone connected to these networks.

In summary, the tactics employed by Mustang Panda are a reminder that cybersecurity vigilance is essential in an interconnected world. Organizations must prioritize robust security measures, including the integrity of network edge devices such as routers, to safeguard their networks against intrusions of this kind.