Chinese Hackers Utilize CloudScout Toolset to Harvest Session Cookies from Cloud Services

Oct 28, 2024
Cloud Security / Cyber Attack

A Taiwan-based government entity and a religious organization have fallen victim to the China-linked threat actor known as Evasive Panda. This group employed an undocumented post-compromise toolset called CloudScout. According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud services by exploiting stolen web session cookies.” Integrated through a plugin, CloudScout operates in conjunction with MgBot, Evasive Panda’s primary malware framework. The .NET-based malware was detected between May 2022 and February 2023 and comprises 10 C# modules, three of which are specifically designed to steal data from Google Drive, Gmail, and Outlook, while the functions of the remaining modules are still unknown. Evasive Panda, also referred to as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a history of targeting various entities.

Chinese Hackers Exploit CloudScout Toolset to Steal Session Cookies from Cloud Services

On October 28, 2024, ESET published research on the cyber operations of a China-linked threat actor known as Evasive Panda. The group targeted a government entity and a religious organization in Taiwan, deploying a previously undocumented post-compromise toolset identified as CloudScout. According to ESET security researcher Anh Ho, the toolset extracts data from cloud services by presenting stolen web session cookies, so it never needs the victim's password or a second factor: the cookie is the proof that a login has already happened.

CloudScout is delivered as a plugin for MgBot, the signature malware framework associated with Evasive Panda. Because it runs on a machine where MgBot already has a foothold and the user is already signed in, the plugin only has to read cookies from the local browser session and replay them against the cloud provider. ESET's analysis indicates that this .NET-based tool was in use between May 2022 and February 2023 and consists of ten modules written in C#. Three of the modules are explicitly built to collect data from Google Drive, Gmail, and Outlook; the purpose of the remaining seven has not been established.

Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a long-running cyber espionage group. Its documented history shows a consistent pattern of targeting organizations of strategic interest, and the choice of a government body and a religious organization in Taiwan fits that intelligence-collection profile.

In MITRE ATT&CK terms, the behavior the report actually describes is Steal Web Session Cookie (T1539) followed by Use Alternate Authentication Material: Web Session Cookie (T1550.004), with the collection modules mapping to Email Collection (T1114) for Gmail and Outlook and Data from Cloud Storage (T1530) for Google Drive. The report as summarized here does not say how initial access was obtained, and it describes no privilege escalation; CloudScout does not need either, since it runs post-compromise under the victim's own account and rides sessions the victim has already authenticated. Persistence belongs to the MgBot framework that loads it rather than to CloudScout itself.
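The detection side of the cookie-replay technique described above, as an added example that is not part of the original article and is not ESET's or the malware's code: it scans constructed access-log lines (the log format and the field names `sid=`, `ip=`, `ua=` and `path=` are assumptions made for this example) and raises an alert when a session cookie that was first used by one client fingerprint is presented from a different one shortly afterwards. A user rarely changes IP address and browser in the same session; an attacker replaying a stolen cookie from their own infrastructure almost always does.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample access-log lines for this example (not real telemetry).
# Field names are assumptions: sid=<session cookie value>, ip=<client IP>,
# ua=<user agent>, path=<requested resource>.
SAMPLE_LOG = """\
2024-10-28T09:00:00Z sid=7f3a9c01 ip=203.0.113.10 ua=Chrome/129 path=/mail/inbox
2024-10-28T09:02:15Z sid=7f3a9c01 ip=203.0.113.10 ua=Chrome/129 path=/mail/search
2024-10-28T09:05:40Z sid=7f3a9c01 ip=198.51.100.77 ua=python-requests/2.32 path=/mail/export
2024-10-28T09:06:10Z sid=7f3a9c01 ip=198.51.100.77 ua=python-requests/2.32 path=/drive/files
2024-10-28T09:07:00Z sid=c4d5e6f7 ip=203.0.113.22 ua=Firefox/131 path=/drive/files
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; reject anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def sid_fingerprint(sid):
    """Never carry raw cookie values into alerts or tickets: a truncated hash
    is enough to correlate events without re-exposing the credential."""
    return hashlib.sha256(sid.encode()).hexdigest()[:12]


def find_replayed_sessions(log_text, window_minutes=30):
    """Return one alert per session ID that is presented from a client
    fingerprint (IP, user agent) different from the one that first used it,
    within window_minutes of that first use."""
    first_seen = {}   # sid -> (first timestamp, first fingerprint)
    alerted = set()   # sids already reported, so each session alerts once
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        sid = rec["sid"]
        fp = (rec["ip"], rec["ua"])
        if sid not in first_seen:
            first_seen[sid] = (rec["ts"], fp)
            continue
        t0, fp0 = first_seen[sid]
        age_minutes = (rec["ts"] - t0).total_seconds() / 60
        if fp != fp0 and age_minutes <= window_minutes and sid not in alerted:
            alerted.add(sid)
            alerts.append({
                "session": sid_fingerprint(sid),
                "original_client": fp0,
                "replaying_client": fp,
                "first_use": t0.isoformat(),
                "replay_at": rec["ts"].isoformat(),
                "path": rec["path"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

Running the block prints a single alert: session `7f3a9c01` (reported as its hash) first used from `203.0.113.10` with a Chrome user agent, then replayed from `198.51.100.77` with a scripted client against an export endpoint. Tune the rule before deploying it: IP changes alone are routine for mobile and VPN users, so the stronger signals are a new user agent, a bulk-download or export path, or a source address that belongs to no known corporate egress. Real cloud providers expose this information through their own audit logs rather than raw cookie values, and the response to a confirmed hit is to revoke every session for the account, not just the one that tripped the rule.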

The security-relevant point of this campaign is that a stolen session cookie bypasses both the password and any multi-factor prompt, because the cookie is issued only after those checks have already passed. Controls that stop at the login screen therefore do nothing against CloudScout; what matters is preventing or detecting the endpoint compromise that lets MgBot read the browser's cookie store, keeping session lifetimes short so a stolen cookie expires quickly, and being able to revoke every active session for an account the moment it is suspected of being compromised.

For defenders of organizations that rely on Google Workspace or Microsoft 365, the practical follow-up is to review the provider's audit logs for sessions used from unexpected client software or locations, and to treat any confirmed cookie theft as a full account compromise rather than a single-session event.
