Ethical Hacking News

A Slew of Sophistication: Chinese Hackers Leverage CloudScout Toolset to Steal Session Cookies from Cloud Services



Chinese hackers have been using a toolset codenamed CloudScout to steal session cookies from cloud services, leaving experts to wonder about the implications of this malicious activity. This sophisticated attack highlights the ongoing cat-and-mouse game between hackers and cybersecurity professionals, emphasizing the need for organizations to remain vigilant in the face of emerging threats.

  • The Evasive Panda group's CloudScout toolset has been used to steal session cookies from cloud services.
  • The toolset, implemented as an extension to the MgBot malware framework, has 10 modules written in C#.
  • Three modules steal data from Google Drive, Gmail and Outlook; the purpose of the remaining seven modules is unknown.
  • CloudScout hijacks authenticated sessions by stealing cookies and using them to gain unauthorized access to cloud-based services.
  • The discovery is significant in light of the security mechanisms Google recently introduced to defeat cookie-theft malware.
  • The incident highlights the ongoing cat-and-mouse game between hackers and cybersecurity professionals.



Chinese hackers have again drawn the attention of the cybersecurity world. According to a recent report by ESET security researcher Anh Ho, a group of Chinese hackers known as Evasive Panda has been using a toolset codenamed CloudScout to steal session cookies from cloud services. This activity has significant implications for the security of cloud-based applications and services.

Use of the CloudScout toolset was detected between May 2022 and February 2023. It incorporates 10 different modules written in C#. Three of these modules are specifically designed to steal data from Google Drive, Gmail and Outlook; the purpose of the remaining seven modules remains unknown, leaving experts to speculate about their potential uses.

CloudScout is implemented as an extension to MgBot, a malware framework used by Evasive Panda. This framework has been linked to numerous cyber espionage operations targeting entities across Taiwan and Hong Kong. The group's use of initial access vectors such as newly disclosed security flaws and DNS poisoning to breach victim networks and deploy MgBot and Nightdoor further highlights its sophistication.

At its core, CloudScout is designed to hijack authenticated sessions in web browsers by stealing cookies and using them to gain unauthorized access to cloud-based services. Each module is deployed through an MgBot plugin programmed in C++. The CommonUtilities package provides all the low-level libraries the modules need to run, giving the developers more flexibility and control over the inner workings of their implant.

This custom-implemented library includes several key components: HTTPAccess, which handles HTTP communications; ManagedCookie, which manages cookies for web requests between CloudScout and the targeted services; Logger, which logs system activity; and SimpleJSON, which processes JSON data. The information gathered by these modules is compressed into a ZIP archive for subsequent exfiltration by either MgBot or Nightdoor.

The implications of this discovery are significant, particularly in light of security mechanisms recently introduced by Google such as Device Bound Session Credentials (DBSC) and App-Bound Encryption. These measures are designed to render cookie-theft malware obsolete, because a session bound to a key held on the device cannot be replayed from another machine by copying the cookie alone. The use of CloudScout highlights the ongoing cat-and-mouse game between hackers and cybersecurity professionals.
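The following added example (not code from the article, from ESET, or from Google) models why a device-bound session defeats cookie replay while a classic bearer cookie does not. It is a simplified stand-in for DBSC: the binding proof uses an HMAC with a secret that the server also knows, whereas real DBSC registers only a public key and the device signs with the private key; the class and function names are invented for illustration.

```python
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """Server side: maps a session cookie to its user and (optional) binding key."""

    def __init__(self):
        self.sessions = {}  # cookie -> {"user": ..., "bind_key": bytes or None}

    def login(self, user, device_bind_key=None):
        cookie = secrets.token_hex(16)
        # Real DBSC would store a public key here; the HMAC stand-in stores the secret.
        self.sessions[cookie] = {"user": user, "bind_key": device_bind_key}
        return cookie

    def challenge(self):
        return secrets.token_hex(8)  # fresh per request, so old proofs cannot be replayed

    def authorize(self, cookie, challenge=None, proof=None):
        s = self.sessions.get(cookie)
        if s is None:
            return None
        if s["bind_key"] is None:
            return s["user"]  # legacy bearer cookie: possession alone is enough
        expected = hmac.new(s["bind_key"], challenge.encode(), hashlib.sha256).hexdigest()
        if proof is not None and hmac.compare_digest(expected, proof):
            return s["user"]
        return None  # cookie without a valid device proof is rejected


class Device:
    """Client side: the binding key is generated on the device and never exported."""

    def __init__(self):
        self.bind_key = os.urandom(32)

    def prove(self, challenge):
        return hmac.new(self.bind_key, challenge.encode(), hashlib.sha256).hexdigest()


def demo():
    store = SessionStore()
    legacy = store.login("alice")                       # unbound session
    replay_ok = store.authorize(legacy) == "alice"      # stolen cookie works: True
    dev = Device()
    bound = store.login("bob", dev.bind_key)            # device-bound session
    ch = store.challenge()
    legit_ok = store.authorize(bound, ch, dev.prove(ch)) == "bob"       # True
    thief_ok = store.authorize(bound, ch, None) == "bob"                # False
    wrong_key = store.authorize(bound, ch, Device().prove(ch)) == "bob"  # False
    return replay_ok, legit_ok, thief_ok, wrong_key
```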

Furthermore, this incident is part of a larger trend of state-sponsored threat actors expanding their operations into new territories. The Government of Canada has recently accused a "sophisticated state-sponsored threat actor" from China of conducting broad reconnaissance efforts spanning several months against numerous domains in Canada. The incident is a reminder that the cybersecurity landscape is constantly evolving and that organizations must remain vigilant against emerging threats.

In conclusion, Evasive Panda's use of the CloudScout toolset highlights the sophistication and complexity of modern cyber espionage operations. As cybersecurity professionals and organizations continue to adapt to these threats, it is essential to stay informed about emerging trends and technologies in order to defend against sophisticated attacks and protect sensitive data.



Related Information:

  • https://thehackernews.com/2024/10/chinese-hackers-use-cloudscout-toolset.html
  • https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/
  • https://thehackernews.com/2023/04/chinese-hackers-using-mgbot-malware-to.html


Published: Mon Oct 28 12:54:37 2024 by llama3.2 3B Q4_K_M