Ethical Hacking News
A highly sophisticated Chinese cyber espionage group known as Earth Estries has been linked to a series of attacks targeting telecommunications companies in more than a dozen countries. The group uses an arsenal of advanced malware tools, including the previously undocumented GHOSTSPIDER backdoor, to breach networks and conduct sustained cyber espionage. With its sophistication and reach, Earth Estries represents a significant threat to organizations worldwide and is a reminder that no security posture can be treated as final.
Earth Estries, a new cyber espionage group, has emerged with sophisticated malware tools used to breach telecommunications companies in more than a dozen countries. The group is estimated to have compromised more than 20 entities across various industries, including government agencies and non-profit organizations. The GHOSTSPIDER backdoor is one of its notable tools, providing long-term access to compromised networks over a custom protocol protected by Transport Layer Security (TLS). The group operates with a high level of sophistication, using various methods to build operational networks that conceal its espionage activity. Earth Estries is well organized, with different actors launching attacks against different regions and industries, which highlights the complexity of its operations.
In recent months, a new and formidable player has emerged on the global stage of cyber espionage, leaving a trail of compromised networks and unsuspecting victims in its wake. Dubbed Earth Estries by cybersecurity experts, this highly organized and sophisticated threat actor is believed to have been active since at least 2020, utilizing an arsenal of advanced malware tools to breach telecommunications companies across over a dozen countries.
According to a report from The Washington Post, the hacking group is estimated to have successfully compromised more than 20 entities spanning various industries, including telecommunications, technology, consulting, chemical, and transportation sectors. The scope of their operations is staggering, with identified victims ranging from government agencies to non-profit organizations in Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam.
One of the most notable tools in Earth Estries' malware portfolio is the GHOSTSPIDER backdoor, a previously undocumented piece of software that allows the threat actor to establish long-term access to compromised networks. The implant communicates with attacker-controlled infrastructure over a custom protocol wrapped in Transport Layer Security (TLS), so its command-and-control traffic is encrypted in transit and difficult for security researchers to detect.
GHOSTSPIDER's infection flow begins with the exploitation of N-day security flaws (publicly known vulnerabilities for which patches already exist) in various software products, including Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange Server. Once inside, the threat actor deploys custom malware such as Deed RAT, Demodex, and GHOSTSPIDER to conduct sustained cyber espionage.
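Because the backdoor's traffic is encrypted, defenders generally cannot rely on payload inspection and instead look at connection metadata: an implant that phones home on a timer produces evenly spaced TLS sessions to a destination few other hosts contact. The script below is an added example written for this article; it is not code from the original page, from Trend Micro, or from any vendor named here. It assumes Zeek-style tab-separated connection records (timestamp, source host, destination host, destination port, service) and runs over constructed sample lines, not real traffic.

```python
"""Flag periodic (beacon-like) TLS sessions in connection-log metadata.

Added example, not from the original article. Assumes a simplified
Zeek-style conn log: tab-separated ts, id.orig_h, id.resp_h, id.resp_p,
service. All sample data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (RFC 5737 documentation addresses, not real
# infrastructure): 10.0.0.5 contacts 203.0.113.10:443 roughly every 600 s
# with small jitter; the other hosts show ordinary, irregular browsing.
SAMPLE_CONN_LOG = """\
1732600000.0\t10.0.0.5\t203.0.113.10\t443\tssl
1732600010.0\t10.0.0.7\t198.51.100.20\t443\tssl
1732600605.0\t10.0.0.5\t203.0.113.10\t443\tssl
1732600650.0\t10.0.0.9\t198.51.100.20\t443\tssl
1732601198.0\t10.0.0.5\t203.0.113.10\t443\tssl
1732601230.0\t10.0.0.7\t198.51.100.21\t443\tssl
1732601810.0\t10.0.0.5\t203.0.113.10\t443\tssl
1732601900.0\t10.0.0.7\t198.51.100.20\t443\tssl
1732602397.0\t10.0.0.5\t203.0.113.10\t443\tssl
1732602500.0\t10.0.0.9\t198.51.100.22\t53\tdns
"""


def parse_conn_log(text):
    """Parse tab-separated conn lines into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, service = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "service": service})
    return records


def find_beacons(records, min_count=4, max_cv=0.2, rare_dst_max_hosts=2):
    """Return TLS flows whose timing is periodic and whose destination is rare.

    Periodicity: coefficient of variation (stdev / mean) of the gaps between
    successive connections is at or below max_cv. Rarity: at most
    rare_dst_max_hosts distinct internal hosts talk to that destination.
    Together these are a triage signal, not proof: legitimate update and
    telemetry agents also beacon, so hits need analyst review.
    """
    by_flow = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for r in records:
        if r["service"] != "ssl":
            continue  # only TLS sessions are in scope here
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
        hosts_per_dst[r["dst"]].add(r["src"])

    findings = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_count:
            continue  # too few sessions to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        n_hosts = len(hosts_per_dst[dst])
        if cv <= max_cv and n_hosts <= rare_dst_max_hosts:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "sessions": len(times),
                             "mean_interval_s": round(avg, 1),
                             "cv": round(cv, 3),
                             "hosts_to_dst": n_hosts})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print("beacon candidate:", hit)
```

The thresholds are deliberately loose defaults; in a real deployment they are tuned per environment, and the rarity check is best computed over the whole fleet rather than a short log excerpt, since a destination that looks rare in ten lines may be a common SaaS endpoint across the organization.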
Security researchers have observed that Earth Estries operates with a high level of sophistication, employing various methods to establish operational networks that effectively conceal their cyber espionage activities. They also noted that different actors within the group launch attacks targeting different regions and industries, further highlighting the complexity of their operations.
"Earth Estries is a well-organized group with a clear division of labor," said researchers Leon M Chang, Theo Chen, Lenart Bermejo, and Ted Lee in a statement. "Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors."
The use of custom protocols protected by TLS, and the deployment of backdoors such as MASOL RAT (also known as Backdr-NQ) on Linux systems belonging to Southeast Asian government networks, further underscore the group's technical capability. The exploitation of widely known flaws in popular software products also shows that even organizations that appear well secured remain exposed.
This latest development serves as a stark reminder that the threat landscape is constantly evolving and that no organization can afford to become complacent when it comes to cybersecurity. As Earth Estries continues to evolve and adapt its tactics, it is essential for companies and governments around the world to take proactive measures to bolster their defenses against this sophisticated threat actor.
In recent years, Chinese cyber espionage groups have been increasingly active in targeting telecommunications companies across Asia-Pacific. Recent attacks by threat actors such as Granite Typhoon and Liminal Panda highlight a significant maturation of China's cyber program, which has shifted from isolated attacks to bulk data collection and longer-term targeting of Managed Service Providers (MSPs), Internet Service Providers (ISPs), and platform providers.
Cybersecurity firm CrowdStrike noted that the recent attacks by Earth Estries underscore this trend. "The fact that Earth Estries is using a sophisticated backdoor like GHOSTSPIDER to breach networks highlights a significant maturation of China's cyber program," said a spokesperson for CrowdStrike. "This represents a new level of sophistication and a more concerted effort to infiltrate and monitor sensitive targets."
In light of this, it is essential for organizations worldwide to prioritize their cybersecurity posture by implementing robust defenses against advanced threat actors such as Earth Estries.
Related Information:
https://thehackernews.com/2024/11/chinese-hackers-use-ghostspider-malware.html
https://healsecurity.com/chinese-hackers-use-ghostspider-malware-to-hack-telecoms-across-12-countries/
Published: Tue Nov 26 07:12:03 2024 by llama3.2 3B Q4_K_M