- Chinese hackers found a unique way to target US companies
- The method remained largely hidden until now
- Hackers are mostly interested in espionage, experts claim
A Chinese state-linked threat actor tracked as Murky Panda abuses the trust companies place in their cloud providers to break into businesses, steal sensitive files and maintain persistence for further reconnaissance and espionage.
Security researchers at CrowdStrike have revealed that since 2023 they have seen at least two cases in which Murky Panda used zero-day vulnerabilities to break into SaaS providers' cloud environments.
After breaking in, the group studied the compromised provider's cloud environment and the software it hosted, "which enabled them to utilize their access to this software to move laterally to downstream customers."
Silk Typhoon
So, essentially, this is a third-party (supply-chain) attack carried out through a cloud-based service provider. What sets it apart is the access vector itself: because it is so rarely seen, it is less likely to be caught than the more widely reported ones:
"Due to the rarity of this activity, this initial access vector to a victim's cloud environment remains relatively unmonitored compared to more prominent initial access vectors, such as valid cloud accounts and exploitation of public-facing applications," CrowdStrike explained.
The researchers also said the threat actor has been active since at least 2023 and that its tactics, techniques and procedures (TTPs) overlap with those of Silk Typhoon, a well-known Chinese state-sponsored group. Since attribution is often difficult, the researchers note that Murky Panda may be Silk Typhoon itself, a group collaborating with it, or a copycat.
Whatever it is, it appears to be focused on cyber espionage and intelligence collection. Most of its targets are in government, technology, academia, legal and professional services, primarily in North America.
To break into its initial targets, Murky Panda uses a range of methods and tools. It has been seen exploiting CVE-2023-3519, a known vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway deployments. The flaw is at least two years old and has also been abused by various ransomware actors, so any appliance still running an unpatched build should be treated as exposed.
In other cases, the group has also been seen compromising various small office/home office (SOHO) devices.
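As an added example (not code from the article, from CrowdStrike or from Citrix), the following Python script triages an inventory of NetScaler ADC / Gateway build strings against CVE-2023-3519, the patched-for-years flaw named above. The fixed-build thresholds are as the author of this example recalls them from Citrix's advisory for the CVE and must be verified against the vendor bulletin before being relied on; the host names, the inventory and the `-FIPS`/`-NDcPP` suffix convention for marking special branches are constructed for the example.

```python
"""Flag NetScaler ADC / Gateway builds still exposed to CVE-2023-3519.

Added example; not part of the article or of CrowdStrike's report.
Fixed builds are as recalled from Citrix's advisory for CVE-2023-3519
(an assumption): verify them against the vendor bulletin before use.
"""
import re

# branch -> first build that carries the fix (assumed from the vendor advisory)
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}
# The plain 12.1 branch was end-of-life and never received a fix.
EOL_BRANCHES = {"12.1"}

# Constructed convention: "<major>-<build>.<minor>" with an optional
# "-FIPS" / "-NDcPP" suffix to identify the special branches.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def parse_version(version: str):
    """Return (branch, (build, minor)) for a build string such as '13.1-49.13'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    major, build, minor, variant = m.groups()
    branch = major if variant is None else f"{major}-{variant}"
    return branch, (int(build), int(minor))


def is_vulnerable(version: str) -> bool:
    """True if the build predates the fix (or sits on an unfixed EOL branch)."""
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES:
        return True
    if branch not in FIXED_BUILDS:
        # Unknown branch: refuse to guess rather than report it as safe.
        raise ValueError(f"unknown branch {branch!r}; check the advisory manually")
    return build < FIXED_BUILDS[branch]


def triage(inventory: dict) -> dict:
    """Map each host to a vulnerable/not-vulnerable verdict."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host name -> build string); not real hosts.
INVENTORY = {
    "gw-dc1": "13.1-48.47",        # pre-fix build on 13.1
    "gw-dc2": "13.1-49.13",        # first fixed 13.1 build
    "gw-lab": "13.0-91.13",        # first fixed 13.0 build
    "gw-old": "12.1-65.25",        # EOL branch, never fixed
    "gw-fips": "13.1-37.150-FIPS", # pre-fix FIPS build
}

if __name__ == "__main__":
    for host, vuln in sorted(triage(INVENTORY).items()):
        print(f"{host:8} {INVENTORY[host]:18} {'VULNERABLE' if vuln else 'patched'}")
```

Builds are compared as (build, minor) tuples per branch, so a newer major branch is never mistaken for a patched older one, and a branch the script does not know about raises instead of silently passing; that fail-closed choice matters for a flaw that ransomware crews have been exploiting for two years.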