Severity
High
Analysis Summary
A Chinese-speaking threat actor tracked as APT23 has been conducting a sustained campaign against unidentified government institutions in the Middle East and Malaysia since June 2023.
The discovery of the group's tactics, techniques, and procedures (TTPs) inside prominent Middle Eastern governmental organizations, especially those involved in human rights studies, marks a new strategic step for it. According to the researchers, the activity was identified in June 2024, when a new variant of the China Chopper web shell, a tool used by many Chinese-speaking threat actors for remote access to compromised servers, was found on a public web server running the open-source Umbraco content management system (CMS).
The attack chain was intended to deliver a malware implant called Crowdoor, a variant of the SparrowDoor backdoor first reported in September 2021. In the end, the attempt failed. APT23, also tracked as Tropic Trooper, Earth Centaur, KeyBoy, and Pirate Panda, is known for targeting the high-tech, healthcare, and government sectors in Taiwan, Hong Kong, and the Philippines. The Chinese-speaking collective is assessed to have been active since 2011 and to have strong links to another intrusion set known as FamousSparrow.
The most recent intrusion is noteworthy for packaging the China Chopper web shell as a .NET module of Umbraco CMS. Post-exploitation activity then deploys tools for defense evasion, network scanning, and lateral movement, which are in turn used to launch Crowdoor via DLL side-loading.
Exploitation of public-facing web applications, including Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), is thought to be how the web shells were deployed. First observed in June 2023, Crowdoor serves as a loader for Cobalt Strike and maintains persistence on compromised systems. It also acts as a backdoor that gathers sensitive data, launches a reverse shell, erases other malware files, and terminates itself.
After learning that their backdoors had been detected, the actor attempted to upload newer samples to evade detection, which raised the likelihood that those samples would soon be discovered as well. The intrusion is significant because a Chinese-speaking actor was observed attacking a content management platform that published research on Middle Eastern human rights, with a particular emphasis on the circumstances surrounding the Israel-Hamas conflict. Intrusion analysis showed that this specific content was deliberately targeted, and the attack was directed only at this system.
Impact
- Unauthorized Access
- Security Bypass
- Cyber Espionage
- Sensitive Information Theft
Indicators of Compromise
Domain Name
- techmersion.com
MD5
- 149a9e24dbe347c4af2de8d135aa4b76
- 103e4c2e4ee558d130c8b59bfd66b4fb
- e0d9215f64805e0bff03f4dc796fe52e
- 27c558bd42744cddc9edb3fa597d0510
- fd8382efb0a16225896d584da56c182c
- 1dd03936baf0fe95b7e5b54a9dd4a577
SHA-256
- ea2f8884fee1b5a10a0286c5acfb283a60b97b0a3325508b38900b16255e5589
- 3dd2a588b9e269b780bd7648db581d0e64c92a05588fe72a836c4e48641a826f
- 9ba6c63e29b26174e52a519c1afe7a4401e65485fd6ce6a2d574d910dd1d8d22
- efc0d2c1e05e106c5c36160e17619a494676deb136fb877c6d26f3adf75a5777
- 9dff4c8f403338875d009508c64a0e4d4a5eeac191d7654a7793c823fb8e3018
- 98af7888655b8bcac49b76c074fc08877807ac074fb4e81a6cacfd1566d52f12
SHA-1
- 04c53129625bca1260f98dc09a7299d0c6ccd37d
- 0800d86d6566e984289e2fb691c089628f933fd4
- 69112c87f67dd2a0be79e57323aeb28874d5fb08
- aec942cc4351f194490915c2709bdad45a0212d6
- d0425bd60c524402c3120db41ecaab27374810c0
- 3dd3a4381dc859a0cdf8b5732838efbca1760473
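The following script is an added example (not part of the original advisory) of how a defender might sweep for the indicators listed above. The hash values and the domain are copied from the Indicators of Compromise section; the file hashing runs over any directory you point it at, and the DNS log format and sample lines are constructed for the example, so a real deployment would swap in the parser for its own resolver logs.

```python
import hashlib
from pathlib import Path

# Indicators copied from the advisory's IoC section (lower-case hex digests).
IOC_MD5 = {
    "149a9e24dbe347c4af2de8d135aa4b76", "103e4c2e4ee558d130c8b59bfd66b4fb",
    "e0d9215f64805e0bff03f4dc796fe52e", "27c558bd42744cddc9edb3fa597d0510",
    "fd8382efb0a16225896d584da56c182c", "1dd03936baf0fe95b7e5b54a9dd4a577",
}
IOC_SHA1 = {
    "04c53129625bca1260f98dc09a7299d0c6ccd37d", "0800d86d6566e984289e2fb691c089628f933fd4",
    "69112c87f67dd2a0be79e57323aeb28874d5fb08", "aec942cc4351f194490915c2709bdad45a0212d6",
    "d0425bd60c524402c3120db41ecaab27374810c0", "3dd3a4381dc859a0cdf8b5732838efbca1760473",
}
IOC_SHA256 = {
    "ea2f8884fee1b5a10a0286c5acfb283a60b97b0a3325508b38900b16255e5589",
    "3dd2a588b9e269b780bd7648db581d0e64c92a05588fe72a836c4e48641a826f",
    "9ba6c63e29b26174e52a519c1afe7a4401e65485fd6ce6a2d574d910dd1d8d22",
    "efc0d2c1e05e106c5c36160e17619a494676deb136fb877c6d26f3adf75a5777",
    "9dff4c8f403338875d009508c64a0e4d4a5eeac191d7654a7793c823fb8e3018",
    "98af7888655b8bcac49b76c074fc08877807ac074fb4e81a6cacfd1566d52f12",
}
IOC_DOMAINS = {"techmersion.com"}


def _new_digests():
    return (hashlib.md5(), hashlib.sha1(), hashlib.sha256())


def hash_bytes(data):
    """Return (md5, sha1, sha256) hex digests of an in-memory byte string."""
    digests = _new_digests()
    for d in digests:
        d.update(data)
    return tuple(d.hexdigest() for d in digests)


def hash_file(path):
    """Return (md5, sha1, sha256) of a file, computed in one pass over its bytes."""
    digests = _new_digests()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)


def match_hashes(md5, sha1, sha256):
    """Return the names of the indicator lists the given digests appear in."""
    hits = []
    for name, value, ioc_set in (("md5", md5, IOC_MD5),
                                 ("sha1", sha1, IOC_SHA1),
                                 ("sha256", sha256, IOC_SHA256)):
        if value.lower() in ioc_set:
            hits.append(name)
    return hits


def sweep_directory(root):
    """Hash every regular file under root; return [(path, [matched lists])]."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = match_hashes(*hash_file(path))
            if hits:
                findings.append((str(path), hits))
    return findings


def domain_matches(qname):
    """True if qname is a listed domain or any subdomain of one (case/dot-insensitive)."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns_log(lines):
    """Return (line, matched domain) for each query to a listed domain.

    The log format is constructed for this example: whitespace-separated
    key=value fields, with the queried name under the 'query' key.
    """
    findings = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        qname = fields.get("query", "")
        if qname and domain_matches(qname):
            findings.append((line, qname.lower().rstrip(".")))
    return findings


# Constructed sample resolver log lines, not taken from the advisory.
SAMPLE_DNS_LOG = [
    "2024-06-12T10:15:02Z client=10.0.0.5 query=update.microsoft.com type=A",
    "2024-06-12T10:15:09Z client=10.0.0.5 query=cdn.techmersion.com. type=A",
    "2024-06-12T10:16:44Z client=10.0.0.7 query=techmersion.com type=TXT",
    "2024-06-12T10:17:01Z client=10.0.0.9 query=nottechmersion.com type=A",
]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sweep_directory(root):
        print(f"HASH MATCH {path} ({', '.join(hits)})")
    for line, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS MATCH {domain}: {line}")
```

The domain check deliberately treats subdomains as hits but not look-alike names that merely end in the same characters, so `cdn.techmersion.com` matches while `nottechmersion.com` does not. The three digests are computed in a single read of each file, which matters when sweeping large web roots such as a CMS install.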
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep operating systems and software up to date, since threat actors often exploit known vulnerabilities in unpatched software and operating systems.
- Implement strong password policies and multifactor authentication to make it more difficult for attackers to gain access.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread malware.