TechRadar
Sead Fadilpašić

How much do you trust your cloud? Hackers exploit weakness to target customers - here's what we know

  • Chinese hackers found a unique way to target US firms
  • The method remained largely hidden until now
  • Hackers are mostly interested in espionage, experts claim

Chinese threat actors known as Murky Panda are abusing the trust businesses have in their cloud providers to break into companies, steal sensitive files, and maintain persistence for additional reconnaissance and espionage.

Security researchers at CrowdStrike have revealed that, since 2023, they have seen at least two cases in which Murky Panda exploited zero-day flaws to break into SaaS providers’ cloud environments.

After breaking in, they analyzed their victim’s cloud environment logic, “enabling them to leverage their access to that software to move laterally to downstream customers.”

Silk Typhoon

So, in essence, this is a third-party cyberattack conducted through a cloud-based service provider. However, the method is unusual, and that makes it more successful than other, more widely reported ones:

“Due to the activity’s rarity, this initial access vector to a victim's cloud environment remains relatively undermonitored compared to more prominent initial access vectors such as valid cloud accounts and exploiting public-facing applications,” CrowdStrike explained.

The researchers also said the threat actor has been active since at least 2023, and that its tactics, techniques, and procedures are quite similar to those of Silk Typhoon, a known Chinese state-sponsored group. Since attribution is often tricky, the researchers hint that this could be Silk Typhoon itself, a partnering group, or a copycat.

Whoever it is, it seems to be focused on cyber-espionage and intelligence-gathering. Most of its targets are in government, technology, academia, legal, and professional services, located primarily in North America.

When breaking into their initial targets, Murky Panda uses a variety of methods and tools. They were seen leveraging CVE-2023-3519, a known vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway instances. This flaw is at least two years old and has also been abused in the past by various ransomware actors.

In other cases, they were seen compromising small office/home office (SOHO) devices as well.
