Southeast Asian telecommunications organizations are targeted by state-sponsored threat actors known as CL-STA-0969, promoting remote control over compromised networks.
Palo Alto Networks Unit 42 said it observed multiple incidents in the region between February and November 2024, including those intended for critical communications infrastructure.
Attacks are characterized by using several tools that allow remote access, similar to the deployment of Cordscan, which allows location data from mobile devices.
However, the cybersecurity company said there was no evidence of data removal from the networks and systems it investigated. Nor was there any effort for attackers to track or communicate target devices within the mobile network.
“The threat actors behind CL-STA-0969 have adopted a variety of defense evasion techniques to maintain high operational security (OPSEC) and avoid detection,” said security researchers Renzon Cruz, Nicholas Bereil and Navin Thomas.
CL-STA-0969 per 42 units shares significant overlap with clusters tracked by Cloud Strike. The name Liminal Panda is a Chinese and Nexus spy that is attributed to attacks directed at Chinese and African telecommunications entities.
It is noteworthy that some aspects of Liminal Panda’s products were attributed to another threat actor, previously known as Lightbasin (aka UNC1945).
“This cluster overlaps significantly with Liminal Pandas, but overlaps of attacker tools with other reported groups and activity clusters, such as Lightbasin, UNC3886, UNC2891, and UNC1945, were also observed,” the researchers noted.
In at least one case, CL-STA-0969 is believed to have adopted a brute force attack on the SSH authentication mechanism for initial compromise, leveraging access to drop various implants such as -.
AuthDoor is a malicious pluggable authentication module (PAM) similar to a slapstick (originally attributed to UNC1945), which enforces credentials and provides permanent access to compromised hosts via hard-coded magic password code scans, network scans, and packet capture utilities (previously due to Liminal Panda), and via Malworty, which designed gtpdoor (previously due to Liminal Panda), is an Echobackdoor adjacent to the GPRS roaming exchange, is a passive backdoor that listens to ICMP echo request packets containing commands and commands (C2) instructions. Listen to UDP traffic on port 53 via raw seding a gotdodd nodems a golage aa gotdodns via telecommunications networks, through firewall restrictions (previously due to liminal pandas), Chronosrat, shellcode execution, file operations, keylog, port forwarding, remote shell, screenshot capture, and proxy ability ability nodepdns, and parse incoming commands via DNS messages
“CL-STA-0969 utilized various shell scripts that established reverse SSH tunnels along with other features,” said researchers at Unit 42. “CL-STA-0969 systematically clears and deletes executables when they are no longer needed to maintain advanced OPSEC.”
Achieves programs (CVE-2016-5195, CVE-2021-4034, and CVE21-56) that leverage the flaws of microsock proxy, Fast Reverse Proxy (FRP), FSCAN, Responder, and Proxychains, as well as programs that leverage the flaws of Linux and UNIX-based systems, as well as Linux-2021-4034, and CVE21-56. escalation.
In addition to using a combination of bespoke and published tools, threat actors have been found to employ many strategies to fly under the radar. This includes DNS tunneling for traffic, routing traffic through compromised mobile operators, clearing authentication logs, disabling enhanced security Linux (SELINUX), and impersonating process names with a compelling name that matches the target environment.
“CL-STA-0969 demonstrates a deep understanding of communications protocols and infrastructure,” Unit 42 states. “Its malware, tools and techniques reveal a calculated effort to maintain sustainable, stealth access. This was achieved by proxying traffic through other communication nodes, tunneling data using less skilled protocols, and employing a variety of defense evasion techniques.”
China accuses US institutions of targeting military and research institutions
The disclosure is that the National Computer Network Emergency Response Technical Team/China Coordination Center (CNCERT) accused Microsoft Exchange Zero-Day Exploit of weaponizing its Microsoft Exchange Zero-Day Exploit from July 2022 to July 2023 to weaponizing its Microsoft Exchange Zero-Day Exploit to steal and hijack more than 50 devices belonging to “China’s leading military companies” between July 2022 and July 2023.
The agency also said high-tech military-related universities, scientific research institutes and domestic companies have targeted as part of these attacks to suck up valuable data from compromised hosts. CNCERT allegedly found that Chinese military companies in the communications and satellite internet sector were attacked between July and November 2024 by exploiting vulnerabilities in electronic file systems.
Attribute efforts reflect Western tactics, which have repeatedly denounced major cyberattacks and counted the latest zero-day leverage of Microsoft SharePoint servers.
Asked last month about hacking into the US telecom system and theft of intellectual property on Fox News, President Donald Trump said, “Don’t we think we’ll do that to them? We do a lot. That’s the work of the world. It’s a nasty world.”
Source link
