securityonline.info
URL:
https://securityonline.info/cve-2024-21887-and-more-how-earth-estries-apt-group-exploits-vpns-servers/
Submission: On November 29 via api from IN — Scanned from CA
Cyber Security / Malware / Vulnerability

CVE-2024-21887 and more: How Earth Estries APT group exploits VPNs & servers
by do son · November 26, 2024

[Figure: Campaign Alpha overview | Image: Trend Micro]

In a detailed report from Trend Micro, the Chinese advanced persistent threat (APT) group Earth Estries, also tracked under aliases such as Salt Typhoon and GhostEmperor, has emerged as a significant cyber espionage actor since 2023. Targeting critical sectors such as telecommunications, government entities, and NGOs, the group has left its mark across the US, Asia-Pacific, the Middle East, and Africa. Its operations have also extended to industries including technology, consulting, and transportation, compromising more than 20 organizations worldwide.

Earth Estries employs a mix of sophisticated tools and strategies, including three proprietary backdoors: GHOSTSPIDER, SNAPPYBEE, and MASOL RAT. These tools are typically deployed after exploiting vulnerabilities in public-facing servers, such as those in Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887) and Fortinet FortiClient EMS (CVE-2023-48788), and in Microsoft Exchange servers through the ProxyLogon exploit chain. The backdoors give the group a long-term foothold in the targeted networks.

One of its most notable tools, GHOSTSPIDER, is a modular backdoor designed for stealth and adaptability. It uses a multi-layered architecture, loading different modules depending on the task at hand. The report states, “This backdoor communicates with its C&C server using a custom protocol protected by Transport Layer Security (TLS), ensuring secure communication.”

The group's primary focus has been Southeast Asia, where it has targeted governments and telecommunications companies. A particularly concerning discovery was its use of the DEMODEX rootkit, implanted on vendor machines associated with major telecommunications providers. Compromising the vendor first allowed the group to pivot into the larger networks those vendors serve and to gather sensitive intelligence more effectively.

The overlap between Earth Estries' tactics and those of other Chinese APT groups, such as FamousSparrow and GhostEmperor, suggests the possible use of shared tools sourced from malware-as-a-service (MaaS) providers. For example, SNAPPYBEE, a modular backdoor widely associated with Chinese APTs, has been a recurring tool in Earth Estries' arsenal.

The report emphasizes the difficulty of detecting Earth Estries' activity. The group relies heavily on living-off-the-land binaries (LOLBINs) such as WMIC.exe and PsExec for lateral movement within networks; because both are legitimate administration tools, their use blends into routine activity unless the command lines and the artifacts they leave on the target are examined. Its use of encrypted C&C communication and modular malware further complicates traditional detection methods. As Trend Micro concludes: “Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging. They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.”

For businesses and governments alike, understanding the intricacies of such groups is key to building resilient defenses against cyber-espionage. For the full technical analysis and indicators of compromise, visit Trend Micro's official blog.
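The LOLBIN lateral-movement point above is one a detection engineer can act on directly. The following is an added example, not code from the article or from Trend Micro's report: it hunts for two of the patterns the report names, WMIC.exe invoked with /node: against a remote host, and PsExec launches paired with the PSEXESVC service that PsExec installs on the target. The log lines are constructed for the example, and the JSON field names are an assumed, simplified export of Windows Security 4688 (process creation) and System 7045 (service installed) events; adapt them to your SIEM's schema.

```python
"""Hunt for LOLBIN lateral movement (WMIC.exe /node: and PsExec) in
Windows event logs.

Added example, not code from the article or from Trend Micro. The events
below are constructed, and the field names are an assumed, simplified JSON
export of Security 4688 and System 7045 records.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample events (JSON lines). Lines 2-4 describe lateral
# movement from WS01 to FS02; lines 1 and 5 are benign noise.
SAMPLE_LOG = r'''
{"EventID":4688,"Computer":"WS01","SubjectUserName":"alice","NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic os get caption"}
{"EventID":4688,"Computer":"WS01","SubjectUserName":"svc_backup","NewProcessName":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic /node:\"FS02\" /user:corp\\svc_backup process call create \"cmd.exe /c whoami\""}
{"EventID":4688,"Computer":"WS01","SubjectUserName":"svc_backup","NewProcessName":"C:\\Tools\\PsExec64.exe","CommandLine":"PsExec64.exe \\\\FS02 -s -d cmd.exe /c ipconfig"}
{"EventID":7045,"Computer":"FS02","ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","AccountName":"LocalSystem"}
{"EventID":7045,"Computer":"FS02","ServiceName":"Spooler","ImagePath":"%SystemRoot%\\System32\\spoolsv.exe","AccountName":"LocalSystem"}
'''


@dataclass(frozen=True)
class Finding:
    computer: str  # host that logged the event
    rule: str
    target: str    # remote host named on the command line (the host itself for 7045)
    user: str


# wmic /node:"FS02" ...  or  wmic /node:FS02 ...
NODE_RE = re.compile(r'/node:\s*"?([^"\s,]+)"?', re.IGNORECASE)
# PsExec \\FS02 ... (first UNC-style host argument)
UNC_HOST_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)')
PSEXEC_IMAGE_RE = re.compile(r'psexec(64)?\.exe', re.IGNORECASE)
LOCAL = {"localhost", "127.0.0.1", "."}


def parse_jsonl(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches a lateral-movement rule."""
    findings: list[Finding] = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 4688:
            image = _basename(ev.get("NewProcessName", ""))
            cmd = ev.get("CommandLine", "")
            user = ev.get("SubjectUserName", "?")
            if image == "wmic.exe":
                # Local WMIC queries are routine; only /node: against another host counts.
                m = NODE_RE.search(cmd)
                if m and m.group(1).lower() not in LOCAL:
                    findings.append(Finding(host, "wmic_remote_exec", m.group(1), user))
            elif PSEXEC_IMAGE_RE.fullmatch(image):
                m = UNC_HOST_RE.search(cmd)
                findings.append(Finding(host, "psexec_launch", m.group(1) if m else "?", user))
        elif ev.get("EventID") == 7045:
            # PsExec's default service name on the target is PSEXESVC.
            svc = ev.get("ServiceName", "").upper()
            path = ev.get("ImagePath", "").upper()
            if svc == "PSEXESVC" or "PSEXESVC" in path:
                findings.append(Finding(host, "psexec_service_install", host,
                                        ev.get("AccountName", "?")))
    return findings


def correlate(findings: list[Finding]) -> list[tuple[str, str]]:
    """Pair each PsExec launch toward a target with a PSEXESVC install seen on
    that target. Returns sorted (source, target) pairs."""
    launches: dict[str, set[str]] = {}
    for f in findings:
        if f.rule == "psexec_launch":
            launches.setdefault(f.target.upper(), set()).add(f.computer)
    pairs = set()
    for f in findings:
        if f.rule == "psexec_service_install":
            for src in launches.get(f.computer.upper(), ()):
                pairs.add((src, f.computer))
    return sorted(pairs)


def run_sample() -> tuple[list[Finding], list[tuple[str, str]]]:
    findings = analyze(parse_jsonl(SAMPLE_LOG))
    return findings, correlate(findings)


if __name__ == "__main__":
    found, pairs = run_sample()
    for f in found:
        print(f"{f.computer:6} {f.rule:24} target={f.target} user={f.user}")
    for src, dst in pairs:
        print(f"corroborated lateral movement: {src} -> {dst}")
```

Two caveats for real deployments: 4688 events only carry a CommandLine field when "Include command line in process creation events" is enabled in the audit policy (Sysmon Event ID 1 is the usual alternative), and PsExec's -r switch renames the service it installs, so the 7045 rule should be read as corroboration of a launch rather than as a standalone indicator.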