New APT group "CeranaKeeper" abuses Dropbox and Github
In attacks on Thai authorities, the attackers exfiltrated captured data by uploading encrypted files to file-sharing services.
(Image: created with AI in Bing Designer by heise online / dmk)
Security researchers at Eset have discovered what they describe as a new group of advanced persistent threat (APT) actors. An APT is an organized group that carries out tailored attacks on a chosen target over an extended period of time. Such groups are often attributed to state institutions such as intelligence agencies.
The group, dubbed "CeranaKeeper" by its discoverers, is said to have stolen large amounts of sensitive data from an unnamed government agency in Thailand since mid-2023. Among other things, it used tools from the APT group Mustang Panda, which is believed to be linked to China. Eset therefore also attributes CeranaKeeper to Chinese actors. However, the new attackers developed additional programs of their own, primarily to smuggle the data out of the target's systems as inconspicuously as possible.
Github as C&C
According to the security researchers' detailed description, they used Dropbox and OneDrive, among others, to store the captured data. Eset assumes that these frequently used services were used because they make data traffic less noticeable. The information was encrypted so that the target's administrators were not immediately aware of the exfiltration. Another service that was misused for the attack is Github.
There, a private repository served as a command & control server for the attacks. CeranaKeeper disguised its activities by repeatedly closing new pull requests. Tools written for this purpose were still appearing on Github in February 2024, meaning the attacks continued for at least six months. One of the new tools not used by Mustang Panda is called "BingoShell".
From the domain controller through the network
According to the description, CeranaKeeper first gained access to the foreign network via a single compromised machine. The Eset report does not say how this computer was taken over. The subsequent path through the attacked infrastructure is known, however: the machine carried out brute-force attacks against a domain controller on the network, and once this succeeded the attackers installed the "Toneshell" backdoor, also referred to as "bespoke stagers".
This backdoor can capture credentials, which gave the attackers access to the rest of the network. Toneshell has long been associated with Mustang Panda, so there is a connection to other suspected Chinese actors.
Attacks also possible in Europe
Both APT groups have previously attracted attention primarily in Asia. However, Eset assumes that similar attacks could also take place in other regions, including Europe. The security researchers recommend multi-factor authentication and better monitoring of anomalies in the network to protect against this.
In this case, the anomalies apparently included the brute-force attacks on the domain controller and the transfer of specially encrypted file packages to file-sharing services. The EU Cybersecurity Agency had already warned of increasing activity by Chinese APTs at the beginning of 2023.
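The two anomaly types the article says defenders should watch for (a brute-force run against a domain controller, followed by bulk encrypted uploads to file-sharing services) and the GitHub contact described under "Github as C&C" can be turned into simple log checks. The following is an added example written for this page; it is not code from heise or from Eset's report. All host names, IP addresses, proxy record formats, thresholds and the assumption that an implant polls its repository at a fixed interval are constructed for the illustration. The Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) are real.

```python
"""Added example: detection checks for the anomalies the article names.
Not from heise or Eset; all hosts, IPs, domains, thresholds and log
formats below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs (real values).
LOGON_FAILED, LOGON_SUCCESS = 4625, 4624

# Constructed domain-controller events: (timestamp, event_id, source_ip, account)
DC_EVENTS = [
    ("2023-08-01T02:00:00", 4625, "10.0.0.45", "administrator"),
    ("2023-08-01T02:00:10", 4625, "10.0.0.45", "administrator"),
    ("2023-08-01T02:00:20", 4625, "10.0.0.45", "administrator"),
    ("2023-08-01T02:00:30", 4625, "10.0.0.45", "administrator"),
    ("2023-08-01T02:00:40", 4625, "10.0.0.45", "administrator"),
    ("2023-08-01T02:00:50", 4625, "10.0.0.45", "administrator"),
    ("2023-08-01T02:01:05", 4624, "10.0.0.45", "administrator"),  # success after the burst
    ("2023-08-01T09:15:00", 4625, "10.0.0.12", "jdoe"),           # ordinary typo
    ("2023-08-01T09:15:30", 4624, "10.0.0.12", "jdoe"),
    ("2023-08-01T13:40:00", 4625, "10.0.0.12", "jdoe"),
]

# Constructed web-proxy records: (timestamp, source_host, destination, bytes_sent)
PROXY_LOG = [
    ("2023-08-01T02:30:00", "ws-finance-07", "content.dropboxapi.com", 52_000_000),
    ("2023-08-01T02:31:00", "ws-finance-07", "content.dropboxapi.com", 48_000_000),
    ("2023-08-01T02:32:00", "ws-finance-07", "api.github.com", 1_200),
    ("2023-08-01T02:33:00", "ws-finance-07", "api.github.com", 1_100),
    ("2023-08-01T02:34:00", "ws-finance-07", "api.github.com", 1_300),
    ("2023-08-01T02:35:00", "ws-finance-07", "api.github.com", 1_150),
    ("2023-08-01T10:00:00", "ws-hr-02", "onedrive.live.com", 3_000_000),
    ("2023-08-01T10:05:00", "ws-hr-02", "www.example-news.test", 150_000),
    ("2023-08-01T11:00:00", "ws-dev-11", "github.com", 900_000),
]

# Services the article names as exfiltration / C&C channels (suffix-matched).
CLOUD_SUFFIXES = ("dropbox.com", "dropboxapi.com", "onedrive.live.com", "github.com")


def _ts(s):
    return datetime.fromisoformat(s)


def find_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logons inside any sliding window.
    Returns {source_ip: largest burst size}."""
    failures = defaultdict(list)
    for ts, event_id, src, _account in events:
        if event_id == LOGON_FAILED:
            failures[src].append(_ts(ts))
    bursts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            size = end - start + 1
            if size >= threshold:
                bursts[src] = max(bursts.get(src, 0), size)
    return bursts


def successes_after_burst(events, bursts):
    """Highest-priority subset: bursting sources that logged on successfully
    after their first failure, i.e. the brute force most likely worked."""
    first_failure = {}
    for ts, event_id, src, _account in events:
        if event_id == LOGON_FAILED and src in bursts:
            first_failure[src] = min(first_failure.get(src, _ts(ts)), _ts(ts))
    return sorted({src for ts, event_id, src, _a in events
                   if event_id == LOGON_SUCCESS and src in first_failure
                   and _ts(ts) > first_failure[src]})


def _is_cloud(dest):
    return any(dest == s or dest.endswith("." + s) for s in CLOUD_SUFFIXES)


def find_bulk_uploads(log, threshold_bytes=20_000_000):
    """Hosts whose bytes sent to the cloud services exceed the threshold.
    Volume is the observable: the payload is encrypted, so inline inspection
    learns nothing. Returns {host: total_bytes}."""
    totals = defaultdict(int)
    for _time, host, dest, sent in log:
        if _is_cloud(dest):
            totals[host] += sent
    return {h: b for h, b in totals.items() if b > threshold_bytes}


def find_regular_polling(log, suffix="github.com", min_hits=4, jitter=timedelta(seconds=10)):
    """Hosts contacting `suffix` at a near-constant interval (assumed implant
    polling behaviour). Returns {host: interval_seconds}."""
    hits = defaultdict(list)
    for ts, host, dest, _sent in log:
        if dest == suffix or dest.endswith("." + suffix):
            hits[host].append(_ts(ts))
    polling = {}
    for host, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            polling[host] = gaps[0].total_seconds()
    return polling


if __name__ == "__main__":
    bursts = find_logon_bursts(DC_EVENTS)
    print("failed-logon bursts:", bursts)
    print("bursting sources that then succeeded:", successes_after_burst(DC_EVENTS, bursts))
    print("bulk uploads to cloud services:", find_bulk_uploads(PROXY_LOG))
    print("regular polling of github.com:", find_regular_polling(PROXY_LOG))
```

In a real deployment the thresholds would come from a per-host baseline rather than fixed constants, and a source that both produced a logon burst and then succeeded (the first two checks combined) is the one to act on first; a large upload to Dropbox or OneDrive on its own is common enough that it needs the other signals, or an off-hours timestamp, to be worth an alert.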
(nie)