Salt Typhoon: Chinese APT Group Targeting Telco Companies

In 2024, the threat actor Salt Typhoon (also tracked as “Earth Estries”, “GhostEmperor”, “FamousSparrow” and “UNC2286”) was attributed a series of cyber-attacks targeting U.S. telecommunications companies. The group’s primary focus is cyberespionage, and it is notorious for targeting government entities as well as global organisations, including the telecommunications sector. Salt Typhoon exploits internet-facing systems, leverages living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement, and deploys customised malware to establish and maintain persistence.

Threat alert
December 11, 2024

Modus Operandi

Initial access is typically achieved by exploiting vulnerabilities in public-facing endpoints such as:

  • CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN): vulnerabilities in Ivanti VPN products that allow attackers to bypass authentication and execute arbitrary commands.
  • CVE-2023-48788 (Fortinet FortiClient EMS): allows attackers to execute remote code on affected servers.
  • CVE-2022-3236 (Sophos Firewall): a code injection vulnerability that enables remote code execution.
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon): a chain of vulnerabilities that lets threat actors compromise on-premise Exchange servers and achieve remote code execution (RCE).

Once inside the targeted network, Salt Typhoon uses a combination of custom malware and legitimate tools to move laterally, gain persistence, exfiltrate data and maintain long-term access.

Tools, Tactics and Techniques

Trend Micro has identified the GhostSpider backdoor as the key tool used by the group. The modular backdoor uses advanced encryption techniques to evade detection and operates entirely in memory to avoid leaving traces on disk. It is loaded onto the system via DLL hijacking and registered with the regsvr32.exe tool, while a secondary module, the beacon loader, loads encrypted payloads directly into memory. GhostSpider conceals its command-and-control communication in HTTPS headers and cookies, blending in with legitimate network traffic.

Alongside GhostSpider, the group employs a variety of complex malware tools designed to avoid detection for extended periods. Most notable are:

  • SnappyBee/Deed RAT: a modular backdoor capable of data exfiltration, system manipulation and lateral movement.
  • Masol RAT: a remote access tool used against Linux systems that allows threat actors to manipulate files and execute commands.
  • Demodex: a rootkit used for kernel-level persistence, allowing attackers to remain undetected for long periods.

Recommendations

In response to these growing threats, several agencies have issued guidance to help organisations harden their infrastructure and defend against intrusions. The key points are:

  • Keep all systems updated to address known flaws, prioritising public-facing systems to reduce the risk of exploitation.
  • Use multi-factor authentication (MFA) to limit unauthorised access, or implement phishing-resistant FIDO security keys.
  • Implement network segmentation and advanced monitoring to detect unusual activity.
  • Employ behavioural analytics to identify anomalies indicative of compromise, and monitor for command-and-control communication to or from malicious domains.
  • Secure VPN gateways by limiting external access.
  • Implement role-based access control and periodically review accounts to verify whether their roles are still needed.
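The loader and lateral-movement behaviour described above (regsvr32.exe registering a hijacked DLL, WMIC.exe and PSEXEC.exe used for remote execution) can be turned into simple process-creation rules of the kind the monitoring recommendations call for. The following is an added example, not code from this alert or from any referenced vendor report; the Sysmon-style event records, host names and file paths are constructed for the demo.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation records for the demo; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "dc01", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"},
    {"host": "mail02", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\ProgramData\\Update\\wlbsctrl.dll"},
    {"host": "ws17", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "WMIC.exe /node:\"10.0.5.21\" process call create \"cmd.exe /c whoami\""},
    {"host": "ws17", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\fileserver -s cmd.exe"},
    {"host": "ws03", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "WMIC.exe os get caption"},
]

# Directories from which regsvr32 normally registers DLLs; anything else deserves a look.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
DLL_PATH_RE = re.compile(r'([a-z]:\\[^"\s]+\.dll)', re.IGNORECASE)


def classify(event):
    """Return a rule name if the event matches one of the alert's LOLBIN patterns, else None."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if exe == "regsvr32.exe":
        # GhostSpider-style loader: regsvr32 registering a DLL outside trusted system paths.
        for dll in DLL_PATH_RE.findall(cmd):
            if not dll.lower().startswith(TRUSTED_DLL_PREFIXES):
                return "regsvr32_untrusted_dll"
    elif exe == "wmic.exe" and "/node:" in cmd.lower():
        # WMIC with /node: runs against a remote host; local WMI queries are routine admin noise.
        return "wmic_remote_exec"
    elif exe == "psexec.exe":
        return "psexec_lateral_movement"
    return None


def detect(events):
    """Run every event through classify() and return (host, rule, cmdline) for each hit."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["host"], rule, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmdline}")
```

Against the sample data the benign System32 registration and the local WMIC query produce no hit, while the ProgramData DLL, the remote WMIC call and the PsExec session are each flagged; in production the trusted-path list and the WMIC rule would be tuned against the environment's own admin baseline.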

For more detailed technical analysis, see:

https://www.trendmicro.com/en_us/research/24/k/earth-estries.html  

https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/

https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/