Hunting the Emperor – Engage Game of Emperor

Subject: Hunting the Emperor – Engage Game of Emperor

Tactics: TA0011 Command and Control, TA0001 Initial Access, TA0003 Persistence

Technique: T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1505.003 Server Software Component: Web Shell

Procedure:

Earth Estries exploited vulnerabilities in public-facing servers, such as CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN, and CVE-2022-3236 in Sophos Firewall, to gain initial access. They then used web shells like GHOSTSPIDER and SNAPPYBEE for persistence and command and control, allowing them to maintain long-term access to the victim’s network.

Vulnerability: EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked. EAV0005 When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment.

Engagement Opportunity:

Deploy honeypots mimicking vulnerable public-facing servers to attract and engage with Earth Estries. Monitor their activities within the honeypot to gather intelligence on their TTPs, tools, and infrastructure. This can help develop more effective defensive strategies and potentially identify and block their attacks in real-time.

Threat Actor: Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286) – a suspected Chinese APT group.

Threat Objective:

Cyber espionage, primarily targeting government and telecommunication entities in the US, Asia-Pacific, Middle East, and South Africa.

Deception Opportunity:

Plant decoy documents and files related to government and telecommunication sectors within the network to deceive Earth Estries and distract them from real sensitive data. Monitor their interaction with the decoy data to gather intelligence and understand their intelligence priorities.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

Detection of web shells like GHOSTSPIDER and SNAPPYBEE relies on identifying specific characteristics and behaviors, which are core to the adversary’s tools. Exploiting vulnerabilities depends on the specific implementation of the technique, as different vulnerabilities may be present in different systems.

  • Sensor Data Placement: Application, User-Mode
  • Observable Level: Core to Adversary-Brought Tool (for web shell detection), Core to Some Implementations of (Sub-)Technique (for exploitation of specific vulnerabilities)

Link to Report: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html

Link to Report II.:

Additional Comments:

Earth Estries demonstrates a high level of sophistication and organization, employing advanced techniques and a complex C&C infrastructure. Their TTPs often overlap with those of other known Chinese APT groups, indicating potential use of shared tools and resources. Continued monitoring and analysis of their activities are crucial for effective defense.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Earth Estries Attack Graph

[1]: Initial Access - Exploit Public-Facing Application (T1190) - Exploit vulnerabilities in Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887) (Core to Some Implementations of (Sub-)Technique)
[2]: Persistence - Web Shell (T1505.003) - Deploy GHOSTSPIDER web shell (Core to Adversary-Brought Tool)
[3]: Command and Control - Application Layer Protocol: HTTPS (T1071.001) - Communicate with C2 server using HTTPS (Core to Adversary-Brought Tool)
[4]: Persistence - Web Shell (T1505.003) - Deploy SNAPPYBEE web shell (Core to Adversary-Brought Tool)
[5]: Command and Control - Application Layer Protocol: HTTPS (T1071.001) - Communicate with C2 server using HTTPS (Core to Adversary-Brought Tool)

1 --> 2 (Unpatched and Outdated Software)
2 --> 3 (Lack of Network Monitoring)
1 --> 4 (Unpatched and Outdated Software)
4 --> 5 (Lack of Network Monitoring)
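Added example, not part of the original post or of MITRE Engage: a Python parser for the MSG node/edge notation above that enumerates the attack paths and reports the choke point (the node every path passes through, which is where a defender gets the most out of closing one weakness). The graph text is copied from the page; the function names are my own.

```python
import re

# Constructed sample in the page's MSG node/edge notation (the graph above).
MSG_TEXT = """
[1]: Initial Access - Exploit Public-Facing Application (T1190) - Exploit vulnerabilities in Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887) (Core to Some Implementations of (Sub-)Technique)
[2]: Persistence - Web Shell (T1505.003) - Deploy GHOSTSPIDER web shell (Core to Adversary-Brought Tool)
[3]: Command and Control - Application Layer Protocol: HTTPS (T1071.001) - Communicate with C2 server using HTTPS (Core to Adversary-Brought Tool)
[4]: Persistence - Web Shell (T1505.003) - Deploy SNAPPYBEE web shell (Core to Adversary-Brought Tool)
[5]: Command and Control - Application Layer Protocol: HTTPS (T1071.001) - Communicate with C2 server using HTTPS (Core to Adversary-Brought Tool)
1 --> 2 (Unpatched and Outdated Software)
2 --> 3 (Lack of Network Monitoring)
1 --> 4 (Unpatched and Outdated Software)
4 --> 5 (Lack of Network Monitoring)
"""
# Node: "[id]: tactic - technique - procedure (observable level)"; the final group may
# nest one level of parentheses ("(Sub-)Technique"). Edge: "src --> dst (weakness)".
NODE_RE = re.compile(r"^\[(\d+)\]:\s*(.+?) - (.+?) - (.*?)\s*\(((?:[^()]|\([^()]*\))*)\)$")
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)\s*\((.+)\)$")

def parse_msg(text):
    """Return ({node_id: fields}, [(src, dst, exploited_weakness)])."""
    nodes, edges = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := NODE_RE.match(line):
            nid, tactic, technique, procedure, level = m.groups()
            nodes[int(nid)] = dict(tactic=tactic, technique=technique,
                                   procedure=procedure, observable_level=level)
        elif m := EDGE_RE.match(line):
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        else:
            raise ValueError("unrecognised MSG line: " + line)
    return nodes, edges

def attack_paths(nodes, edges):
    """All root-to-leaf paths (a root has no inbound edge), by iterative DFS."""
    out = {}
    for src, dst, _ in edges:
        out.setdefault(src, []).append(dst)
    stack, paths = [[r] for r in sorted(set(nodes) - {d for _, d, _ in edges})], []
    while stack:
        path = stack.pop()
        nxt = out.get(path[-1])
        if not nxt:
            paths.append(path)  # leaf: the adversary's objective node
        stack.extend(path + [n] for n in nxt or [])
    return sorted(paths)

def choke_points(paths):
    """Nodes on every path: closing that node's weakness severs the whole sub-graph."""
    return set.intersection(*map(set, paths)) if paths else set()
```

Each edge label is the defensive gap the adversary relied on for that step, so the edge list doubles as the list of controls (patching, network monitoring) whose absence the graph assumes.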

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Earth Estries Pseudocode

function Initial_Access_Exploit_Public-Facing_Application_T1190(target_server):
    # Identify vulnerable public-facing servers (e.g., Ivanti Connect Secure VPN)
    # Exploit vulnerability to gain initial access
    return web_shell_payload

function Persistence_Web_Shell_T1505_003(web_shell_payload):
    # Deploy GHOSTSPIDER or SNAPPYBEE web shell on compromised server
    return C2_communication_module

function Command_and_Control_Application_Layer_Protocol_T1071_001(C2_communication_module):
    # Establish HTTPS connection with C2 server
    # Receive commands and maintain persistence
    return success
