Chinese Earth Krahang Hackers Breach 70 Orgs in 23 Countries

Trend Micro has released details surrounding a campaign that has been ongoing since early 2022. The campaign has been attributed to a Chinese APT group dubbed ‘Earth Krahang,’ who according to researchers has breached 70 organizations and targeted at least 116 entities across 45 countries since initiating operations. This group primarily goes after government organizations, with Trend Micro noting that the group has compromised 48 government organizations, 10 of which are Foreign Affairs ministries. To help organizations fend off potential attacks from Earth Krahang, Trend Micro has highlighted the various TTPs employed by this group as well as relevant IOCs, which can be accessed using the link below:

Analyst Comments:
Taking a look at the attack chain employed by this group, Earth Krahang gains initial access to victim environments via two main methods: exploiting vulnerabilities in public-facing servers (CVE-2023-32315 in Openfire and CVE-2022-21587 in Control Web Panel) and launching targeted spear-phishing emails that use geopolitical themes to trick victims into opening attachments or links.

Once the actors gain an initial foothold, they perform various operations, including using the breached infrastructure to host malicious payloads such as webshells and backdoor files for persistent access. Notably, Earth Krahang is known for using compromised government email accounts to target individuals within the same organization or other government entities with further spear-phishing emails. In one case observed by Trend Micro, the actors used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity.
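A detection heuristic for the mass internal spear-phishing pattern described above, added here as an example and not taken from the Trend Micro report or this brief: it flags any internal mailbox that sends an attachment to an unusually large number of distinct internal recipients within a short window. The mail-gateway records and the example.gov domain are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.gov"  # assumed victim domain (constructed for the example)

# Constructed mail-gateway records (timestamp, sender, recipient, attachment flag);
# not taken from the Trend Micro report.
SAMPLE_LOG = [
    ("2024-03-01T09:00:00", "alice@example.gov", "bob@example.gov", False),
    ("2024-03-01T09:05:00", "alice@example.gov", "carol@example.gov", True),
] + [
    # one mailbox mailing an attachment to 60 distinct colleagues within ten minutes
    (f"2024-03-01T10:{i // 6:02d}:{(i % 6) * 10:02d}", "clerk@example.gov",
     f"staff{i}@example.gov", True)
    for i in range(60)
]


def parse(records):
    """Normalise raw tuples into (datetime, sender, recipient, has_attachment)."""
    return [(datetime.fromisoformat(ts), s.lower(), r.lower(), att)
            for ts, s, r, att in records]


def flag_mass_internal_mailers(records, window=timedelta(minutes=30), threshold=50,
                               domain=INTERNAL_DOMAIN):
    """Return {sender: peak distinct internal recipients} for internal senders that
    mailed an attachment to at least `threshold` distinct internal recipients
    inside any `window`-long span."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, has_att in parse(records):
        if has_att and sender.endswith("@" + domain) and rcpt.endswith("@" + domain):
            by_sender[sender].append((ts, rcpt))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        seen = defaultdict(int)  # recipient -> occurrences inside the sliding window
        for ts, rcpt in events:
            seen[rcpt] += 1
            # drop events that fell out of the window
            while events[start][0] < ts - window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                flagged[sender] = max(flagged.get(sender, 0), len(seen))
    return flagged
```

In a real deployment the threshold should be tuned against the organisation's normal bulk-mail senders (HR, IT announcements), which are the expected benign hits for this rule.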

Another tactic highlighted by researchers is that this group of actors builds VPN servers on compromised public-facing servers using software called SoftEtherVPN. Doing so enables the actors to establish a secure connection into the private networks of their victims and move laterally to compromise more systems and resources.

Given that cyber-espionage seems to be the main motive behind Earth Krahang, the group will also deploy malware and tools like Cobalt Strike, RESHELL, and XDealer, which can be used by the actors for command execution and data collection purposes.

Suggested Corrections:
Organizations should regularly apply patches and updates to prevent actors like Earth Krahang from exploiting known vulnerabilities (CVE-2023-32315, CVE-2022-21587) for initial access. Network segmentation is also crucial, as isolating public-facing servers from internal systems limits the attack surface and the overall impact of a compromise. Given that spear-phishing is commonly employed by Earth Krahang, it is important that organizations train employees on different phishing techniques. Regular tabletop exercises can help spread awareness and enable employees to detect and deter potential phishing attacks. Earth Krahang is also known for using brute force to gain access to Outlook accounts and servers. Using strong passwords and employing multi-factor authentication can help defend against such methods.