- Chinese hackers have found an unusual way of attacking US companies
- The method has remained largely under the radar so far
- The hackers are mostly interested in espionage, experts say
A Chinese threat actor known as Murky Panda is abusing the trust that companies place in their cloud providers to break into organizations, steal sensitive files, and maintain persistence for further reconnaissance and espionage.
CrowdStrike security researchers have revealed that, since 2023, they have seen at least two cases in which Murky Panda exploited zero-day vulnerabilities to break into the cloud environments of SaaS providers.
Once inside, the attackers studied the logic of the victim's cloud environment, "allowing them to take advantage of their software to move laterally to downstream clients."
Silk Typhoon
So, in essence, this is a third-party (supply-chain) attack carried out through a cloud-based service provider. The method is rarely seen, however, and that is what makes it more effective than other, more widely reported ones:
"Due to the rarity of the activity, this initial access vector to a victim's cloud remains relatively under-reported compared to the most prominent initial access vectors, such as valid cloud accounts and exploiting public-facing applications," said CrowdStrike.
The researchers also said that the threat actor has been active since at least 2023, and that its tactics, techniques and procedures closely resemble those of Silk Typhoon, a known Chinese state-sponsored group. Since attribution is often complicated, the researchers suggest that this could be Silk Typhoon itself, an associated group, or an imitator.
Whoever it is, the group appears to be focused on cyberespionage and intelligence collection. Most of its targets are in government, technology, academia, and legal and professional services, located mainly in North America.
To break into its initial targets, Murky Panda uses a variety of methods and tools. It was seen exploiting CVE-2023-3519, a known vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway instances. This flaw is at least two years old, and has also been abused in the past by various ransomware actors.
In other cases, the group also compromised various small office/home office (SOHO) devices.
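Because CVE-2023-3519 is an old, widely exploited flaw, the first question for a defender is simply whether every NetScaler ADC and Gateway instance runs a fixed build. The script below is an added example (not from the article or from CrowdStrike) that parses the banner printed by a NetScaler's `show version` command and compares it with the fixed build per release branch. The fixed build numbers and the end-of-life status of the 12.1 branch are assumptions taken from memory of the vendor bulletin and must be verified against Citrix's current advisory before relying on them; the sample banners are constructed for the example.

```python
import re

# ASSUMPTION: first fixed build for CVE-2023-3519 per release branch, as
# recalled from the vendor bulletin. Verify against the current Citrix
# advisory before use. FIPS/NDcPP trains (e.g. 13.1-37.x, 12.1-55.x) have
# their own fixed builds and are deliberately not modelled here.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
}
# ASSUMPTION: the non-FIPS 12.1 branch was end-of-life and received no fix.
EOL_BRANCHES = {"12.1"}
# 13.1 builds in the 37.x train are the FIPS train: report "unknown" rather
# than misclassify them against the non-FIPS threshold.
FIPS_TRAINS = {("13.1", 37)}

# Matches banners such as "NetScaler NS13.1: Build 49.13.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s*(?P<build>\d+\.\d+)")


def parse_version(banner):
    """Return (branch, (build_major, build_minor)) from a show-version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler banner: {banner!r}")
    major, minor = m.group("build").split(".")
    return m.group("branch"), (int(major), int(minor))


def is_vulnerable(banner):
    """True if the build predates the fix, False if fixed, None if the
    branch/train is not covered by this table and needs a manual check."""
    branch, build = parse_version(banner)
    if branch in EOL_BRANCHES:
        return True          # no fixed build exists for this branch
    if (branch, build[0]) in FIPS_TRAINS:
        return None          # FIPS train: check the advisory separately
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None          # branch not in the table (e.g. newer release)
    return build < fixed     # tuple comparison: (48, 47) < (49, 13)


def scan(banners):
    """Classify a list of banners into 'vulnerable', 'fixed' and 'unknown'."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for b in banners:
        verdict = is_vulnerable(b)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        report[key].append(b)
    return report


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real appliance.
    samples = [
        "NetScaler NS13.1: Build 48.47.nc, Date: (constructed)",
        "NetScaler NS13.1: Build 49.13.nc, Date: (constructed)",
        "NetScaler NS13.0: Build 90.12.nc, Date: (constructed)",
        "NetScaler NS12.1: Build 65.39.nc, Date: (constructed)",
        "NetScaler NS14.1: Build 4.42.nc, Date: (constructed)",
    ]
    for category, items in scan(samples).items():
        for item in items:
            print(f"{category:10s} {item}")
```

Run it against the output of `show version` collected from each appliance; anything in the "unknown" bucket (FIPS trains, branches newer than the table) is not a clean bill of health and still needs to be checked against the vendor advisory by hand.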