Dell Secureworks has uncovered a Chinese advanced persistent threat (APT) group that has set scores of traps across the world to pilfer data from some big targets.
The group, known as Emissary Panda or Threat Group 3390 (TG-3390), has placed over 100 of the so-called 'traps' and has already gone after defence firms in the UK and US as well as the Russian Embassy in Washington D.C.
The group uses strategic web compromises (SWCs) to get inside organisations: victims are compromised when they visit websites related to the business they are involved in. The hackers only go after victims that have "access to desirable data", and to do so, code on the compromised site exploits vulnerabilities on the victim's computer before installing a key logger and a backdoor on Microsoft Exchange servers to take control.
The group relies on older vulnerabilities, such as those affecting Java (CVE-2011-3544) and JBoss (CVE-2010-0738); there is no suggestion that zero-day exploits are being used. Two of the tools deployed by TG-3390 are OwaAuth and ASPXTool.
OwaAuth is a web shell and credential thief used to attack Exchange servers, whilst ASPXTool is a modified ASPXSpy web shell used on accessible servers running Internet Information Services, according to V3. The group has also used a range of other tools, including PlugX and HttpBrowser.
How to remove it
In addition to targeting victims when they visit websites, TG-3390 uses spearphishing emails when attempting to extract information from very specific targets. Otherwise the targets are a lot more general and are ranked in importance depending on the organisation.
Organisations can put an end to any data breaches carried out by the APT group by removing all access points, including remote access tools, although the attackers will attempt to return even after they have been removed.