How much do you trust your cloud? Hackers exploit weakness to target customers - here's what we know
Murky Panda uses zero-day flaws to target cloud-based service providers

- Chinese hackers found a unique way to target US firms
- The method remained largely hidden until now
- Hackers are mostly interested in espionage, experts claim
Chinese threat actors known as Murky Panda are abusing the trust businesses have in their cloud providers to break into companies, steal sensitive files, and maintain persistence for additional reconnaissance and espionage.
Security researchers at CrowdStrike have revealed that, since 2023, they have seen at least two cases in which Murky Panda exploited zero-day flaws to break into SaaS providers' cloud environments.
After breaking in, they analyzed their victim’s cloud environment logic, “enabling them to leverage their access to that software to move laterally to downstream customers.”
Silk Typhoon
So, in essence, this is a third-party (supply-chain) cyberattack conducted through a cloud-based service provider. The method is rare, and that rarity works in the attackers' favor: defenders watch it far less closely than other, more widely reported initial access vectors:
“Due to the activity’s rarity, this initial access vector to a victim's cloud environment remains relatively undermonitored compared to more prominent initial access vectors such as valid cloud accounts and exploiting public-facing applications,” CrowdStrike explained.
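The monitoring gap CrowdStrike describes has a practical counterpart: most customers never alert on what their providers' integration identities do inside the customer's own tenant. The following is an added example, not code from CrowdStrike or from the article, showing one way to close that gap. It scopes each provider identity to the actions and resources it was granted at onboarding and flags any event outside that scope. The JSON-lines audit log format, the identity name `svc-backupvendor`, the action names and the IP addresses are all constructed for illustration and do not correspond to any real platform's schema.

```python
"""Flag cloud audit-log events in which a third-party provider's integration
identity acts outside the scope it was granted at onboarding.

Added example. The log schema, identity names and action strings below are
constructed; adapt the field names to your cloud platform's audit log.
"""
import json
from dataclasses import dataclass

# Constructed sample audit log (JSON lines). The provider identity
# "svc-backupvendor" was onboarded to read one backup bucket only. The last
# two records show it minting a credential and reading an unrelated bucket,
# which is the downstream-customer lateral movement the article describes.
SAMPLE_LOG = """\
{"ts":"2025-08-20T01:00:05Z","actor":"svc-backupvendor","actor_type":"provider_integration","action":"storage.objects.get","resource":"bucket/backups","src_ip":"203.0.113.10"}
{"ts":"2025-08-20T01:00:09Z","actor":"svc-backupvendor","actor_type":"provider_integration","action":"storage.objects.get","resource":"bucket/backups","src_ip":"203.0.113.10"}
{"ts":"2025-08-20T02:14:31Z","actor":"alice@example.com","actor_type":"user","action":"iam.roles.list","resource":"project/prod","src_ip":"198.51.100.7"}
{"ts":"2025-08-21T03:41:12Z","actor":"svc-backupvendor","actor_type":"provider_integration","action":"iam.serviceAccountKeys.create","resource":"project/prod","src_ip":"203.0.113.10"}
{"ts":"2025-08-21T03:42:50Z","actor":"svc-backupvendor","actor_type":"provider_integration","action":"storage.objects.get","resource":"bucket/legal-docs","src_ip":"203.0.113.10"}
"""

# Per-provider allowlist taken from the onboarding record (constructed here).
# Deliberately not learned from historical logs: if the provider was already
# compromised when the baseline was built, the attacker's activity would be
# baked into "normal".
PROVIDER_BASELINE = {
    "svc-backupvendor": {
        "actions": {"storage.objects.get", "storage.objects.list"},
        "resources": {"bucket/backups"},
    },
}


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    action: str
    resource: str
    reason: str


def parse_events(log_text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_provider_anomalies(events, baseline=PROVIDER_BASELINE):
    """Return one Finding per provider-integration event outside its granted scope."""
    findings = []
    for ev in events:
        # User and first-party service events are left to other detections;
        # this check is only about identities a provider holds in your tenant.
        if ev.get("actor_type") != "provider_integration":
            continue
        allowed = baseline.get(ev["actor"])
        if allowed is None:
            # A provider identity nobody onboarded is itself a finding.
            findings.append(Finding(ev["ts"], ev["actor"], ev["action"], ev["resource"],
                                    "provider identity with no onboarding baseline"))
            continue
        reasons = []
        if ev["action"] not in allowed["actions"]:
            reasons.append("action outside granted scope")
        if ev["resource"] not in allowed["resources"]:
            reasons.append("resource outside granted scope")
        if reasons:
            findings.append(Finding(ev["ts"], ev["actor"], ev["action"], ev["resource"],
                                    "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_provider_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{f.ts} {f.actor} {f.action} on {f.resource}: {f.reason}")
```

Run against the constructed log, the two 2025-08-21 events are flagged (a credential-creation call and a read of a bucket the provider was never granted) while the provider's routine backup reads and the human user's activity pass. The point of keying on the onboarding allowlist rather than on anomaly scores is that a provider compromised upstream still presents valid credentials and a familiar source IP, so "valid account" heuristics see nothing wrong; only the mismatch between granted and exercised scope gives it away.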
The researchers also said the threat actor has been active since at least 2023, and that its tactics, techniques, and procedures (TTPs) are quite similar to those of Silk Typhoon, a known Chinese state-sponsored group. Since attribution is often tricky, the researchers hint that this could be Silk Typhoon itself, a partnering group, or a copycat.
Whoever it is, it seems to be focused on cyber-espionage and intelligence-gathering. Most of its targets are in government, technology, academia, legal, and professional services, located primarily in North America.
When breaking into its initial targets, Murky Panda uses different methods and tools. The group was seen exploiting CVE-2023-3519, a known unauthenticated remote code execution vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway instances. The flaw is at least two years old and has also been abused by ransomware actors in the past, so unpatched appliances remain an easy way in.
In other cases, the group was also seen compromising small office/home office (SOHO) devices.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.