
A unique long-standing operation, ‘GhostEmperor’, is using Microsoft Exchange vulnerabilities to target high-profile victims with an advanced toolset and no affinity to any known threat actor.
This was revealed by Kaspersky’s latest APT 2021 Report, which monitors how advanced persistent threat (APT) groups refresh and update their toolsets. The report noted an upswing of attacks against Microsoft Exchange servers in Q2.
GhostEmperor is a Chinese-speaking threat actor that was discovered by Kaspersky researchers, and focuses mainly on targets in Southeast Asia, including several governmental bodies and telecoms entities.
“This actor stands out because it uses a formerly unknown Windows kernel-mode rootkit,” the researchers explain.
Rootkits provide remote control over the servers they target and operate covertly to evade security controls. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor employs a loading scheme involving a component of an open-source project named 'Cheat Engine'.
No links to known threat actors
Kaspersky experts describe this advanced toolset as unique, finding no links to known threat actors. They surmise it has been employed since at least July last year.
David Emm, a security expert at Kaspersky, says APT actors evolve alongside detection and protection techniques, and typically refresh and update their toolsets.
“GhostEmperor is a clear example of how cyber criminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” he adds.
Leveraging exploits
Over and above the growth of attacks against Microsoft Exchange servers, Kaspersky experts also noted an increase in APT threat actors leveraging exploits to gain an initial foothold in attacked networks, including the zero-days developed by the exploit developer ‘Moses’, those used in the PuzzleMaker and Pulse Secure attacks, and the Microsoft Exchange server vulnerabilities.
According to Emm, APT actors continue to invest in refreshing their toolsets to include not only new platforms but additional languages too, as seen in WildPressure’s macOS-supported Python malware.
“While some of the supply-chain attacks were major and have attracted worldwide attention, Kaspersky experts also observed equally successful low-tech attacks, such as BountyGlad, CoughingDown, and the attack targeting Codecov, which signaled that low-key campaigns still represent a significant threat to security.”