Separating the Bee From the Panda: CeranaKeeper Making a Beeline for Thailand
Summary:
A new China-aligned threat actor, dubbed CeranaKeeper, has been identified targeting governmental institutions in Southeast Asia, primarily Thailand. The group has been active since at least early 2022 and is characterized by its relentless pursuit of data exfiltration. CeranaKeeper leverages a variety of techniques and tools, including custom backdoors, exfiltration tools, and the abuse of legitimate cloud and file-sharing services like DropBox and OneDrive, to achieve its objectives. The group's tactics demonstrate a high degree of sophistication and adaptability. It has been observed employing revamped versions of components previously attributed to the Mustang Panda APT group, as well as employing novel methods such as using GitHub's pull request and issue comment features to create a stealthy reverse shell. CeranaKeeper's ability to continuously update its tools and diversify its methods underscores its commitment to evading detection and maximizing its impact. Initial access vectors for this campaign have yet to be found. ESET suspects that brute-force attacks, utilized by CeranaKeeper during previous campaigns in the middle of 2023, are likely one of the initial access vectors.
Security Officer Comments:
The emergence of CeranaKeeper highlights the frequent cyberattacks by Chinese state-sponsored cyber actors targeting critical infrastructure and government entities in Southeast Asia. The group's relentless focus on data exfiltration underscores the importance of robust data protection measures and incident response capabilities for organizations operating in this region. Organizations should be vigilant for indicators of compromise associated with CeranaKeeper's activities, including the presence of the group's custom tools, unusual network traffic to cloud services, and suspicious activity related to GitHub repositories. The discrepancies discovered by ESET within the TTPs and code of this and similar previously-documented campaigns, lead ESET to believe it is prudent to establish that CeranaKeeper and MustangPanda are two separate China-aligned entities. CeranaKeeper’s intense focus on data exfiltration via popular services and similarities with other Chinese APTs underscores potential information and toolset sharing between Chinese groups.
Suggested Corrections:
CeranaKeeper IOCs are published on GitHub here.
Organizations can make APT groups’ lives more difficult. Here’s how:
https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
PDF: https://web-assets.esetstatic.com/wls/en/papers/white-papers/ceranakeeper.pdf
A new China-aligned threat actor, dubbed CeranaKeeper, has been identified targeting governmental institutions in Southeast Asia, primarily Thailand. The group has been active since at least early 2022 and is characterized by its relentless pursuit of data exfiltration. CeranaKeeper leverages a variety of techniques and tools, including custom backdoors, exfiltration tools, and the abuse of legitimate cloud and file-sharing services like DropBox and OneDrive, to achieve its objectives. The group's tactics demonstrate a high degree of sophistication and adaptability. It has been observed employing revamped versions of components previously attributed to the Mustang Panda APT group, as well as employing novel methods such as using GitHub's pull request and issue comment features to create a stealthy reverse shell. CeranaKeeper's ability to continuously update its tools and diversify its methods underscores its commitment to evading detection and maximizing its impact. Initial access vectors for this campaign have yet to be found. ESET suspects that brute-force attacks, utilized by CeranaKeeper during previous campaigns in the middle of 2023, are likely one of the initial access vectors.
Security Officer Comments:
The emergence of CeranaKeeper highlights the frequent cyberattacks by Chinese state-sponsored cyber actors targeting critical infrastructure and government entities in Southeast Asia. The group's relentless focus on data exfiltration underscores the importance of robust data protection measures and incident response capabilities for organizations operating in this region. Organizations should be vigilant for indicators of compromise associated with CeranaKeeper's activities, including the presence of the group's custom tools, unusual network traffic to cloud services, and suspicious activity related to GitHub repositories. The discrepancies discovered by ESET within the TTPs and code of this and similar previously-documented campaigns, lead ESET to believe it is prudent to establish that CeranaKeeper and MustangPanda are two separate China-aligned entities. CeranaKeeper’s intense focus on data exfiltration via popular services and similarities with other Chinese APTs underscores potential information and toolset sharing between Chinese groups.
Suggested Corrections:
CeranaKeeper IOCs are published on GitHub here.
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
PDF: https://web-assets.esetstatic.com/wls/en/papers/white-papers/ceranakeeper.pdf