A technical brief providing an in-depth look at a new threat group linked to China, dubbed “Earth Lusca” activities, tools employed in attacks, and the infrastructure it used have been disclosed by researchers. Since mid-2021, the researchers have been investigating Earth Lusca involved in carrying out traditional social engineering campaigns across the globe. According to researchers, the primary motive appeared to be cyber espionage since its victims included high-value targets, however, the threat actor groups also seemed to be financially motivated due to attacks on gambling and cryptocurrency organizations. Researchers monitoring multiple operations from Earth Lusca yielded information including the following targets however more industries or countries may have been targeted:
Previous research from different reports has attributed this group’s activity to other threat actor groups including APT41, Earth Baku, Sparkling Goblin, and the “Winnti” cluster due to the use of overlapping malware. However, current researchers reveal different TTPs and independent sets of infrastructure that forced researchers to keep it as a separate threat actor group from other known groups. Notably, other reports track Earth Lusca as “TAG-22” or “Fishmonger.”
Based on the operations, researchers have categorized the infrastructure used by Earth Lusca into two clusters:
First Cluster: Built using virtual private servers that are rented from a service provider called Vultr and used for carrying out the watering hole and spear-phishing operations alongside acts as a command-&-control server.
Second Cluster: Made up of compromised servers running old, open-source versions of Oracle GlassFish Server. It acts as a scanner searching for vulnerabilities in public-facing servers, builds traffic tunnels within targeted networks, and also acts as a command-&-control server for Cobalt Strike.
According to researchers Earth Lusca used three primary attack vectors including spear-phishing, watering hole attacks, and exploiting known vulnerabilities in products. Once gaining entry, the threat actor group used one of many malware listed below to further their activities:
As per researchers, the vulnerability exists due to a simple flaw where all three plug-ins register the save_settings function which is initiated via a wp_ajax A nonce check on this function is missing which means that there is no validation on the integrity of who was conducting the request. This makes it possible for an attacker to craft a request that triggers the AJAX action and execute the function.
Researchers also highlight that “Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date.”
Apart from social engineering, the threat actor group also targets public-facing servers through the exploitation of known vulnerabilities in servers that are running out-of-date versions of applications. Earth Lusca also used vulnerability scanning tools to discover possible vulnerabilities inside the websites of the targeted victim. The infection vectors used by the group show the importance of applying security best practices such as proper vetting of emails and websites being visited, as well as constantly updating software to their latest security iterations to minimize the chances of vulnerability exploitation.
In a recent report, researchers highlight Linux-targeted malware increases by 35% in 2021 compared to 2020. The XorDDoS, Mirai, and Mozi were among the top three most prevalent malware families that collectively accounted for over 22% of threats to Linux-based observed in 2021 by researchers. The Mozi malware in particular saw ten times in the wild in 2021 compared to 2020. The prime purpose of these malware families is to infect the vulnerable internet-connected device, recruit them into a botnet and then leverage them to perform DDoS attacks.
XorDDoS with 123% increase in malware samples: A Linux trojan that is aimed at multiple Linux architectures including ARM, x86, x64. The trojan is known to perform SSH brute-forcing attacks on vulnerable systems to secure remote access. Some of the XorDDoS variants observed by researchers scan and search for Docker servers with the open port 2375 which offers an unencrypted Docker socket and remote root passwordless to a vulnerable host.
Mozi registered 10 times increase: A peer-to-peer (P2P) botnet network that utilizes its own implementation of extended DHT (Distributed Hash Table). DHT provides a distributed and decentralized lookup mechanism that allows Mozi to hide its command-&-control(C2) traffic behind a legitimate DHT traffic. The use of extended DHT makes detecting C2 communication difficult. To infect systems, Mozi also uses brute force attacks on SSH and Telnet ports. The malware then blocks this port to prevent other threat actors or malware from abusing.
Mirai: The popular Mirai malware, similar to Mozi also target weak protocols and password such as Telnet to infect devices leveraging brute force attack. Since the leak of Mirai’s source code multiple Mirai variants have emerged. Some of the most prevalent Mirai variants observed by researchers included Sora, IZIH9, and Rekai having 33%, 39%, and 83% increase in samples respectively in 2021 as compared to 2020.
An estimated 90% of could infrastructure runs on Linux which essentially makes it the backbone of cloud and hybrid cloud workflows. It is also a driving factor in mobile and IoT devices. Its popularity can be attributed to its scalable, flexible, efficient, and wide range of distribution features that support a multitude of hardware and greater performance benefits. With Linux at the heart of the cloud, mobile and IoT infrastructure also mean a greater opportunity for threat actors.
A projected more than 30 IoT million devices are to be connected by the end of 2025 which creates a massive attack surface for cybercriminals looking into creating botnets. Build for only essential purpose and connectivity in mind, IoT devices are known to be vulnerable that often lack security controls. For example, a system with hardcoded or weak credentials, unnecessary open ports, or unpatched vulnerabilities is low-hanging fruit for attackers.
Wordfence researchers have disclosed a single high-severity vulnerability affecting three different WordPress plugins that may impact over 84,000 websites and could be leveraged by attackers to compromise these vulnerable websites. The Wordfence Threat Intelligence researchers as part of responsible disclosure initially discovered the vulnerability in the “Login/Signup Popup” WordPress plugin – installed on over 20,000 websites. After a few days, the researchers found the same vulnerability affecting two additional plugins by the same developer: “Side Cart Woocommerce (Ajax)” – installed on over 60,000 websites, and “Waitlist Woocommerce (Back in stock notifier)” – installed on over 4,000 websites. According to researchers the flaw cloud enables an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.
As per researchers, the vulnerability exists due to a simple flaw where all three plug-ins register the save_settings function which is initiated via a wp_ajax A nonce check on this function is missing which means that there is no validation on the integrity of who was conducting the request. This makes it possible for an attacker to craft a request that triggers the AJAX action and execute the function.
Researchers also highlight that “Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date.”
