As we well know, cyber threat campaigns never stop, and today we look at one that is in full swing: a campaign that exploits Microsoft Exchange vulnerabilities to target high-profile victims with a set of advanced tools. According to Kaspersky, at the time it was discovered the campaign showed no similarities to any known threat actor. The group behind it, GhostEmperor, appears to be a Chinese-speaking threat actor that has mainly focused on targets in Southeast Asia.

GhostEmperor seems to know what it is doing, and it stands out because it uses a previously unknown Windows kernel-mode rootkit. The rootkit gives the operators remote control over the servers they compromise and, like rootkits in general, is built to hide from researchers and security solutions. To get its driver loaded despite the Windows driver signature enforcement mechanism, GhostEmperor uses a loading scheme that involves a component of the open-source project “Cheat Engine”.
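A check a defender can run on an Exchange server after reading the paragraph above, written here as an added example (it is not code from the original post, from Kaspersky, or from the GhostEmperor toolset): confirm that driver signature enforcement has not been weakened, then list every running kernel driver with its Authenticode status and flag anything unsigned or signed by a publisher you would not expect on a mail server. The assumption that the Cheat Engine kernel driver is published under the "Cheat Engine" certificate subject, and the driver file names dbk64.sys and dbk32.sys, come from my own knowledge of that project, not from the post, so treat them as a starting point for your own allow-list rather than a definitive indicator.

```powershell
# Added example, not code from the original post.
# Run in an elevated Windows PowerShell 5.1 session (catalog-signed Microsoft
# drivers may report NotSigned under PowerShell 7, which does not consult catalogs).

# 1. Boot-time settings that weaken driver signature enforcement (DSE).
#    Either flag present means the kernel will accept unsigned drivers.
$bcd = bcdedit /enum "{current}" 2>$null
$dseWeakened = [bool]($bcd | Select-String -Pattern 'testsigning\s+Yes|nointegritychecks\s+Yes' -Quiet)
"DSE weakened via bcdedit: $dseWeakened"

# 2. HVCI / code integrity state, if the Device Guard WMI class is available.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    # 2 = HVCI (memory integrity) running; a rootkit loader has a harder time with it on.
    "HVCI running: $($dg.SecurityServicesRunning -contains 2)"
}

# 3. Normalise the many path forms Win32_SystemDriver.PathName can take.
function Resolve-DriverPath([string]$p) {
    if ([string]::IsNullOrWhiteSpace($p)) { return $null }
    $p = $p.Trim('"')
    if ($p.StartsWith('\??\'))            { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\')      { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -notmatch '^[A-Za-z]:\\')  { $p = Join-Path $env:SystemRoot $p }   # e.g. system32\drivers\x.sys
    return $p
}

# Assumption (not from the post): publisher and file names of the Cheat Engine driver.
$suspectPublisherPattern = 'Cheat Engine'
$suspectFileNames        = @('dbk64.sys', 'dbk32.sys')

# 4. Walk every running kernel driver and verify its signature.
$findings = foreach ($d in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
    $path = Resolve-DriverPath $d.PathName
    if (-not $path -or -not (Test-Path $path)) {
        # A running driver whose backing file cannot be found is itself worth a look.
        [pscustomobject]@{ Name = $d.Name; Path = $d.PathName; Status = 'FileMissing'; Signer = ''; Flag = 'REVIEW' }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $flag   = ''
    if ($sig.Status -ne 'Valid')                                    { $flag = 'UNSIGNED_OR_INVALID' }
    if ($signer -match $suspectPublisherPattern)                    { $flag = 'SUSPECT_PUBLISHER' }
    if ($suspectFileNames -contains (Split-Path $path -Leaf))       { $flag = 'SUSPECT_FILENAME' }
    [pscustomobject]@{ Name = $d.Name; Path = $path; Status = $sig.Status; Signer = $signer; Flag = $flag }
}

# 5. Show only what needs attention; drop the filter to see the full inventory.
$findings | Where-Object Flag | Sort-Object Flag, Name | Format-Table -AutoSize
```

A valid signature on every driver is not proof of a clean box: the whole point of the loading scheme described above is that the malicious code rides in on a legitimately signed component, so the publisher list and file-name list are what catch it, and both should be tuned to what your servers are actually supposed to run.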

According to Kaspersky, GhostEmperor is a clear example of how attackers keep looking for new techniques to use and new vulnerabilities to exploit. This is not surprising: we have seen many threats appear out of nowhere, and GhostEmperor is far from the only group taking advantage of the Microsoft Exchange vulnerabilities. It adds a new problem to the already well-established trend of attacks against Microsoft Exchange servers.

The best we can do against these threats is to prepare and stay informed, especially given the recent growth of vulnerabilities and attacks on Microsoft Exchange.

Other reads:
StrongPity infamous group of cybercriminals
Group NSO – A controversial company

