Earth Lusca: The Chinese Threat Actor

Introduction

Earth Lusca is also known as AQUATIC PANDA, BRONZE UNIVERSITY, CHROMIUM, Charcoal Typhoon, ControlX, FISHMONGER, Red Dev 10, RedHotel, and TAG-22. It is a Chinese threat actor that targets organizations of interest to the Chinese government.

So far, they have targeted academic institutions, telecommunication companies, religious organizations, and other civil society groups. Its tools closely resemble those used by Winnti Umbrella; however, the group appears to operate separately. Earth Lusca has also started targeting cryptocurrency payment platforms and cryptocurrency exchanges in its financially motivated attacks.

How does Earth Lusca work?

Initial access is achieved via spear phishing and/or watering hole websites. They send emails containing malicious links to their targets. These links lead to files disguised either as documents of interest or as opinion forms allegedly coming from another organization. The victim ends up downloading a malicious link (.lnk) file or an executable, which leads to a Cobalt Strike loader.

Earth Lusca also uses watering hole websites. These are either compromised websites belonging to a victim or fake web pages copied from legitimate ones, with malicious JavaScript embedded in them. The links to these websites are sent to the victims.

Protection

  • Owners of the network edge devices should ensure that management interfaces are not exposed to the public internet to reduce their attack surface.

  • Enforce strong multi-factor authentication (MFA) policies with the help of hardware security keys or Microsoft Authenticator. 

  • Reduce the attack surface by turning on the attack surface reduction rules to block or audit some observed activity associated with this threat.

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors.

  • Run Endpoint Detection and Response (EDR) in block mode. In this way, Microsoft Defender for Endpoint can block malicious artifacts that are detected post-compromise.
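The cloud-delivered protection and attack surface reduction steps above can be applied and verified from an elevated PowerShell session with the built-in Defender cmdlets. The script below is an added example, not code from the original post; it assumes a Windows endpoint running Microsoft Defender Antivirus, and it selects the published ASR rules that cover the spear phishing and drive-by download path described earlier (EDR in block mode is a Defender portal setting and is not covered here).

```powershell
# Added example (not from the original post): harden a Windows endpoint
# against the initial-access path described above (malicious email links,
# downloaded executables, script-based droppers) with Defender cmdlets.
# Run from an elevated PowerShell session.

# 1. Cloud-delivered protection: advanced MAPS reporting plus automatic
#    sample submission so fast-moving loaders are classified in the cloud.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 2. Attack surface reduction rules relevant to spear phishing and
#    watering hole downloads. GUIDs are Microsoft's published ASR rule IDs.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Start in AuditMode to measure impact on legitimate workflows, then
# switch to Enabled once the audit events look clean.
$mode = 'AuditMode'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $mode
    Write-Host ("{0} -> {1}: {2}" -f $id, $mode, $asrRules[$id])
}

# 3. Verify the resulting configuration.
$pref = Get-MpPreference
[PSCustomObject]@{
    MAPSReporting        = $pref.MAPSReporting
    SubmitSamplesConsent = $pref.SubmitSamplesConsent
    ASRRuleCount         = @($pref.AttackSurfaceReductionRules_Ids).Count
} | Format-List
```

While the rules are in audit mode, matching activity is logged to the Microsoft-Windows-Windows Defender/Operational event log (event ID 1122; 1121 once a rule is set to Enabled and blocks), which is what to review before switching `$mode` to `'Enabled'`.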

Takeaway!

Earth Lusca is a highly skilled and dangerous threat actor motivated by both financial gain and cyberespionage. However, it still relies on tried-and-true techniques to entrap a target. Hence, security best practices can minimize, and even stop, the impact of an Earth Lusca attack.