China-linked threat actor Sharp Panda, previously known as Sharp Dragon, has shed its skin. Gone are the days of Southeast Asian targets; a new era of global espionage has begun. This shadowy group is quietly expanding its reach, setting its sights on high-profile government entities in Africa and the Caribbean.
But how are they pulling it off?
Sharp Dragon has become a master of disguise. They've ditched their custom tools for a seemingly innocuous weapon: Cobalt Strike. This legitimate adversary simulation framework, used by security professionals to test defenses, is now a wolf in sheep's clothing.
Why the switch? It's all about stealth. By leveraging a familiar tool, Sharp Dragon blends into the background, making it harder for defenders todetect their malicious activity. Think of it as a hacker slipping into a network wearing a security guard uniform.
But Sharp Dragon isn't a one-trick pony. Their arsenal includes a mix of custom tools like VictoryDLL and Soul, alongside exploiting unpatched vulnerabilities to gain initial access. Their tactics are further bolstered by ORB networks, a web of compromised devices scattered across the globe. These networks allow them to mask their true location and launch attacks from seemingly trusted sources.
The targets? Telecom, finance, and government agencies – all critical sectors
So, what can you do to protect yourself?
- Patch early, patch often: Don't let known vulnerabilities be your downfall.
- Inventory is key: Keep track of all your devices, especially those nearing the end of their lifespan, to minimize the risk of them being used in ORB networks.
- Watch your network: Monitor for suspicious activity and indicators of compromise associated with Cobalt Strike and ORB networks.
- Deception is your friend: Deploy deception technologies to lure attackers out of hiding and give your threat hunters a fighting chance.
- Leave no stone unturned: Maintain comprehensive logging and monitoring to detect and respond to any suspicious activity.