Researchers at Kaspersky have found a campaign run by a Chinese-speaking threat group targeting flaws in Microsoft Exchange servers. The group has been named GhostEmperor, and its attacks are being carried out against high-profile victims located in Southeast Asia. GhostEmperor uses a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism. According to Kaspersky, “The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named ‘Cheat Engine.’”
Many threat groups have targeted Microsoft Exchange vulnerabilities over the past year, but this group does not appear to overlap with any of those other attacks. Companies should be vigilant in testing and installing patches within their organizations to prevent threat actors from exploiting known vulnerabilities. Monitoring should also be in place, such as Binary Defense Managed Detection and Response, which can identify and mitigate attacks quickly.
More can be read here: https://securityaffairs.co/wordpress/120721/apt/ghostemperor-chinese-speaking-threat-actor.html?utm_source=feedly&utm_medium=rss&utm_campaign=ghostemperor-chinese-speaking-threat-actor