Mustang Panda [1] [2] [3] [4] [5] [6], a China-linked APT group also known as Stately Taurus and RedDelta, has been targeting government entities [5], religious organizations [5], and NGOs in Europe and Asia since at least 2012.
Description
Researchers recently discovered that Mustang Panda is using Visual Studio Code (VSCode) to launch attacks [1], exploiting its embedded reverse shell feature to gain discreet access to target networks. This technique [1] [2] [4] [5], first identified in 2023, allows the threat actor to execute commands, transfer files [1], and maintain persistence on the target machine [1]. By leveraging VSCode’s tunnel feature [4], attackers can remotely control infected machines and exfiltrate sensitive data [4]. In the latest attack sequence, VSCode was abused to deliver additional payloads, and the same targeted environment showed ShadowPad backdoor activity, suggesting possible collaboration with other threat actors. Mustang Panda has also used OpenSSH for reconnaissance and for spreading malware [4], including the ShadowPad backdoor [4] [5]. This method has enabled Mustang Panda to access sensitive government data [1], evade traditional detection methods [1], and blend malicious activity with legitimate traffic [1].
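Defenders hunting for this technique can start from process-creation telemetry. The following is an added detection example, not code from the cited reports: it runs over a constructed, pipe-delimited event sample and flags the VS Code CLI being started with the real `tunnel` subcommand (and its `--accept-server-license-terms` flag, which allows an unattended start), a VS Code binary outside the install paths assumed here to be standard, and shells spawned by VS Code, which are common in normal development and should be correlated with a tunnel event rather than alerted on alone.

```python
from dataclasses import dataclass

# Constructed sample telemetry (process-creation events), not from any real incident.
# Format: timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2024-09-01T08:02:11Z|WS-114|explorer.exe|C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|"Code.exe" C:\\src\\app
2024-09-01T08:15:40Z|WS-114|cmd.exe|C:\\Users\\Public\\vscode\\code.exe|code.exe tunnel --accept-server-license-terms --name ws114
2024-09-01T08:16:02Z|WS-114|code.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-09-01T09:00:00Z|SRV-02|services.exe|C:\\Program Files\\Git\\usr\\bin\\ssh.exe|ssh.exe -V
"""

VSCODE_IMAGES = {"code.exe", "code"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
UNATTENDED_FLAGS = {"--accept-server-license-terms"}  # real VS Code CLI flag for unattended tunnel start
EXPECTED_PATHS = ("\\program files\\", "\\appdata\\local\\programs\\")  # assumption: where sanctioned installs live

@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    reason: str
    command_line: str

def _basename(path: str) -> str:
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]

def _in_expected_path(image: str) -> bool:
    return any(p in image.lower() for p in EXPECTED_PATHS)

def detect_vscode_tunnel_abuse(events: str) -> list[Finding]:
    """Return findings for VS Code tunnel and remote-shell indicators in the event sample."""
    findings = []
    for line in events.splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        tokens = cmdline.lower().split()
        # Rule 1: VS Code CLI started with the `tunnel` subcommand (the remote-control channel).
        if _basename(image) in VSCODE_IMAGES and "tunnel" in tokens[1:]:
            reason = "VS Code tunnel started"
            if UNATTENDED_FLAGS & set(tokens):
                reason += " with unattended flags"
            if not _in_expected_path(image):
                reason += "; binary outside expected install path"
            findings.append(Finding(ts, host, reason, cmdline))
        # Rule 2: shell as a child of VS Code; low confidence on its own, useful once a tunnel is seen.
        elif _basename(parent) in VSCODE_IMAGES and _basename(image) in SHELLS:
            findings.append(Finding(ts, host, "shell spawned by VS Code (normal in dev use; correlate with tunnel)", cmdline))
    return findings
```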
Conclusion
This incident underscores the need for organizations to strengthen their cybersecurity measures and remain vigilant against evolving threats [3], especially in Southeast Asia, where government entities are at heightened risk. Organizations should implement robust security defenses, conduct regular security assessments [3], and raise employee awareness to reduce the risk of falling victim to such sophisticated attacks [3]. Collaborating with industry experts and staying informed about the latest threat intelligence are essential to fortifying defenses against cyber threats [3].
References
[1] https://cyberrisks.ai/chinese-apt-exploits-visual-studio-code-to-target-southeast-asian-governments/
[2] https://thehackernews.com/2024/09/chinese-hackers-exploit-visual-studio.html
[3] https://www.krofeksecurity.com/bolster-your-cybersecurity-defending-against-chinese-hackers-exploiting-visual-studio-code/
[4] https://thereviewhive.blog/7-recent-data-breaches-and-malware-attacks-you-should-know-about/
[5] https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
[6] https://www.linkedin.com/posts/wdevault_blind-eagle-targets-colombian-insurance-sector-activity-7238902199072759808-Q9VA