HURRICANE PANDA  (Back to overview)

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence. Once inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.

---

Associated Families

There are currently no families associated with this actor.

---

References

2019-02-06 ⋅ Recorded Future ⋅ Insikt Group, Rapid7 @techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign Trochilus RAT APT31 HURRICANE PANDA

2018-03-05 ⋅ Confiant ⋅ Jerome Dangu @online{dangu:20180305:zirconium:06d9e29, author = {Jerome Dangu}, title = {{Zirconium was one step ahead of Chrome’s redirect blocker with 0-day}}, date = {2018-03-05}, organization = {Confiant}, url = {https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d}, language = {English}, urldate = {2020-01-09} } Zirconium was one step ahead of Chrome’s redirect blocker with 0-day HURRICANE PANDA

2018-01-23 ⋅ Confiant ⋅ Jerome Dangu @online{dangu:20180123:uncovering:a3ba605, author = {Jerome Dangu}, title = {{Uncovering 2017’s Largest Malvertising Operation}}, date = {2018-01-23}, organization = {Confiant}, url = {https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85}, language = {English}, urldate = {2019-12-24} } Uncovering 2017’s Largest Malvertising Operation HURRICANE PANDA

2015-04-13 ⋅ CrowdStrike ⋅ Dmitri Alperovitch @online{alperovitch:20150413:cyber:93796f8, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2019-12-20} } Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign HURRICANE PANDA

2015-04-13 ⋅ CrowdStrike ⋅ Dmitri Alperovitch @online{alperovitch:20150413:cyber:9cee61c, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2020-06-03} } Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign HURRICANE PANDA

2015-01-26 ⋅ CrowdStrike ⋅ Andy Schworer, Josh Liburdi @online{schworer:20150126:storm:a33ffb9, author = {Andy Schworer and Josh Liburdi}, title = {{Storm Chasing: Hunting Hurricane Panda}}, date = {2015-01-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/storm-chasing/}, language = {English}, urldate = {2020-06-03} } Storm Chasing: Hunting Hurricane Panda HURRICANE PANDA

2014-10-14 ⋅ CrowdStrike ⋅ Dmitri Alperovitch @online{alperovitch:20141014:crowdstrike:9be6684, author = {Dmitri Alperovitch}, title = {{CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda}}, date = {2014-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/}, language = {English}, urldate = {2020-06-03} } CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda HURRICANE PANDA

---

Credits: MISP Project