China-Linked Hackers Target SAP and SQL Server Vulnerabilities in Asia and Brazil


Rising Cyber Threats: The Impact of Earth Lamia on Businesses Worldwide

In recent months a China-linked threat actor tracked as Earth Lamia has been increasingly exploiting a critical vulnerability in SAP NetWeaver, resulting in targeted attacks on organizations primarily located in Brazil, India, and Southeast Asia since 2023.

Understanding the Threat Actor: Earth Lamia

Trend Micro’s security researchers, including Joseph C. Chen, have analyzed the tactics employed by Earth Lamia. The group is particularly adept at leveraging SQL injection vulnerabilities in web applications, which allow them to gain access to targeted organizations’ SQL servers. They also exploit a variety of known vulnerabilities to take control of publicly accessible servers, extending their reach across various sectors.
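The SQL injection foothold described above comes down to a web application splicing user input into SQL text. The following Python example, added here as an illustration and not code from the article or from Trend Micro, places a vulnerable lookup beside its parameterized replacement against a constructed in-memory SQLite table; the table name, column names and sample rows are assumptions chosen for the demonstration. The point for defenders is the last two counts: with a bound parameter the same crafted input simply matches nothing.

```python
import sqlite3

# Constructed sample data: a minimal "customers" table standing in for a
# web application's back-end database (assumption for this example).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Build the in-memory database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: input is interpolated into the SQL text, so a crafted
    value changes the query's structure instead of being treated as data."""
    sql = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds the input as a parameter; it can only
    ever match (or fail to match) a name, never alter the statement."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a benign name and with the textbook tautology
    payload, returning how many rows each variant hands back."""
    conn = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # classic illustration payload, constructed here
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_crafted": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    for variant, count in demo().items():
        print(f"{variant}: {count} row(s)")
```

The vulnerable lookup returns every row for the crafted input because the interpolated text becomes `WHERE name = 'x' OR '1'='1'`; the parameterized lookup returns zero rows for the same input. Parameterized queries (or an ORM that uses them underneath) close this class of bug at the source, which is the cheapest place to close it.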

Recent reports indicate that their focus has expanded beyond financial institutions to include sectors like logistics, online retail, IT companies, universities, and even government organizations. This broadening target set makes robust cybersecurity measures more urgent than ever.

Target Range: A Global Concern

Earth Lamia’s activities aren’t confined to one region but span multiple countries in South Asia, often targeting Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. These operations frequently exploit internet-exposed Microsoft SQL Servers to conduct reconnaissance, deploy post-exploitation tools, and create proxy tunnels into victim networks.

The tactics used by this group are notably sophisticated. They don’t just conduct straightforward attacks; they use a range of tools for privilege escalation, network scanning, and log cleaning. Tools such as GodPotato and JuicyPotato help them gain elevated rights, while Fscan and Kscan assist in scanning networks for vulnerable services. They even employ legitimate Windows tools to erase traces of their malicious activity.
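The log-cleaning step mentioned above leaves a durable trace of its own: when a Windows event log is cleared, Windows writes Security event 1102 ("The audit log was cleared") and System event 104, whichever tool issued the clear. The following Python detector is an added example, not code from the article or from Trend Micro; it runs over a constructed batch of already-parsed event records (the field names, host names and account names are assumptions) and returns one finding per clear event, grouped by host so an analyst can see which machines had their history wiped.

```python
from dataclasses import dataclass

# Constructed sample of Windows event records, reduced to the fields the
# check needs (assumption: a forwarder has already parsed channel, event id,
# subject account and message out of the raw event).
SAMPLE_EVENTS = [
    {"time": "2024-08-12T03:14:07Z", "host": "db-srv-01", "channel": "Security",
     "event_id": 4624, "subject": "SVC_SQL",
     "message": "An account was successfully logged on."},
    {"time": "2024-08-12T03:21:40Z", "host": "db-srv-01", "channel": "Security",
     "event_id": 1102, "subject": "SVC_SQL",
     "message": "The audit log was cleared."},
    {"time": "2024-08-12T03:21:41Z", "host": "db-srv-01", "channel": "System",
     "event_id": 104, "subject": "SVC_SQL",
     "message": "The System log file was cleared."},
    {"time": "2024-08-12T09:00:00Z", "host": "web-01", "channel": "Security",
     "event_id": 4634, "subject": "jdoe",
     "message": "An account was logged off."},
]

# (channel, event id) pairs Windows itself records when a log is cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


@dataclass(frozen=True)
class Finding:
    host: str
    time: str
    subject: str
    channel: str
    event_id: int


def find_log_clearing(events):
    """Return a Finding for every event that records a cleared log, in input order."""
    findings = []
    for ev in events:
        if (ev.get("channel"), ev.get("event_id")) in LOG_CLEARED_IDS:
            findings.append(Finding(
                host=ev["host"],
                time=ev["time"],
                subject=ev.get("subject", "<unknown>"),
                channel=ev["channel"],
                event_id=ev["event_id"],
            ))
    return findings


def group_by_host(findings):
    """Count clear events per host so wiped machines stand out at a glance."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_log_clearing(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.time} {f.host} {f.channel}/{f.event_id} cleared by {f.subject}")
    print("per host:", group_by_host(hits))
```

Because the clear itself is logged by the operating system, forwarding Security and System channels to a collector the compromised host cannot reach makes this one of the more reliable signals that post-exploitation cleanup took place, even when the original activity was wiped.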

Alarmingly Effective Ransomware Tactics

One particularly troubling aspect of Earth Lamia’s operations is their use of Mimic ransomware. Although attempts to deploy this ransomware against Indian entities have mostly been thwarted, the mere staging of ransomware binaries raises concerns about their future capabilities. An analysis from August 2024 indicated that while the group attempted to execute this ransomware, they often deleted these binaries after deployment, suggesting a trial-and-error approach to refining their methods.

Exploiting Vulnerabilities: A Technical Overview

Recent findings by EclecticIQ highlighted that Earth Lamia is among several cyber espionage groups taking advantage of CVE-2025-31324, a serious unauthenticated file upload vulnerability in SAP NetWeaver. This exploitation allows them to establish a reverse shell to infrastructure they control. In addition to this vulnerability, reports indicate that the group has weaponized up to eight different vulnerabilities to compromise various public-facing servers.

Trend Micro noted the group’s adaptability and ongoing activity, which underscores its status as a "highly active" threat. Once primarily focused on the financial sector, Earth Lamia has turned its attention towards logistics and online retail, showing an ability to shift strategies quickly to capitalize on new targets.

Custom Backdoors and Malware Development

One of the more concerning strategies employed by Earth Lamia involves the use of custom backdoors, notably one named PULSEPACK. This modular .NET implant is loaded by side-loading dynamic-link libraries (DLLs), a method frequently associated with Chinese hacking groups. PULSEPACK communicates with a remote server to download various plugins, enabling it to adapt its functionality to the target environment.

Recently, Trend Micro observed updates to this backdoor, altering its command-and-control communication from TCP to WebSocket. This evolution in their malware reflects ongoing development efforts and the group’s commitment to refining their attack strategies.

Conclusion: A Call for Vigilance

The coordinated efforts of Earth Lamia across multiple industries highlight the increasing complexity and danger posed by modern cyber threats. With the constant evolution of their tactics and tools, businesses must prioritize cybersecurity and implement robust defenses to protect their data and infrastructure. The activities of groups like Earth Lamia serve as a stark reminder of the ever-present risks in today’s interconnected digital world.

For organizations looking to stay ahead of such threats, investing in comprehensive cybersecurity strategies and staying informed about emerging vulnerabilities is essential in this battle against cybercrime.
