Rising Cyber Threats: The Impact of Earth Lamia on Businesses Worldwide
Over recent months, a China-linked threat actor tracked as Earth Lamia has been exploiting a critical vulnerability in SAP NetWeaver, adding it to a campaign of targeted intrusions against organizations in Brazil, India, and Southeast Asia that has been running since at least 2023.
Understanding the Threat Actor: Earth Lamia
Trend Micro researchers, including Joseph C. Chen, have analyzed Earth Lamia's tradecraft. The group's preferred entry point is SQL injection in public-facing web applications, which it uses to reach the SQL servers behind them. It also exploits a range of known vulnerabilities to take control of internet-exposed servers, widening its reach across sectors.
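To make the entry point concrete, the following added example (not code from Trend Micro's report or from any Earth Lamia tooling) shows a login query built by string concatenation beside its parameterized equivalent. sqlite3 stands in for the SQL Server the page describes; the table, rows and the injection payload are all constructed for the demonstration.

```python
import sqlite3
from typing import Dict, List

# Constructed seed data for the example; nothing here comes from the report.
SEED_ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for an internet-exposed SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    # String concatenation: attacker-controlled input becomes SQL syntax.
    # With password = "' OR '1'='1" the WHERE clause collapses to
    # ... AND password = '' OR '1'='1'  and every row matches.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    # Parameterised query: input is bound as data and never parsed as SQL,
    # so the same payload is just a password that matches nobody.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> Dict[str, List[str]]:
    """Run a legitimate login and an injection attempt against both versions."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "inject_vuln": login_vulnerable(conn, "x", payload),
        "legit_hard": login_hardened(conn, "alice", "s3cret"),
        "inject_hard": login_hardened(conn, "x", payload),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:12s} -> {names}")
```

The vulnerable path returns all three users for the injected input, the hardened path returns none. The same injection point on a production database server is what lets an attacker pivot from the web application to the server itself, which is why the page links SQL injection directly to SQL server access.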
Recent reporting shows the group's targeting has broadened from financial institutions to logistics, online retail, IT companies, universities, and government organizations, which makes hardening of public-facing services more urgent than ever.
Target Range: A Global Concern
Earth Lamia's activity spans multiple countries in Southeast Asia, frequently Indonesia, Malaysia, the Philippines, Thailand, and Vietnam, alongside Brazil and India. Intrusions commonly begin at internet-exposed Microsoft SQL Servers, which the group uses to perform reconnaissance, deploy post-exploitation tools, and build proxy tunnels into victim networks.
The group's tradecraft goes well beyond a single exploit. Its post-exploitation tooling mixes public offensive tools with built-in utilities: GodPotato and JuicyPotato to escalate privileges on Windows hosts, Fscan and Kscan to scan and assess the internal network, and legitimate Windows tools to clear logs and remove traces of activity.
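The tool names above are the easiest thing for a defender to key on, but they are also the easiest thing for an operator to change, so the following added detection example (not from Trend Micro and not tied to any specific Earth Lamia sample) matches on command-line shape as well as image name. The process-creation events are constructed; the `-cmd` and `-h` argument patterns, and the use of wevtutil as the "legitimate Windows tool" that clears event logs, are assumptions made for the example, not details the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tool names the page attributes to Earth Lamia. Binaries are trivially
# renamed, so this set is only the first of several checks.
KNOWN_TOOL_IMAGES = {"godpotato.exe", "juicypotato.exe", "fscan.exe", "kscan.exe"}

# Assumption: log clearing modelled as wevtutil with its clear-log verb.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
# Assumption: Potato-family tools take the command to run elevated via -cmd,
# and fscan/kscan take a target range via -h followed by an IP or CIDR.
POTATO_ARGS_RE = re.compile(r"\s-cmd\s+", re.I)
SCANNER_ARGS_RE = re.compile(r"\s-h\s+\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    cmdline: str


def classify(image: str, cmdline: str) -> Optional[str]:
    """Return the name of the first matching rule, or None."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in KNOWN_TOOL_IMAGES:
        return "known_tool_name"
    if LOG_CLEAR_RE.search(cmdline):
        return "event_log_cleared"
    if POTATO_ARGS_RE.search(cmdline):
        return "potato_style_args"
    if SCANNER_ARGS_RE.search(cmdline):
        return "scanner_style_args"
    return None


def scan_events(events: List[Dict]) -> List[Finding]:
    """Apply the rules to process-creation telemetry (pid, image, cmdline)."""
    findings = []
    for ev in events:
        rule = classify(ev["image"], ev["cmdline"])
        if rule:
            findings.append(Finding(ev["pid"], rule, ev["cmdline"]))
    return findings


# Constructed sample events shaped like process-creation telemetry. The
# renamed Potato binary (gp.exe) is caught only by its argument pattern.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 202, "image": r"C:\Users\Public\gp.exe",
     "cmdline": 'gp.exe -cmd "cmd /c whoami"'},
    {"pid": 303, "image": r"C:\Temp\fscan.exe",
     "cmdline": "fscan.exe -h 10.0.0.0/24"},
    {"pid": 404, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"pid": 505, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Security /c:5"},   # a query, not a clear
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} cmdline={f.cmdline!r}")
```

Note that the benign wevtutil query (pid 505) is not flagged: the rule is keyed on the clear-log verb, not on the utility name, which keeps administrators' routine log queries out of the alert stream.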
Ransomware Attempts Using Mimic
One troubling aspect of Earth Lamia's operations is its staging of Mimic ransomware. Attempts to deploy it against Indian entities have mostly failed, but the presence of ransomware binaries in an intrusion set otherwise focused on espionage raises questions about the group's future intent. Analysis of activity from August 2024 showed the group attempting to execute the ransomware and then deleting the binaries, which is consistent with unsuccessful or abandoned attempts rather than an established capability.
Exploiting Vulnerabilities: A Technical Overview
EclecticIQ reported that Earth Lamia is among several cyber espionage groups exploiting CVE-2025-31324, an unauthenticated file upload vulnerability in SAP NetWeaver. Successful exploitation lets the attackers run code on the server and establish a reverse shell to infrastructure they control. Beyond this flaw, the group has weaponized as many as eight other vulnerabilities to compromise public-facing servers.
Trend Micro describes Earth Lamia as "highly active" and adaptable. Once focused mainly on the financial sector, the group has moved on to logistics and online retail, shifting quickly as new targets become reachable.
Custom Backdoors and Malware Development
A more concerning development is the group's custom backdoor, PULSEPACK. This modular .NET implant is launched through DLL side-loading, a technique frequently associated with Chinese hacking groups, and it retrieves plugins from a remote server so that its functionality can be tailored to each target environment.
Trend Micro recently observed an updated PULSEPACK variant that switched its command-and-control channel from raw TCP to WebSocket. Because a WebSocket session starts as an ordinary HTTP request and then upgrades, the traffic blends more easily into normal web activity; the change also shows that the tooling is still under active development.
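The switch to WebSocket matters because the handshake is plain HTTP, so a proxy or NDR sensor has to look for the upgrade itself. The following added example (not from Trend Micro and not derived from PULSEPACK traffic) parses raw HTTP request heads, recognises the RFC 6455 upgrade handshake, and flags upgrades to hosts outside an allowlist. The allowlist, the sample requests and the extra "bare IP" and "missing Origin" signals are constructed assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumed allowlist of hosts where outbound WebSocket upgrades are expected.
ALLOWED_WS_HOSTS = {"collab.example-corp.internal", "ws.trusted-vendor.com"}


def parse_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.1 request head into method/path plus lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    req = {"method": method, "path": path}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            req[key.strip().lower()] = value.strip()
    return req


def is_websocket_upgrade(req: Dict[str, str]) -> bool:
    """RFC 6455 client handshake: GET, Upgrade: websocket, Connection: Upgrade, a key."""
    return (req["method"] == "GET"
            and req.get("upgrade", "").lower() == "websocket"
            and "upgrade" in req.get("connection", "").lower()
            and "sec-websocket-key" in req)


def _is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_upgrade(req: Dict[str, str]) -> Optional[str]:
    """Return a reason string for an upgrade worth a look, or None."""
    if not is_websocket_upgrade(req):
        return None
    host = req.get("host", "").split(":")[0].lower()
    if host in ALLOWED_WS_HOSTS:
        return None
    reasons = ["host not allowlisted"]
    # Browsers almost always connect by name and send Origin; a .NET implant
    # talking to its own server need do neither. Both are heuristics.
    if _is_bare_ip(host):
        reasons.append("host is a bare IP")
    if "origin" not in req:
        reasons.append("no Origin header")
    return "; ".join(reasons)


def triage(raw_requests: List[str]) -> List[str]:
    """Run every request through the check and keep only the flagged ones."""
    results = (suspicious_upgrade(parse_request(raw)) for raw in raw_requests)
    return [reason for reason in results if reason]


# Constructed sample requests: a legitimate upgrade, an upgrade straight to an
# IP with no Origin, and a plain page fetch that is not a handshake at all.
SAMPLE_REQUESTS = [
    "GET /chat HTTP/1.1\r\nHost: collab.example-corp.internal\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    "Origin: https://collab.example-corp.internal\r\n\r\n",
    "GET /ws HTTP/1.1\r\nHost: 203.0.113.25:8080\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\nSec-WebSocket-Version: 13\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 203.0.113.25\r\nConnection: keep-alive\r\n\r\n",
]

if __name__ == "__main__":
    for reason in triage(SAMPLE_REQUESTS):
        print("flagged:", reason)
```

Only the second request is flagged. In practice the allowlist approach works best for outbound traffic from servers, where legitimate WebSocket use is rare and enumerable; on user workstations the heuristics would need tuning against browser-originated upgrades.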
Conclusion: A Call for Vigilance
Earth Lamia's activity across multiple industries illustrates how quickly a capable intrusion set can move between initial access vectors, from SQL injection to a freshly disclosed SAP NetWeaver flaw, and between objectives, from espionage to ransomware experiments. Organizations that expose SQL Server, SAP NetWeaver, or other application servers to the internet should patch them promptly, restrict direct exposure where possible, and monitor for the post-exploitation tooling described above.
Staying ahead of groups like this comes down to disciplined exposure management and timely awareness of newly exploited vulnerabilities rather than any single product.