Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services

October 28, 2024 at 01:45PM

Evasive Panda, a China-linked cyber espionage group, deployed a new toolset, CloudScout, against Taiwanese government and religious organizations. This .NET-based malware extracts data from cloud services by hijacking authenticated sessions with stolen browser cookies. ESET noted that the malware's modular design includes dedicated modules for accessing Google Drive, Gmail, and Outlook.

### Meeting Takeaways: Cybersecurity Update on Evasive Panda and CloudScout

– **Date:** October 28, 2024
– **Presenter:** Ravie Lakshmanan
– **Focus:** Cloud Security / Cyber Attack

#### Key Insights:
1. **Threat Actor:** Evasive Panda, linked to China, is a cyber espionage group also identified as Bronze Highland, Daggerfly, and StormBamboo. They target entities in Taiwan and Hong Kong, employing sophisticated attack strategies.

2. **Recent Attack:** A government body and a religious organization in Taiwan fell victim to Evasive Panda, which deployed a new tool named **CloudScout**.

3. **CloudScout Toolset:**
– Activity detected between May 2022 and February 2023.
– Built on a .NET-based framework with 10 modules, three of which are designed to extract data from Google Drive, Gmail, and Outlook respectively.
– Relies on a set of custom libraries, referred to as **CommonUtilities**, instead of available open-source options, which gives the operators more flexibility.

4. **Attack Mechanism:**
– CloudScout hijacks authenticated sessions with a **pass-the-cookie** technique: session cookies stolen from the victim's browser are replayed to the cloud service, which treats whoever presents them as the logged-in user, so no password or second factor is needed.
– The data collected (including emails and specific file types) is compressed and handed to other malware (MgBot or Nightdoor) for exfiltration.

5. **Security Response:** Google is introducing new security measures, such as Device Bound Session Credentials (DBSC) and App-Bound Encryption, which may mitigate the effectiveness of cookie-theft methodologies like those used by CloudScout.
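To make the pass-the-cookie mechanism in point 4 and the device-binding mitigation in point 5 concrete, the following is an added illustration written for this summary; it is not code from ESET, Google, or the CloudScout toolset. It models a toy in-memory service in two modes: a classic bearer-cookie mode, where a copied cookie alone grants access, and a bound mode in the spirit of Device Bound Session Credentials, where each request must also carry a fresh proof of possession of a key that never leaves the device. The proof uses HMAC with a per-session device secret as a stand-in for the asymmetric, TPM-held key that DBSC actually uses, and the client fingerprints and requests are constructed sample data. It also shows the detection angle: a session cookie that appears from more than one client fingerprint is flagged.

```python
"""Device-bound session credentials versus pass-the-cookie (added illustration).

Assumptions: an in-memory server, HMAC with a per-session device secret as a
stand-in for DBSC's asymmetric device key, and constructed client fingerprints.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict


class Server:
    """Minimal session store that serves requests in two modes."""

    def __init__(self):
        self.sessions = {}      # cookie -> {"user": str, "device_key": bytes}
        self.pending = set()    # single-use challenges handed out to clients
        self.access_log = []    # (cookie fingerprint, client fingerprint)

    def login(self, user, device_key):
        """Issue a session cookie and remember the device key bound to it."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "device_key": device_key}
        return cookie

    def challenge(self):
        """Fresh single-use nonce that the client must sign with its device key."""
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return nonce

    def _log(self, cookie, client_fp):
        # Log a truncated hash of the cookie, never the cookie value itself.
        cookie_fp = hashlib.sha256(cookie.encode()).hexdigest()[:12]
        self.access_log.append((cookie_fp, client_fp))

    def legacy_request(self, cookie, client_fp):
        """Bearer cookie: whoever presents the cookie is treated as the user."""
        self._log(cookie, client_fp)
        sess = self.sessions.get(cookie)
        return f"mailbox of {sess['user']}" if sess else "denied"

    def bound_request(self, cookie, client_fp, nonce, proof):
        """Cookie plus a fresh proof of possession of the bound device key."""
        self._log(cookie, client_fp)
        sess = self.sessions.get(cookie)
        if sess is None or nonce not in self.pending:
            return "denied"
        self.pending.discard(nonce)  # each challenge is accepted exactly once
        expected = sign_challenge(sess["device_key"], nonce, cookie)
        if not hmac.compare_digest(expected, proof):
            return "denied"
        return f"mailbox of {sess['user']}"

    def cookies_seen_from_multiple_clients(self):
        """Detection: session cookies presented from more than one client fingerprint."""
        seen = defaultdict(set)
        for cookie_fp, client_fp in self.access_log:
            seen[cookie_fp].add(client_fp)
        return {c for c, fps in seen.items() if len(fps) > 1}


def sign_challenge(device_key, nonce, cookie):
    """Proof computed by the legitimate client with the key held on its device."""
    return hmac.new(device_key, f"{nonce}:{cookie}".encode(), hashlib.sha256).hexdigest()


def demo():
    server = Server()
    device_key = secrets.token_bytes(32)    # stays on the victim's device
    cookie = server.login("alice", device_key)
    victim_fp = "10.0.0.5|Firefox/130"      # constructed fingerprint of the real client
    other_fp = "203.0.113.9|curl/8.6"       # constructed fingerprint of a second client

    results = {}
    # Legitimate use from the original device works in both modes.
    results["victim_legacy"] = server.legacy_request(cookie, victim_fp)
    nonce = server.challenge()
    results["victim_bound"] = server.bound_request(
        cookie, victim_fp, nonce, sign_challenge(device_key, nonce, cookie))

    # The same cookie presented from a different client, without the device key.
    results["copied_cookie_legacy"] = server.legacy_request(cookie, other_fp)
    nonce = server.challenge()
    results["copied_cookie_bound"] = server.bound_request(
        cookie, other_fp, nonce, sign_challenge(b"not-the-device-key", nonce, cookie))

    # Replaying a previously valid proof also fails because its nonce was consumed.
    nonce = server.challenge()
    proof = sign_challenge(device_key, nonce, cookie)
    server.bound_request(cookie, victim_fp, nonce, proof)
    results["replayed_proof"] = server.bound_request(cookie, other_fp, nonce, proof)

    # The cookie was seen from two fingerprints, so the detector flags that session.
    results["flagged_sessions"] = len(server.cookies_seen_from_multiple_clients())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The legacy mode is exactly the weakness pass-the-cookie relies on: the cookie is the whole credential. In the bound mode the copied cookie is worthless without the device key, and a captured proof cannot be replayed because the challenge is single-use. The fingerprint check is a coarse detection that complements binding rather than replacing it, since legitimate users do change networks and browsers.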

6. **Wider Context:** Recent reports from the Government of Canada highlight a state-sponsored cyber threat targeting multiple domains, including government and critical infrastructure sectors.

#### Action Items:
– Stay informed about developments in cybersecurity threats, especially those linked to state-sponsored actors.
– Evaluate current security protocols in light of new attack methodologies to enhance cloud security defenses.
– Consider the implications of enhanced security measures from cloud service providers and how they affect existing vulnerabilities.

#### Conclusion:
The meeting provided critical insights into the evolving landscape of cyber threats, emphasizing the need for vigilance and proactive measures in cybersecurity strategy and response.
