MirrorFace Hackers Target EU Diplomats Using Expo Bait
MirrorFace Targets EU Diplomatic Organization: A New Chapter in Cyber Threats
In a significant development in the cybersecurity landscape, the China-aligned hacking group known as MirrorFace has been observed targeting a diplomatic organization within the European Union. This marks the first instance of this notorious threat actor extending its operations into European territory. According to ESET’s recent APT Activity Report covering April to September 2024, this incident highlights a concerning trend as MirrorFace continues to evolve its tactics while maintaining a focus on Japan and related events, notably the upcoming World Expo in Osaka in 2025.
Understanding MirrorFace: The New Wave of Cyber Threats
MirrorFace, also referred to as Earth Kasha, is part of a broader group known as APT10, which includes other clusters like Earth Tengshe and Bronze Starlight. Since its emergence, the group has primarily targeted Japanese organizations, with operations dating back to 2019. However, a recent campaign has seen its reach expand to include Taiwan and India, showcasing the group’s adaptability and growing ambitions.
Key malware tools used by MirrorFace:
- ANEL (also known as UPPERCUT)
- LODEINFO
- NOOPDOOR (also referred to as HiddenFace)
- MirrorStealer (a credential-stealing tool)
The Latest Attack: Spear-Phishing and Malware Deployment
In the latest detected attack, a victim received a spear-phishing email containing a deceptive link to a ZIP archive titled "The EXPO Exhibition in Japan in 2025.zip," hosted on Microsoft OneDrive. The ZIP file contained a Windows shortcut file that, when executed, initiated a malware infection sequence deploying both ANEL and NOOPDOOR.
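The lure described above is a ZIP archive carrying a Windows shortcut, so a gateway or sandbox can flag that shape before a user ever clicks. The check below is an added example, not code from the article, ESET or Trend Micro: it opens a ZIP in memory and reports members that are shortcuts either by extension or by the MS-SHLLINK header bytes (the header constant is real; the archive, member names and shortcut bytes are constructed for the demo).

```python
import io
import zipfile

# Real constant from the MS-SHLLINK spec: HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, as stored on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def scan_zip(data: bytes) -> list:
    """Return one finding per archive member that is a Windows shortcut.

    A member is flagged when its name ends in .lnk OR when its first 20 bytes
    are the shell-link header; the second test catches shortcuts that were
    renamed to look like a document (e.g. 'agenda.pdf' with LNK content).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "member": info.filename,
                    "lnk_extension": by_ext,
                    "lnk_header": by_magic,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the real lure): a shortcut named after
    the reported bait, a renamed shortcut, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("The EXPO Exhibition in Japan in 2025.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("agenda.pdf", LNK_MAGIC + b"\x00" * 40)  # shortcut with a document name
        zf.writestr("readme.txt", b"plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Flagging on the header rather than the extension alone is the part that matters, since a shortcut keeps its behaviour no matter what it is named.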
ESET noted the resurgence of ANEL, which had been dormant since early 2019, making its reappearance particularly noteworthy. Reviving a long-dormant tool alongside a newer implant shows a crew that keeps refining its toolkit to get past security measures.
Broader Context: China-Aligned Threat Actors on the Rise
This incident is part of a larger pattern in which China-affiliated threat actors, including groups such as Flax Typhoon, Granite Typhoon, and Webworm, use open-source tools like SoftEther VPN to maintain persistent access to compromised networks. A recent report from Bloomberg revealed that the China-linked Volt Typhoon had breached Singapore Telecommunications (Singtel) as part of a larger campaign targeting critical infrastructure.
Telecommunication providers in the U.S., such as AT&T and Verizon, have also become targets of another Chinese nation-state group known as Salt Typhoon. These coordinated attacks are designed to infiltrate sensitive communications channels used by U.S. officials, demonstrating the extensive reach and ambition of these cyber adversaries.
Emerging Threats: New Vulnerabilities Exploited by MirrorFace
According to an analysis published by Trend Micro on November 19, 2024, MirrorFace has begun weaponizing security vulnerabilities in various enterprise products. Key vulnerabilities include:
- Array AG (CVE-2023-28461)
- Proself (CVE-2023-45727)
- Fortinet FortiOS/FortiProxy (CVE-2023-27997)
After exploiting these vulnerabilities for initial access, the group deploys multiple backdoors, including Cobalt Strike, LODEINFO, and the newly identified NOOPDOOR. This sophisticated implant operates using a dual-channel communication method, employing different encryption algorithms for active and passive modes, further complicating detection and mitigation efforts.