Type: Campaign
Actors: Earth Kasha
Pub. date: November 19, 2024
Initial access: 1-day vulnerability
Impact: Data exfiltration
Observed techniques:
Observed tools: LODEINFO, NOOPDOOR, MirrorStealer
Status: Finalized
Last edited: Nov 19, 2024 3:52 PM
Researchers discovered a new campaign by Earth Kasha, a threat group that has targeted Japan, Taiwan, and India since 2019 and is associated with the broader APT10 umbrella. The campaign, active since 2023, uses updated TTPs: initial access is gained by exploiting already-patched (1-day) vulnerabilities in internet-facing appliances, including CVE-2023-27997 in FortiOS/FortiProxy. Once inside, Earth Kasha deploys a combination of malware (LODEINFO, NOOPDOOR, and MirrorStealer) to maintain persistence, steal credentials, and exfiltrate sensitive data. The group's activity overlaps with campaigns by other China-linked actors, such as Earth Tengshe and Volt Typhoon, suggesting possible sharing of 0-day exploits or the use of a common third-party access broker.