Earth Kasha’s Campaign Exploiting Fortinet Vulnerability

Researchers discovered a new campaign by Earth Kasha, a threat group targeting Japan, Taiwan, and India since 2019, with connections to the broader APT10 umbrella. This recent campaign, beginning in 2023, employs updated TTPs, including exploiting vulnerabilities like CVE-2023-27997 (FortiOS/FortiProxy) for initial access. Earth Kasha uses a combination of malware, such as LODEINFO, NOOPDOOR, and MirrorStealer, to achieve persistence, steal credentials, and exfiltrate sensitive data. The group’s activities demonstrate overlaps with campaigns by other China-linked actors like Earth Tengshe and Volt Typhoon, suggesting potential 0-day sharing or third-party access brokers.