Chinese Hacking Group ‘Earth Lamia’ Targets Multiple Industries

A Chinese threat actor known as Earth Lamia has been exploiting web application vulnerabilities, mainly SQL injection flaws, to target organizations across multiple sectors globally. The group's operations involve deploying backdoors, creating admin accounts, and establishing persistent access, and they are connected to other espionage campaigns. #EarthLamia #SQLInjection #ChineseThreatActor
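Because SQL injection is the initial-access vector highlighted above, the following added example (not code from the report or from any Earth Lamia tooling) shows the defect class side by side with its fix. It uses Python's standard-library `sqlite3` against a constructed in-memory `users` table; the table, the account names and the `lookup_*` function names are assumptions made for illustration.

```python
import sqlite3


def build_db():
    """Create a constructed sample database: two accounts, one of them admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: user input is pasted into the SQL text.

    Anything the caller supplies is parsed as SQL, so a quote in the input
    changes the meaning of the WHERE clause and can return every row.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value travels as a bound parameter.

    The SQL text is fixed at development time; the driver passes the input
    as data, so the same hostile string simply matches no username.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    hostile = "' OR '1'='1"  # constructed test input containing a quote
    print("vulnerable:   ", lookup_vulnerable(conn, hostile))
    print("parameterized:", lookup_parameterized(conn, hostile))
```

Running the block shows the vulnerable query returning both accounts for the quoted input while the parameterized query returns none. In a code review, any query built with string formatting or concatenation from request data is the pattern to flag; bound parameters (or an ORM that emits them) are the fix, and web server logs showing quotes or SQL keywords inside parameters are the corresponding detection signal.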

Key points

  • Earth Lamia has been active since at least 2023, focusing on various industries such as finance, government, and IT.
  • The group exploits known vulnerabilities, including CVE-2017-9805 (Apache Struts) and CVE-2024-9047 (WordPress), to gain initial access.
  • Once inside, they deploy webshells, escalate privileges, and establish persistence through custom backdoors and account creation.
  • The threat actors use legitimate utilities, open-source tools, and custom loaders to execute malicious shellcode such as Cobalt Strike payloads.
  • Earth Lamia is linked to wider espionage campaigns including REF0657 and the Chinese threat actor DragonRank, targeting multiple countries and sectors.

Read More: https://www.securityweek.com/chinese-hacking-group-earth-lamia-targets-multiple-industries/