Stolen session tokens can wreak havoc on your data. The Chinese-linked threat actor Evasive Panda is targeting government entities and a religious organization in Taiwan using a previously undocumented toolset called CloudScout.
What is CloudScout?
According to ESET security researcher Anh Ho, CloudScout works by leveraging stolen web session cookies to access data from cloud services. CloudScout operates as a plugin that integrates seamlessly with MgBot, Evasive Panda’s main malware framework. Between May 2022 and February 2023, CloudScout was used to steal data from platforms such as Google Drive, Gmail, and Outlook.
Evasive Panda, known for cyber espionage across Taiwan and Hong Kong, uses various methods to gain initial access to victims’ systems, exploiting security flaws to deploy its malware. CloudScout hijacks authenticated browser sessions by stealing user cookies, then accessing Google Drive, Gmail, and Outlook through MgBot’s malicious plugin. Collected information is then compressed into a ZIP archive for exfiltration.
How to fight back
Fortunately, new security mechanisms such as Google’s Device Bound Session Credentials (DBSC) and App-Bound Encryption offer defenses against cookie-theft malware.
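The attack described above works because a web server treats whoever presents a valid session cookie as the authenticated user, regardless of which machine sends it. Until device-bound credentials such as DBSC are deployed everywhere, a detective control is to watch for a session cookie being presented from a client fingerprint different from the one that established the session. The following is an added example, not code from the original post or from ESET: it parses a handful of constructed access-log lines (the log format, session ids, IP addresses and user agents are all invented for illustration) and flags requests where the session id is reused from a new IP and user agent.

```python
import re
from dataclasses import dataclass

# Constructed sample web-access log lines (invented for this example, not from
# the post): timestamp, session-cookie id, client IP, user agent, request path.
# Session a1f3 is established by a browser and later replayed from a different
# host with a scripting client; session b7c9 stays on its original client.
SAMPLE_LOG = """\
2023-01-10T09:00:01Z sid=a1f3 ip=203.0.113.10 ua="Chrome/108 Windows" path=/login
2023-01-10T09:02:14Z sid=a1f3 ip=203.0.113.10 ua="Chrome/108 Windows" path=/mail/inbox
2023-01-10T09:40:52Z sid=a1f3 ip=198.51.100.77 ua="python-requests/2.28" path=/drive/files
2023-01-10T09:41:03Z sid=a1f3 ip=198.51.100.77 ua="python-requests/2.28" path=/drive/download
2023-01-10T10:05:30Z sid=b7c9 ip=192.0.2.5 ua="Firefox/109 macOS" path=/login
2023-01-10T10:06:11Z sid=b7c9 ip=192.0.2.5 ua="Firefox/109 macOS" path=/mail/inbox
"""

# Hypothetical log layout used only by this example.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


@dataclass
class SessionState:
    """Client fingerprint recorded when a session id is first seen."""
    first_ip: str
    first_ua: str
    requests: int = 0


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_session_reuse(log_text):
    """Return one alert per request in which a known session id is presented from
    a client fingerprint (IP address and/or user agent) that differs from the
    fingerprint that established the session. A stolen cookie replayed from the
    attacker's infrastructure shows up as a mismatch on both fields."""
    sessions = {}
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip malformed lines rather than failing the whole run
        state = sessions.get(ev["sid"])
        if state is None:
            # First sighting: remember the fingerprint that created the session.
            sessions[ev["sid"]] = SessionState(ev["ip"], ev["ua"])
            continue
        state.requests += 1
        mismatches = []
        if ev["ip"] != state.first_ip:
            mismatches.append(f"ip {state.first_ip} -> {ev['ip']}")
        if ev["ua"] != state.first_ua:
            mismatches.append(f"ua {state.first_ua!r} -> {ev['ua']!r}")
        if mismatches:
            alerts.append({
                "ts": ev["ts"],
                "sid": ev["sid"],
                "path": ev["path"],
                "reason": "; ".join(mismatches),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(f"{alert['ts']} session {alert['sid']} {alert['path']}: {alert['reason']}")
```

Run against the constructed log, the check raises two alerts, both for session a1f3 once it moves to the second host; session b7c9 never triggers. In production the IP alone is a noisy signal (mobile networks and VPNs change addresses legitimately), so alert on the combination of IP and user-agent changes, or weight the user-agent change more heavily, and treat a hit on a data-access path such as a drive or mailbox endpoint as the higher-priority case. This is a detective layer only; DBSC addresses the root cause by binding the session to a key held on the device, so the cookie by itself no longer proves anything.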
As the above indicates, hackers are always looking for new ways into organizational systems and often use trusted vectors such as email and apps to do so. Interested in learning how to protect your organization in today’s evolving threat landscape? Join us on November 12th from 2-4:30 p.m. at 10 Barrel Eastside in Bend, Oregon, for an interactive cybersecurity workshop. We’ll explore scenarios, share prevention tips, and offer essential insights for staying secure.