Cloud Security Risks Escalate with the Emergence of MURKY PANDA, a Threat to Trusted Relationships in the Cloud
MURKY PANDA, a sophisticated China-nexus adversary, has been identified as a significant threat to organizations across multiple sectors. It targets cloud environments, compromises high-profile targets, and is driven by intelligence-collection requirements. What distinguishes its tradecraft is trusted-relationship compromise: rather than breaching a victim directly, the adversary compromises a provider that already holds privileged access to the victim's tenant and then uses that access.
In at least two cases the compromised SaaS provider was Zoho. Leveraging a compromised user account, MURKY PANDA temporarily created a new user in a downstream victim's Entra ID tenant and added that user to several preexisting groups. One of those groups granted the privileges needed to add secrets to preexisting service principals and application registrations, and the adversary used them to backdoor service principals that already held permission to read email. With control of the newly added secrets, MURKY PANDA authenticated as those service principals and thereby escalated to their privileges. This gave it a second persistence point in the victim tenant that does not depend on the temporary user: deleting that user does not evict an adversary who still holds a valid secret for a mail-reading service principal.
Organizations that rely heavily on cloud environments are inherently exposed to trusted-relationship compromise, because a Microsoft Cloud Solution Provider (CSP) or SaaS vendor with delegated administrative access can reach into the customer tenant. To mitigate this risk, audit Microsoft CSP accounts for the addition of new users, closely monitor devices prone to exploitation, and investigate unusual login activity.
To improve visibility, enable Microsoft Graph activity logs. They record which resources were accessed through Microsoft Graph and which service principal accessed them, which is exactly the evidence needed to catch a backdoored service principal reading mail. Hunt for service principal activity that deviates from the principal's expected function, such as a service principal that has no business reading email suddenly requesting mailbox contents.
Analyze the sign-in patterns of the Entra ID tenant's service principals and treat deviations from their regular schedule as suspicious. Audit service principal credentials, particularly newly added ones: a secret added to a long-standing service principal outside a documented change is the artifact this intrusion leaves behind. Hunt for service principal sign-ins from unexpected networks, since an adversary authenticating with a stolen secret does so from its own infrastructure rather than from the application's usual hosting.
Regularly update software in the cloud environment so that vulnerabilities are patched promptly. This includes keeping all edge devices at a recent software level and following vendor guidance, since exploitation of such devices is another route into the environment.
MURKY PANDA continues to leverage sophisticated tradecraft in support of its espionage operations, targeting numerous sectors globally. Following the steps above helps organizations detect and disrupt this activity and maintain the security of their cloud environments.
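The hunts recommended above (newly added service principal credentials, service principal sign-ins from unexpected networks or off their usual schedule, and Graph calls that read mailboxes from principals that should not) can be expressed as simple filters over exported Entra ID telemetry. The following is an added example written for this article, not code from the original report or from any vendor. All records are constructed; the field names approximate the AuditLogs, AADServicePrincipalSignInLogs and MicrosoftGraphActivityLogs tables as exported from Log Analytics (simplified, with the service principal name used as the join key), and the tenant, service principal names, addresses and CIDR are placeholders. The two OperationName strings are the Entra ID activity names for these credential events as the author understands them; verify them against your own tenant's export before relying on them.

```python
"""Hunting for MURKY PANDA-style service principal abuse in Entra ID telemetry.

Added example, not code from the original article. Sample records are
constructed; field names approximate Log Analytics exports of AuditLogs,
AADServicePrincipalSignInLogs and MicrosoftGraphActivityLogs (simplified),
so the same logic translates directly to KQL.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample telemetry (hypothetical tenant, placeholder names) ---
AUDIT_LOGS = [
    {"TimeGenerated": "2025-07-03T02:14:09Z", "OperationName": "Add service principal credentials",
     "InitiatedBy": "tmp-user@victim.example", "Target": "Mail Sync Connector"},
    {"TimeGenerated": "2025-07-03T02:16:41Z",
     "OperationName": "Update application - Certificates and secrets management",
     "InitiatedBy": "tmp-user@victim.example", "Target": "HR Reporting App"},
    {"TimeGenerated": "2025-05-20T09:00:00Z", "OperationName": "Add service principal credentials",
     "InitiatedBy": "platform-admin@victim.example", "Target": "Backup Agent"},
]
SP_SIGNINS = [
    {"TimeGenerated": "2025-07-03T02:20:05Z", "ServicePrincipalName": "Mail Sync Connector", "IPAddress": "203.0.113.77"},
    {"TimeGenerated": "2025-07-03T03:00:00Z", "ServicePrincipalName": "Backup Agent", "IPAddress": "10.20.0.15"},
    {"TimeGenerated": "2025-07-03T14:00:00Z", "ServicePrincipalName": "Mail Sync Connector", "IPAddress": "10.20.0.40"},
]
GRAPH_ACTIVITY = [
    {"ServicePrincipalName": "Mail Sync Connector", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/users/ceo@victim.example/messages?$top=50"},
    {"ServicePrincipalName": "HR Reporting App", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/users/ceo@victim.example/mailFolders/inbox/messages"},
    {"ServicePrincipalName": "HR Reporting App", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/users?$select=displayName"},
]
NOW = datetime(2025, 7, 4, tzinfo=timezone.utc)  # "current time" of the constructed sample
EXPECTED_CIDRS = ["10.20.0.0/16"]                 # where the tenant's apps actually run (assumed)
BASELINE_HOURS = {"Mail Sync Connector": set(range(8, 20))}  # UTC hours the SP normally signs in
SPS_EXPECTED_TO_READ_MAIL = {"Mail Sync Connector"}

# Entra ID activity names for credential additions to SPs and app registrations.
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application - Certificates and secrets management"}
# Graph paths that return mailbox contents (/users/{id}/messages, /me/mailFolders/...).
MAIL_URI = re.compile(r"/(users/[^/?]+|me)/(messages|mailFolders)\b", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_credentials(audit_logs, now, lookback=timedelta(days=30)):
    """Secrets or certificates added to SPs/app registrations in the lookback window.
    Every hit should be matched to a documented change; the unexplained ones are the backdoors."""
    cutoff = now - lookback
    return [(e["Target"], e["InitiatedBy"]) for e in audit_logs
            if e["OperationName"] in CREDENTIAL_OPS and _ts(e["TimeGenerated"]) >= cutoff]


def signins_from_unexpected_networks(signins, expected_cidrs):
    """SP sign-ins from outside the networks the application is hosted in."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    return [(s["ServicePrincipalName"], s["IPAddress"]) for s in signins
            if not any(ipaddress.ip_address(s["IPAddress"]) in n for n in nets)]


def signins_off_schedule(signins, baseline_hours):
    """SP sign-ins outside the hours the SP normally authenticates.
    SPs with no baseline are skipped rather than guessed at."""
    return [(s["ServicePrincipalName"], s["TimeGenerated"]) for s in signins
            if s["ServicePrincipalName"] in baseline_hours
            and _ts(s["TimeGenerated"]).hour not in baseline_hours[s["ServicePrincipalName"]]]


def mailbox_reads_by_unexpected_sps(graph_activity, sps_expected_to_read_mail):
    """Graph calls that read mailboxes, made by SPs whose job does not involve mail."""
    return [(r["ServicePrincipalName"], r["RequestUri"]) for r in graph_activity
            if r["RequestMethod"] == "GET" and MAIL_URI.search(r["RequestUri"])
            and r["ServicePrincipalName"] not in sps_expected_to_read_mail]


def backdoor_candidates(audit_logs, signins, now, expected_cidrs, baseline_hours):
    """Correlate: an SP that received a new credential and then signed in from an
    unexpected network or off its schedule matches the pattern described in the article."""
    fresh = {sp for sp, _ in new_credentials(audit_logs, now)}
    anomalous = {sp for sp, _ in signins_from_unexpected_networks(signins, expected_cidrs)}
    anomalous |= {sp for sp, _ in signins_off_schedule(signins, baseline_hours)}
    return sorted(fresh & anomalous)


def run_hunt(now=NOW):
    return {
        "new_credentials": new_credentials(AUDIT_LOGS, now),
        "unexpected_networks": signins_from_unexpected_networks(SP_SIGNINS, EXPECTED_CIDRS),
        "off_schedule": signins_off_schedule(SP_SIGNINS, BASELINE_HOURS),
        "mail_reads": mailbox_reads_by_unexpected_sps(GRAPH_ACTIVITY, SPS_EXPECTED_TO_READ_MAIL),
        "backdoor_candidates": backdoor_candidates(AUDIT_LOGS, SP_SIGNINS, now, EXPECTED_CIDRS, BASELINE_HOURS),
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {hits}")
```

On the constructed data the correlation singles out "Mail Sync Connector": it received a new secret from the temporary user, then signed in from outside the hosting network at an hour it never authenticates, and the mailbox read it performed is permitted by its role, so only the credential and sign-in anomalies expose it. "HR Reporting App" is caught by the Graph activity check instead, because it has no reason to read an inbox at all. Neither hunt alone covers both cases, which is why the article recommends enabling Graph activity logs in addition to auditing credentials and sign-ins.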