OSINT - Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

Severity: Medium
Published: Wed Nov 27 2024 (11/27/2024, 00:00:00 UTC)
Source: MISP

AI-Powered Analysis

Last updated: 06/16/2025, 20:05:03 UTC

Technical Analysis

The threat titled "OSINT - Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions" refers to a persistent and sophisticated cyber espionage campaign attributed to the threat actor group known as Earth Estries. This group has conducted long-term intrusions targeting various sectors including consulting, managed service providers, NGOs, and telecommunications. The campaign leverages multiple known vulnerabilities, notably several Microsoft Exchange Server vulnerabilities from 2021 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), as well as more recent vulnerabilities such as CVE-2023-46805, CVE-2023-48788, CVE-2024-21887, and CVE-2022-3236. These vulnerabilities primarily enable remote code execution, privilege escalation, and unauthorized access without requiring authentication, allowing attackers to establish persistent footholds within targeted networks. The campaign is characterized by multiple command and control (C&C) infrastructure IP addresses linked to sub-campaigns named Beta (GHOSTSPIDER, DEMODEX) and Alpha (SNAPPYBEE), indicating a complex, multi-stage operation. The threat actor exploits these vulnerabilities to infiltrate networks, exfiltrate sensitive data, and potentially disrupt operations. The use of multiple CVEs spanning several years suggests a long-term, evolving campaign that adapts to newly discovered vulnerabilities to maintain access. The affected countries listed are primarily outside Europe, but the sectors targeted and the vulnerabilities exploited are globally relevant, especially given the widespread use of Microsoft Exchange Server in enterprises worldwide. The campaign's medium severity rating reflects the significant risk posed by these vulnerabilities if exploited, though no known exploits are currently reported in the wild specifically tied to this campaign. The threat actor's focus on high-value sectors and use of multiple sophisticated vulnerabilities underscores the need for vigilance and proactive defense measures.

Potential Impact

For European organizations, the impact of this threat could be substantial due to the widespread deployment of Microsoft Exchange Server and similar infrastructure in critical sectors such as telecommunications, consulting, managed service providers, and NGOs. Successful exploitation could lead to unauthorized access, data breaches involving sensitive or confidential information, disruption of email and communication services, and potential lateral movement within networks to compromise additional systems. This could result in operational downtime, reputational damage, regulatory penalties under GDPR for data breaches, and financial losses. Given the long-term nature of the intrusions, organizations may face persistent threats that are difficult to detect and eradicate. The presence of multiple C&C servers and the use of several vulnerabilities increase the attack surface and complicate incident response efforts. Additionally, the targeting of managed service providers could have cascading effects, impacting multiple client organizations across Europe. The threat actor's ability to exploit vulnerabilities without authentication and without requiring user interaction further elevates the risk, as it lowers the barrier for successful attacks and increases the likelihood of widespread compromise if patches are not applied promptly.

Mitigation Recommendations

1. Immediately patch and update all Microsoft Exchange Servers and related infrastructure to address the listed CVEs, especially the critical 2021 Exchange vulnerabilities and recent CVEs such as CVE-2023-46805 and CVE-2024-21887.
2. Conduct comprehensive network and endpoint detection and response (EDR) scans to identify indicators of compromise related to the Earth Estries campaigns, including the IP addresses associated with their C&C infrastructure.
3. Implement strict network segmentation to limit lateral movement opportunities if a breach occurs, particularly isolating Exchange servers from other critical systems.
4. Enforce multi-factor authentication (MFA) on all administrative and remote access accounts to reduce the risk of credential compromise.
5. Monitor network traffic for unusual outbound connections to the known C&C IP addresses and domains associated with the threat actor campaigns (GHOSTSPIDER, DEMODEX, SNAPPYBEE).
6. Review and harden email server configurations to minimize exposure, including disabling legacy protocols and unnecessary services.
7. Engage in threat hunting exercises focused on the exploitation techniques linked to the identified CVEs and the Earth Estries TTPs (tactics, techniques, and procedures).
8. Collaborate with cybersecurity information sharing organizations to receive timely intelligence updates and share findings related to this threat.
9. Conduct user awareness training focused on recognizing signs of compromise and phishing attempts that may be used as initial attack vectors.
10. Maintain regular backups of critical data and verify the ability to restore systems quickly to mitigate the impact of potential ransomware or destructive attacks following intrusion.
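One way to put recommendations 2 and 5 into practice: match outbound connections in firewall logs against the campaign's C&C indicator table and group the hits by sub-campaign (GHOSTSPIDER, DEMODEX, SNAPPYBEE). This is an added example, not code from the original page or from the MISP source; it assumes a MISP-style Value/Description export and a simple "timestamp action src dst dport" log format, and the indicator addresses below are constructed RFC 5737 placeholders rather than the campaign's real C&C addresses, which should be loaded from the MISP event.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed IoC table in the Value/Description shape of the MISP record.
# Addresses are RFC 5737 documentation ranges used as placeholders only.
IOC_CSV = """value,description
192.0.2.10,Campaign Beta (GHOSTSPIDER)
198.51.100.7,Campaign Beta (DEMODEX)
203.0.113.44,Campaign Alpha (SNAPPYBEE)
"""

# Constructed firewall log lines: "<timestamp> <allow|deny> <src> <dst> <dport>".
SAMPLE_LOG = """2024-11-27T10:01:02Z allow 10.0.5.21 192.0.2.10 443
2024-11-27T10:01:05Z allow 10.0.5.21 142.250.80.46 443
2024-11-27T10:02:11Z allow 10.0.7.3 198.51.100.7 8443
2024-11-27T10:03:40Z deny 10.0.5.21 203.0.113.44 443
"""

LOG_RE = re.compile(r"^(\S+) (allow|deny) (\S+) (\S+) (\d+)$")


def load_iocs(text):
    """Parse the IoC export into {ip: campaign}; rejects malformed addresses."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.ip_address(row["value"].strip())  # raises on bad value
        iocs[str(ip)] = row["description"].strip()
    return iocs


def match_outbound(log_text, iocs):
    """Return (ts, src, dst, dport, campaign, action) for internal hosts
    contacting a listed C&C address. Denied attempts are kept: a blocked
    beacon still identifies a host that needs investigation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, action, src, dst, port = m.groups()
        if dst in iocs and ipaddress.ip_address(src).is_private:
            hits.append((ts, src, dst, int(port), iocs[dst], action))
    return hits


def hits_by_campaign(hits):
    """Group affected internal hosts by the sub-campaign of the C&C address."""
    grouped = defaultdict(list)
    for _, src, _, _, campaign, _ in hits:
        grouped[campaign].append(src)
    return dict(grouped)
```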

Technical Details

Threat Level: 3
Analysis: 2

Indicators of Compromise

Vulnerability

CVE-2023-46805
CVE-2024-21887
CVE-2023-48788
CVE-2022-3236
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065

IP addresses (C&C infrastructure, by campaign)


Threat ID: 6828eab7e1a0c275ea6e1eb0

Added to database: 5/17/2025, 7:59:51 PM

Last enriched: 6/16/2025, 8:05:03 PM

Last updated: 8/11/2025, 5:52:45 PM
