Murky Panda Hackers, also tracked as Silk Typhoon or Hafnium, have expanded their methods to exploit trusted cloud relationships. By compromising SaaS and cloud solution providers, the group infiltrates downstream customers and gains deep access to sensitive data. This marks a dangerous shift in tactics that leverages cloud trust to spread across multiple organizations.
How Murky Panda Hackers Operate
Targeting SaaS Providers
The group exploited zero-day flaws in SaaS providers to steal Entra ID application registration secrets. This allowed them to impersonate service principals, log into customer environments, and access valuable data such as emails.
Exploiting Cloud Solution Providers
Murky Panda Hackers compromised a Microsoft cloud solution provider with delegated administrative privileges. They hijacked an Admin Agent account, escalated privileges, and gained Global Administrator access across downstream tenants. Backdoor accounts and injected secrets ensured persistence and control.
Using Classic Intrusion Tactics
The group also exploits unpatched internet-facing systems, including Citrix NetScaler and Ivanti Pulse Connect VPN flaws. To maintain access, they deploy web shells like Neo-reGeorg and China Chopper. A custom Golang-based remote access trojan named CloudedHope provides persistence, decoys, and anti-analysis measures.
Stealth and Persistence
Murky Panda Hackers take extensive steps to hide their presence. They delete logs, change timestamps, and sanitize environments to obstruct detection. Compromised SOHO devices are used as exit nodes, disguising malicious traffic as local activity. This careful tradecraft allows them to remain in networks for extended periods.
Why This Matters
- Exploiting cloud trust is a rare but effective tactic.
- A single compromise can impact multiple downstream organizations.
- Access to Global Administrator accounts provides unmatched visibility and control.
- Traditional defenses often fail to detect activity hidden within trusted cloud traffic.
How Organizations Can Defend Themselves
- Audit Entra ID service principals and track suspicious credential activity.
- Monitor delegated admin accounts with MFA and log reviews.
- Patch exposed systems quickly, especially internet-facing software.
- Baseline normal behavior to detect anomalies in cloud activity.
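The first, second and fourth of these recommendations can be turned into a concrete triage pass over exported Entra ID audit logs. The script below is an added example, not code from the original article or from any vendor report on this group. It assumes audit records in the shape of the Microsoft Graph directoryAudit export (fields such as activityDisplayName, initiatedBy and targetResources); the activity names "Add service principal credentials", "Add member to role" and "Add user", and the "Role.DisplayName" modified property, are taken from that schema, and the sample records, tenant names and admin baseline are constructed for illustration. It flags new service principal credentials, Global Administrator grants, the "create an account, then make it Global Admin" backdoor pattern the article describes, and any privileged change by an actor outside the tenant's known-admin baseline, which is where a delegated CSP Admin Agent account would show up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: four Entra ID audit records shaped
# after the Microsoft Graph directoryAudit export. The activity names and the
# Role.DisplayName property follow that schema; verify the exact strings against
# your own tenant's export before relying on them.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2025-08-20T09:10:00Z",
     "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "adminagent@csp.example"}},
     "targetResources": [{"displayName": "svc-backup@victim.example", "type": "User"}]},
    {"activityDateTime": "2025-08-20T09:12:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "adminagent@csp.example"}},
     "targetResources": [{"displayName": "Mail Sync Connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-08-20T09:15:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "adminagent@csp.example"}},
     "targetResources": [{"displayName": "svc-backup@victim.example", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-08-18T14:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@victim.example"}},
     "targetResources": [{"displayName": "jdoe@victim.example", "type": "User"}]},
]

# Constructed baseline of accounts that normally make privileged directory
# changes in this tenant; in practice this is derived from weeks of audit history.
KNOWN_ADMINS = {"helpdesk@victim.example", "identity-ops@victim.example"}

# Activities that should only ever come from the baseline set of admins.
PRIVILEGED_ACTIVITIES = {"Add service principal credentials", "Add member to role", "Add user"}


def _actor(entry):
    """Identity that initiated the change: a user UPN or an app display name."""
    who = entry.get("initiatedBy", {})
    if "user" in who:
        return who["user"].get("userPrincipalName", "<unknown user>")
    if "app" in who:
        return who["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def _when(entry):
    return datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00"))


def _new_role(entry):
    """Role name granted by an 'Add member to role' record, or None."""
    for res in entry.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "")
                try:
                    return json.loads(raw)  # newValue is a JSON-encoded string
                except (json.JSONDecodeError, TypeError):
                    return raw
    return None


def triage(entries, known_admins, window=timedelta(hours=1)):
    """Return a list of findings (dicts) for the audit entries, oldest first."""
    findings = []
    created_users = defaultdict(list)  # actor -> [(time, upn)] of accounts they created

    def flag(severity, entry, target, reason):
        findings.append({"severity": severity, "actor": _actor(entry), "target": target,
                         "time": entry["activityDateTime"], "reason": reason})

    for e in sorted(entries, key=_when):
        actor, when, name = _actor(e), _when(e), e.get("activityDisplayName", "")
        targets = [t.get("displayName", "?") for t in e.get("targetResources", [])]
        target = targets[0] if targets else "?"

        if name == "Add service principal credentials":
            flag("high", e, target, "new credential added to a service principal")
        elif name == "Add member to role" and _new_role(e) == "Global Administrator":
            flag("high", e, target, "Global Administrator granted")
            # Backdoor pattern: same actor created this account shortly before.
            recent = [u for t, u in created_users[actor] if when - t <= window]
            if target in recent:
                flag("critical", e, target,
                     "account created and made Global Administrator by the same actor within the window")
        elif name == "Add user":
            created_users[actor].append((when, target))

        if name in PRIVILEGED_ACTIVITIES and actor not in known_admins:
            flag("medium", e, target, "privileged change by an actor outside the admin baseline")

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG, KNOWN_ADMINS):
        print(f"[{f['severity']:8}] {f['time']} {f['actor']} -> {f['target']}: {f['reason']}")
```

On the constructed sample this produces one critical finding (the svc-backup account created and promoted by the same CSP account within an hour), two high findings (the injected service principal credential and the Global Administrator grant) and three medium findings (every privileged change by the delegated admin account, which is not in the tenant's baseline). The benign helpdesk record produces nothing. In a real deployment the baseline set would be maintained from history rather than hard-coded, and the findings would feed a SIEM rule rather than stdout.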
Conclusion
Murky Panda Hackers demonstrate how trusted cloud relationships can be weaponized to attack downstream customers. By combining advanced cloud exploitation with traditional intrusion methods, the group poses a growing risk to organizations worldwide. Strong monitoring, patching, and identity security are critical to reducing exposure.