Particle.news

CrowdStrike Details Surge in China-Linked ‘Murky Panda’ Cloud Intrusions Targeting North America

Investigators say the actor is breaking into SaaS and managed cloud providers, weaponizing a Commvault zero-day and delegated admin paths to reach customers' email and data.

Overview

  • CrowdStrike says activity by Murky Panda has accelerated over the summer, with more than a dozen recent cases and active incident response work involving targets in government, technology, legal and professional services.
  • In at least two investigations, the attackers exploited zero-day flaws to penetrate SaaS providers, obtained Entra ID application secrets, then authenticated as service principals to access downstream customer mailboxes.
  • Commvault's CVE-2025-3928 was used as a zero-day to steal stored credentials that were later leveraged to enter victims' Microsoft 365 environments, according to Commvault and Microsoft notifications cited by researchers.
  • The group also breached a Microsoft cloud solution provider with delegated administrative privileges, gained Global Administrator access across tenants, created backdoor accounts and escalated via service principals to read email and maintain persistence.
  • Tradecraft includes rapid exploitation of internet-facing devices such as Citrix NetScaler (CVE-2023-3519), use of SOHO routers as infrastructure, deployment of web shells like neo-reGeorg and China Chopper, and a Golang RAT dubbed CloudedHope, as CrowdStrike tracks a sharp rise in China-linked cloud intrusions.
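A defender-side hunt for the two cloud pivots the bullets above describe (an added example, not code from the article or from CrowdStrike): it runs over constructed, simplified Entra ID audit and sign-in records whose field and operation names are assumptions, and flags an application secret added shortly before that service principal reads Exchange Online, and a newly created account granted Global Administrator, including any such grant made by an actor outside the tenant (a delegated partner admin).

```python
from datetime import datetime, timedelta

TENANT_DOMAIN = "victim.example"  # assumed tenant domain; partner (CSP) admins live elsewhere

# Constructed, simplified Entra ID audit/sign-in records. Operation and field names
# approximate the Entra schema rather than reproduce it.
EVENTS = [
    {"t": "2025-08-01T09:00:00", "op": "Add service principal credentials",
     "target": "sp-backup-connector", "actor": "svc-backup@victim.example"},
    {"t": "2025-08-01T09:40:00", "op": "SignIn", "target": "sp-backup-connector",
     "resource": "Office 365 Exchange Online", "ip": "198.51.100.7"},
    {"t": "2025-08-02T11:00:00", "op": "Add user", "target": "helpdesk-sync",
     "actor": "partner-admin@csp.example"},
    {"t": "2025-08-02T11:05:00", "op": "Add member to role", "target": "helpdesk-sync",
     "role": "Global Administrator", "actor": "partner-admin@csp.example"},
    {"t": "2025-07-01T08:00:00", "op": "Add service principal credentials",
     "target": "sp-legit", "actor": "admin@victim.example"},
    {"t": "2025-08-03T08:00:00", "op": "SignIn", "target": "sp-legit",
     "resource": "Office 365 Exchange Online", "ip": "203.0.113.5"},
]

def _ts(e):
    return datetime.fromisoformat(e["t"])

def _preceded_by(events, e, op, window):
    """True if an `op` event on the same target happened within `window` before `e`."""
    return any(c["op"] == op and c["target"] == e["target"]
               and timedelta(0) <= _ts(e) - _ts(c) <= window for c in events)

def find_suspicious(events, window=timedelta(hours=24)):
    """Return (rule, target, detail) tuples for the pivots described in the article."""
    findings = []
    for e in sorted(events, key=_ts):
        if e["op"] == "SignIn" and e.get("resource") == "Office 365 Exchange Online":
            # A fresh secret on an app that then reads mail matches the
            # "stolen application secret -> service principal -> mailbox" path.
            if _preceded_by(events, e, "Add service principal credentials", window):
                findings.append(("sp_new_secret_then_mailbox_access", e["target"], e["ip"]))
        elif e["op"] == "Add member to role" and e.get("role") == "Global Administrator":
            actor = e.get("actor", "")
            # A brand-new account made Global Admin, and any such grant performed from
            # outside the tenant (a delegated partner admin), match the CSP-abuse path.
            if _preceded_by(events, e, "Add user", window):
                findings.append(("new_account_promoted_to_global_admin", e["target"], actor))
            if not actor.endswith("@" + TENANT_DOMAIN):
                findings.append(("global_admin_granted_by_external_actor", e["target"], actor))
    return findings
```

The 24-hour window is a tuning knob: a legitimate app whose secret was rotated a month before its next mail read (sp-legit above) stays quiet, while a secret minted minutes before mailbox access is flagged.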