Podcast Summary: CyberWire Daily – "Pandas with a Purpose" [Research Saturday]
Release Date: May 24, 2025
Host: Dave Bittner
Guest: Deepen Desai, Chief Security Officer and EVP of Cyber and AI Engineering at Zscaler
Introduction
In the May 24, 2025 episode of CyberWire Daily titled "Pandas with a Purpose", host Dave Bittner holds an in-depth discussion with Deepen Desai of Zscaler. The conversation centers on the cyber threat group Mustang Panda: its latest campaigns, the tooling behind them, and strategies for detection and mitigation.
Understanding Mustang Panda
Deepen Desai begins by outlining Mustang Panda’s origins and traditional targets. Mustang Panda is a threat actor group of Chinese origin, primarily targeting:
- Government Entities
- Military Organizations
- Minority Groups
- Non-Governmental Organizations (NGOs)
While traditionally focused on East Asia, there have been instances of Mustang Panda targeting entities in Europe as well.
Quote:
"[Deepen Desai, 01:33] Mustang Panda is of Chinese origin, traditionally targeting government-related entities, military entities, minority groups, and NGOs primarily located in East Asia."
Latest Campaigns and Tools
Desai delves into Mustang Panda’s recent activities, highlighting the discovery of two significant tools:
- Toneshell
  - Description: An updated backdoor used by Mustang Panda.
  - Enhancements: Improved stealth through a modified fake-TLS command and control (C2) communication protocol and updated encryption methods.
Quote:
"[04:12] The Toneshell variant we observed is definitely stealthier, utilizing updated command and control communication protocols through fake TLS headers and encryption methods to evade detection."
- Star Proxy
  - Description: A new lateral movement tool that supports propagation within compromised networks.
  - Functionality: Acts as a relay, letting attackers reach adjacent devices that are otherwise difficult to access directly.
Quote:
"[05:13] Star Proxy serves as a relay, enabling attackers to use compromised systems to reach adjacent devices, facilitating lateral movement within the network."
Technical Details and Evasion Techniques
Desai provides a technical breakdown of how Mustang Panda enhances its operations:
- Fake TLS Traffic: Imitates legitimate TLS traffic to disguise C2 communications, making malicious patterns harder for security systems to detect.
- Custom Encryption Methods: Uses unique encryption to defeat pattern-based detection by security engines.
- DLL Code Injection: Injects code into legitimate processes to carry out malicious activity; this method is comparatively easy to detect next to the group's other techniques.
- Persistence Tools: Employs keyloggers (PAC log, cork log) and evasion tools such as Splat Cloak to disable endpoint detection and response (EDR) functionality.
Quote:
"[06:09] Mustang Panda employs techniques such as imitating TLS traffic, custom encryption methods, and DLL code injection. Additionally, they use tools like PAC log, cork log, and Splat Cloak to disable EDR functionalities, enhancing their persistence within compromised environments."
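The fake-TLS point above invites a concrete defensive check. The following is an added example, not code from the episode or from Zscaler: a framing validator for the first client-to-server record of a port-443 flow, which flags crude TLS imitations whose record and handshake headers do not agree. The TLS constants come from the RFCs; the byte samples are constructed here.

```python
import struct
from typing import List

# TLS constants from RFC 5246 / RFC 8446 (not values taken from the episode).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
KNOWN_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD_LEN = 2 ** 14 + 2048  # plaintext limit plus permitted expansion
CLIENT_HELLO = 1

def check_first_record(data: bytes) -> List[str]:
    """Return framing anomalies found in the first client-to-server TLS record.
    An empty list means the framing is internally consistent."""
    findings: List[str] = []
    if len(data) < 5:
        return ["truncated record header"]
    ctype, version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES:
        findings.append(f"unknown content type {ctype}")
    if version not in KNOWN_VERSIONS:
        findings.append(f"unexpected record version 0x{version:04x}")
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        findings.append(f"implausible record length {rec_len}")
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        findings.append("record length exceeds captured bytes")
    if ctype == 22 and len(body) >= 4:
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")  # handshake length is 24-bit
        if hs_type != CLIENT_HELLO:
            findings.append(f"first handshake message is type {hs_type}, not ClientHello")
        if hs_len + 4 != rec_len:
            findings.append(f"handshake length {hs_len} inconsistent with record length {rec_len}")
    elif ctype == 23:
        findings.append("application_data before any handshake")
    return findings

def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello: one cipher suite, no extensions."""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")  # suites, compression, extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples of the crude "fake TLS" framing a detector should flag.
FAKE_LENGTH_MISMATCH = b"\x16\x03\x01\x00\x20" + b"\x01\x00\x00\x10" + b"\xaa" * 28
FAKE_APPDATA_FIRST = b"\x17\x03\x03\x00\x10" + b"\xbb" * 16

if __name__ == "__main__":
    for name, sample in [("genuine", build_client_hello()), ("len-mismatch", FAKE_LENGTH_MISMATCH),
                         ("appdata-first", FAKE_APPDATA_FIRST)]:
        print(name, check_first_record(sample) or "ok")
```

A carefully framed imitation passes every check here, which is why the full TLS inspection recommended later in the episode matters more than header heuristics.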
Targets and Objectives
Mustang Panda's activities are primarily espionage-focused rather than financially motivated. Their targets include:
- Government and Military Entities: Seeking sensitive information and strategic data.
- Minority Groups and NGOs: Aiming to disrupt or gather intelligence on specific groups.
Quote:
"[10:05] Mustang Panda's activities are espionage-focused rather than financially motivated."
Detection and Mitigation Strategies
Desai outlines a comprehensive approach for organizations to defend against Mustang Panda’s sophisticated attacks:
- Defense in Depth: Implement multiple layers of security controls to cover the different stages of an attack.
- Zero Trust Strategy: Adopt a zero-trust model so that every access request is authenticated and authorized, minimizing the attack surface.
- TLS Inspection: Perform full TLS inspection at the network layer to detect disguised C2 traffic and malicious payloads.
- Segmentation: Segment networks properly to restrict lateral movement, so attackers cannot propagate easily once inside.
- Data Loss Prevention (DLP): Inspect all data leaving the environment to prevent unauthorized exfiltration.
- Advanced Controls via Zscaler Zero Trust Exchange:
  - Sandboxing: Detonates suspicious payloads in controlled environments to analyze malicious behavior.
  - Deception Honeypots: Deploys decoys to detect and contain malicious activity early in the attack lifecycle.
Quote:
"[10:14] Implementing a zero-trust strategy, conducting full TLS inspections, proper network segmentation, and deploying inline DLP solutions are critical in defending against Mustang Panda’s tactics."
Sophistication and Capabilities of Mustang Panda
Mustang Panda continues to evolve in sophistication, focusing on stealth and persistence:
- Tool Enhancements: Regular updates to tools such as Toneshell and the introduction of Star Proxy show a sustained investment in evading detection.
- Resource-Intensive Operations: The group is well resourced, which lets it develop and deploy advanced tools effectively.
Quote:
"[12:48] Mustang Panda's sophistication is increasing as they enhance their tools to become stealthier and disable endpoint controls, enabling longer persistence within targeted networks."
Recommendations and Takeaways for Security Professionals
Desai emphasizes key strategies for defenders:
- Adopt Zero Trust Everywhere: Critical for protecting the crown-jewel assets that sophisticated threat actors target first.
- Leverage AI in Security Operations: AI does not replace human security professionals, but it improves efficiency and efficacy in handling large volumes of information and in countering AI-driven threats.
Quote:
"[13:29] Implementing a zero-trust strategy and leveraging AI to fight AI are essential. While AI cannot replace security professionals, it significantly aids in managing and mitigating advanced threats."
Zscaler’s Role in Mitigating Threats
Desai elaborates on how Zscaler’s Zero Trust Exchange contributes to thwarting Mustang Panda’s attacks:
- Secure Connectivity: Ensures secure connections between entities, minimizing the risk of unauthorized access.
- Advanced Threat Controls: Features such as sandboxing, deception, and inline DLP help detect and contain malicious activity.
- Global Research Integration: Continuous learning from threat signals helps Zscaler and its customers stay ahead of evolving threats.
Quote:
"[15:24] Zscaler's Zero Trust Exchange connects entities securely, employs advanced controls like sandboxing and deception, and integrates global threat intelligence to protect against sophisticated attacks like those from Mustang Panda."
Conclusion
The episode concludes with remarks on the persistent and evolving nature of threats posed by groups like Mustang Panda. The discussion underscores the necessity for robust, multi-layered security strategies and the integration of advanced tools and AI to effectively combat sophisticated cyber threats.
Quote:
"[17:01] Our thanks to Deepen Desai, Zscaler's Chief Security Officer, for joining us. The research follows Mustang Panda's latest campaign."
Produced by: Liz Stokes
Mixed by: Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Ibin
Publisher: Peter Kilpe
Host: Dave Bittner
For more detailed insights and the latest in cybersecurity news, listen to CyberWire Daily and stay informed with expert analysis and discussions.