bionlogix.blogg.se

Chinese espionage group deploys new compatible

Proofpoint's Threat Research Team details a recent cyber espionage campaign targeting entities globally, conducted by a threat actor that was publicly attributed in 2021 by multiple governments and was the focus of a 2021 indictment by the US Department of Justice. Proofpoint and PwC Threat Intelligence have jointly identified a cyber espionage campaign, active from April 2022 through June, delivering the ScanBox exploitation framework to targets who visit a malicious domain posing as an Australian news website. Proofpoint's research has been assisted by the PwC Threat Intelligence team to provide the information security community with a comprehensive view of the threat activity described. The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea. The joint efforts of Proofpoint and PwC researchers provide a moderate confidence assessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent recent efforts by TA423 / Red Ladon.

This blog analyzes the structure and capabilities of the sample of ScanBox and the plugins identified in this campaign. It also correlates this campaign and its observed victimology with previous campaigns conducted by TA423 / Red Ladon which leveraged RTF template injection. It covers:

  1. The history of the ScanBox framework.
  2. How this custom ScanBox script and related modules work.
  3. Recent targeted phishing campaigns that use URLs impersonating Australian media entities to deliver the ScanBox reconnaissance framework.
  4. How this campaign correlates to threat activity dating back to June 2021 which leveraged RTF template injection.

TA423 / Red Ladon is a China-based, espionage-motivated threat actor that has been active since 2013, targeting a variety of organisations in response to political events in the Asia-Pacific region, with a focus on the South China Sea. TA423 / Red Ladon's targeting has focused on domestic Australian organisations, as well as entities involved with offshore energy exploration in the South China Sea. Activity which overlaps with this threat actor has been publicly referred to in governmental indictments as "APT40" and "Leviathan."

FireEye has no hesitation attributing the group's activities to "China's consistent strategic interest in the Middle East." "This cyber espionage activity is happening against the backdrop of China's multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel's robust technology sector," the post states. "China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions – political, economic, and security – and we anticipate that UNC215 will continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term."

UNC215 also lays a false breadcrumb trail to Iran, using its official Farsi language in some strings. Some file paths include directories named /Iran.

On one occasion FireEye observed "an operator repeatedly and infrequently revisited a compromised network whenever an Endpoint Detection and Response tool detected or quarantined tools like HYPERBRO and Mimikatz. After several months of repeated detections, UNC215 deployed an updated version of HYPERBRO, and a tool called 'anti.exe' to stop Windows Update service and terminate EDR and Antivirus related services."