Uncovering Espionage Operations
June 24, 2024, 8:23 a.m.
Description
This analysis covers the tactics of UNC3886, a suspected China-nexus cyber espionage actor. The report describes the group's exploitation of zero-day vulnerabilities and its deployment of the REPTILE and MEDUSA rootkits for persistent access, its use of malware that relies on trusted third-party services for command and control, and its credential theft techniques, including backdoored applications and the targeting of TACACS+ authentication servers. The group's operations spanned strategic organizations worldwide across diverse sectors, reflecting advanced capabilities and a cautious, evasive approach.
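The most immediate use of a page like this is an indicator sweep: take the IP addresses, file names and file hash listed under Indicators and run them over firewall, audit and EDR logs. The script below is an added example written for this page, not tooling from the report's authors. It embeds the page's indicator list, matches it against a handful of constructed sample log lines (the log format and host names are invented for illustration), and returns structured hits rather than printing them so the results can be checked.

```python
"""Sweep log lines for the network, file-name and hash indicators on this page.

Added example for this page; not code from the report's authors.
The SAMPLE_LOGS entries are constructed illustrations, not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# IPv4 indicators copied from the page's Indicators section.
IOC_IPS = set("""
8.222.216.144 8.219.131.77 8.219.0.112 8.210.75.218 8.210.103.134
58.64.204.165 58.64.204.142 58.64.204.139 47.252.54.82 47.251.46.35
47.243.116.155 47.241.56.157 207.246.64.38 165.154.135.108 165.154.7.145
165.154.134.40 152.32.231.251 155.138.161.47 152.32.205.208 152.32.129.162
123.58.207.86 123.58.196.34 118.193.61.71 118.193.63.40 118.193.61.178
103.232.86.210 103.232.86.217 103.232.86.209 8.222.218.20 47.246.68.13
45.32.252.98 45.77.106.183 154.216.2.149 149.28.122.119 152.32.144.15
""".split())

# File-name and SHA-256 indicators copied from the page.
IOC_FILENAMES = {"reptile.shell", "number.rs", "cron.data"}
IOC_SHA256 = {"1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
PATH_RE = re.compile(r"(?:/[\w.\-]+)+")  # absolute Unix-style paths


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str    # "ip", "sha256" or "filename"
    value: str   # the matched token (full path for filename hits)


def _valid_ipv4(candidate):
    """Reject regex matches such as 999.1.1.1 that are not real addresses."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False


def scan_line(line_no, line):
    """Return every indicator hit in one log line, in the order found."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if _valid_ipv4(ip) and ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for digest in SHA256_RE.findall(line.lower()):
        if digest in IOC_SHA256:
            hits.append(Hit(line_no, "sha256", digest))
    for path in PATH_RE.findall(line):
        # Match on the basename so the indicator fires wherever the file is dropped.
        if path.rsplit("/", 1)[-1] in IOC_FILENAMES:
            hits.append(Hit(line_no, "filename", path))
    return hits


def scan(lines):
    """Scan an iterable of log lines; line numbers start at 1."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        hits.extend(scan_line(line_no, line))
    return hits


def summarize(hits):
    """Count hits per indicator kind, e.g. {'ip': 2, 'filename': 3, 'sha256': 1}."""
    counts = {}
    for hit in hits:
        counts[hit.kind] = counts.get(hit.kind, 0) + 1
    return counts


# Constructed sample input: a mix of true hits and benign noise.
SAMPLE_LOGS = [
    "2024-06-20T10:02:11Z fw01 conn src=10.1.2.3 dst=8.222.216.144 dport=443 action=allow",
    "2024-06-20T10:05:42Z host01 auditd: type=PATH name=/var/tmp/reptile.shell mode=0100755",
    "2024-06-20T10:06:00Z host01 dns: query=updates.example.com resolver=8.8.8.8",
    "2024-06-21T03:14:00Z host02 edr: sha256=1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb path=/opt/number.rs",
    "2024-06-21T03:20:31Z host03 cron: created /etc/cron.d/cron.data",
    "2024-06-21T04:00:09Z fw01 conn src=152.32.231.251 dst=10.1.2.9 dport=22 action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
    print(summarize(scan(SAMPLE_LOGS)))
```

Two caveats a practitioner would apply before acting on the output. Network indicators age: hosting infrastructure is recycled, so an IP hit outside the report's activity window is a lead, not a verdict, and should be checked against the connection's timestamp. File-name matches are the weakest signal here (a generic name such as cron.data can collide with legitimate files), so treat those hits as triage prompts and confirm with the hash or with the host-level rootkit checks described in the report.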
Date
Published: June 24, 2024, 7:58 a.m.
Created: June 24, 2024, 7:58 a.m.
Modified: June 24, 2024, 8:23 a.m.
Indicators
1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb
8.222.216.144
8.219.131.77
8.219.0.112
8.210.75.218
8.210.103.134
58.64.204.165
58.64.204.142
58.64.204.139
47.252.54.82
47.251.46.35
47.243.116.155
47.241.56.157
207.246.64.38
165.154.135.108
165.154.7.145
165.154.134.40
152.32.231.251
155.138.161.47
152.32.205.208
152.32.129.162
123.58.207.86
123.58.196.34
118.193.61.71
118.193.63.40
118.193.61.178
103.232.86.210
103.232.86.217
103.232.86.209
8.222.218.20
47.246.68.13
45.32.252.98
45.77.106.183
154.216.2.149
149.28.122.119
152.32.144.15
reptile.shell
number.rs
cron.data
Attack Patterns
VIRTUALSPHERE
VIRTUALPIE
VIRTUALSHINE
RIFLESPINE
MOPSLED
MEDUSA
REPTILE
UNC3886
T1003.001
T1556
T1110
T1136
T1059.001
T1555
T1071.001
T1071
T1040
T1560
T1053
T1056
T1003
T1059
CVE-2023-20867
CVE-2022-41328
CVE-2022-22948
CVE-2023-34048
CVE-2022-42475