
U.S. Organization in China Targeted by Attackers

Dec. 6, 2024, 5:25 p.m.

Description

A large U.S. entity with significant operations in China suffered a four-month intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, moved laterally across systems, compromised Exchange servers to harvest email, and deployed exfiltration tools, indicating that data theft was the objective. Tactics included DLL sideloading, credential dumping, remote execution tools, and reconnaissance of Active Directory.

Date

Published: Dec. 6, 2024, 5:11 p.m.

Created: Dec. 6, 2024, 5:11 p.m.

Modified: Dec. 6, 2024, 5:25 p.m.

Indicators

ff91bbe7bd4e6d5498b1332f0ad233dcf0ad5fc0d31f870a92142731354d739c

f2fa6ae29306ed7171f2e9563ced9bbd6e337ed8c389b319df3c6b46eeb050f0

d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae

86fd8328765e4803feedf5878a08c149c08d47c336578261a08a3e1933b68daa

51fe904458e216e75909f82a33dc4f163250b498b4e2d365880184e806d3db1a

472a513eb60cba4a2320ebbc10d84679ebaa1a8f90e5a3764902a456b3936a17

23221b6f95b9e3b165a84570212f2c8681cf888aa0fa78822f8500357eeafaf0

1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d

edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0

http://149.28.154.23:443/vmtools.exe

http://149.28.154.23:443/rar.exe

http://149.28.154.23:443
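The indicators above are only useful once they are matched against host and network telemetry. The following is an added example (not code from the report or its authors) that normalises the feed entries into typed sets, matches file hashes case-insensitively, and sweeps proxy log lines both for the exact URLs and for any traffic to the same destination host and port. The proxy log format and the host inventory are constructed for the demonstration and are assumptions; note that the two URL entries carry a stray trailing quote in the feed, which the normaliser strips before matching.

```python
"""
IOC sweep for the indicators published in this report.
Added example; not code from the report's authors. The host inventory and
proxy log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the report's "Indicators" section. Two URL entries
# carry a stray trailing quote in the feed; normalise_iocs() strips it.
RAW_IOCS = [
    "ff91bbe7bd4e6d5498b1332f0ad233dcf0ad5fc0d31f870a92142731354d739c",
    "f2fa6ae29306ed7171f2e9563ced9bbd6e337ed8c389b319df3c6b46eeb050f0",
    "d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae",
    "86fd8328765e4803feedf5878a08c149c08d47c336578261a08a3e1933b68daa",
    "51fe904458e216e75909f82a33dc4f163250b498b4e2d365880184e806d3db1a",
    "472a513eb60cba4a2320ebbc10d84679ebaa1a8f90e5a3764902a456b3936a17",
    "23221b6f95b9e3b165a84570212f2c8681cf888aa0fa78822f8500357eeafaf0",
    "1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d",
    "edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef",
    "c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0",
    "http://149.28.154.23:443/vmtools.exe'",
    "http://149.28.154.23:443/rar.exe'",
    "http://149.28.154.23:443",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalise_iocs(raw):
    """Split raw feed entries into typed sets: sha256 hashes, full URLs,
    and (host, port) pairs derived from the URLs."""
    iocs = {"sha256": set(), "url": set(), "endpoint": set()}
    for entry in raw:
        value = entry.strip().strip("'\"")  # feed artefact: trailing quote
        if SHA256_RE.match(value.lower()):
            iocs["sha256"].add(value.lower())
        elif value.startswith(("http://", "https://")):
            iocs["url"].add(value)
            u = urlparse(value)
            port = u.port or (443 if u.scheme == "https" else 80)
            iocs["endpoint"].add((u.hostname, port))
    return iocs


def scan_hashes(inventory, iocs):
    """inventory: {path: sha256}. Returns paths whose hash is an IOC,
    compared case-insensitively because hashing tools differ in hex case."""
    return sorted(p for p, h in inventory.items() if h.lower() in iocs["sha256"])


# Assumed (constructed) proxy-log shape:
# "<ts> <src> <dst_host>:<dst_port> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def scan_proxy_log(lines, iocs):
    """Return one hit per matching line. A line matches on the exact URL, or
    on destination (host, port) alone, which also catches downloads of files
    not named in the report from the same server."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        endpoint = (m["host"], int(m["port"]))
        if url in iocs["url"]:
            hits.append({"src": m["src"], "url": url, "match": "url"})
        elif endpoint in iocs["endpoint"]:
            hits.append({"src": m["src"], "url": url, "match": "endpoint"})
    return hits


# Constructed sample data for the demonstration (not from the report).
SAMPLE_INVENTORY = {
    r"C:\Windows\Temp\vmtools.exe": "FF91BBE7BD4E6D5498B1332F0AD233DCF0AD5FC0D31F870A92142731354D739C",
    r"C:\Program Files\VMware\vmtoolsd.exe": "0" * 64,
}
SAMPLE_LOG = [
    "2024-11-02T03:14:07Z 10.20.5.17 149.28.154.23:443 GET http://149.28.154.23:443/vmtools.exe 200",
    "2024-11-02T03:14:09Z 10.20.5.17 149.28.154.23:443 GET http://149.28.154.23:443/7z.exe 200",
    "2024-11-02T03:15:00Z 10.20.5.17 update.example.com:443 CONNECT update.example.com:443 200",
]

if __name__ == "__main__":
    iocs = normalise_iocs(RAW_IOCS)
    print("hash hits:", scan_hashes(SAMPLE_INVENTORY, iocs))
    for hit in scan_proxy_log(SAMPLE_LOG, iocs):
        print("proxy hit:", hit)
```

Matching on the destination endpoint as well as the exact URL matters here: the report lists plain HTTP served on port 443, so a proxy that only inspects TLS or only matches the two published filenames would miss a retrieval of a differently named payload from the same server. The same (host, port) pair should also be checked in firewall and NetFlow records, where no URL is available.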

Attack Patterns

Suspected China-based threat actor

T1207 - Rogue Domain Controller

T1187 - Forced Authentication

T1012 - Query Registry

T1114 - Email Collection

T1486 - Data Encrypted for Impact

T1518 - Software Discovery

T1210 - Exploitation of Remote Services

T1558 - Steal or Forge Kerberos Tickets

T1003 - OS Credential Dumping

T1059 - Command and Scripting Interpreter

Additional Information

China