October 10, 2023 at 09:54AM
A new advanced persistent threat (APT) group called Grayling has been targeting Taiwanese organizations, as well as a government entity in the Asia-Pacific region and organizations in the US and Vietnam. The group likely operates from a region with a strategic interest in Taiwan, implying a possible link to China. Grayling uses various tools and techniques to gain access and deploy payloads, with an emphasis on staying hidden and gathering intelligence. The motive appears to be intelligence gathering rather than financial gain.
Key takeaways from the article:
1. A previously unknown advanced persistent threat (APT) actor named Grayling has been targeting Taiwanese organizations, a government entity in the Asia-Pacific region, and organizations in the US and Vietnam for intelligence gathering.
2. Symantec believes Grayling is likely linked to China based on the heavy targeting of Taiwanese organizations.
3. The observed attacks exploited web-facing assets and used a DLL sideloading technique to deploy custom malware and publicly available tools.
4. Tools used by Grayling include Havoc, Cobalt Strike, NetSpy, Mimikatz, various downloaders, and an unknown payload.
5. Grayling also exploited a privilege escalation bug in Windows (CVE-2019-0803) and performed Active Directory discovery.
6. Grayling aimed to stay hidden and prevent detection, indicating a focus on gathering intelligence rather than financial gain.
7. The sectors targeted by Grayling include manufacturing, IT, biomedical, and government, sectors most likely to be targeted for intelligence gathering.
Full Article – https://ift.tt/e6djPqX