September 1, 2024 at 11:13PM
Unknown attackers have utilized Tencent’s cloud for a phishing campaign targeting Chinese entities, as uncovered by Securonix. The campaign involves delivering Cobalt Strike payloads through phishing emails, establishing persistence and remaining undetected within systems. The attack methodically targets specific Chinese business or government sectors, using advanced exploitation frameworks such as CobaltStrike.
Key takeaways from the meeting notes include the following:
– Tencent’s cloud infrastructure is being exploited by unknown attackers as part of a phishing campaign targeting Chinese entities.
– Threat detection vendor Securonix uncovered a covert campaign targeting Chinese-speaking users with Cobalt Strike payloads delivered through phishing emails.
– The attackers targeted specific Chinese-related business or government sectors by using file names related to Chinese regulations and references to “MACOS.”
– The attackers deployed a series of malicious tools and executables for reconnaissance, network scanning, port forwarding, shellcode execution, credential collection, and more.
– The attackers established persistent access, moved laterally, and exfiltrated information, including Active Directory configuration and public IP addresses.
– Securonix named the campaign “SLOW#TEMPEST,” highlighting the attackers’ willingness to lurk for an extended period in pursuit of their goals.
– The attackers are described as highly organized, sophisticated, and likely orchestrated by a seasoned threat actor with experience in advanced exploitation frameworks.
– There is no solid evidence linking the attack to any known APT groups, although potential affiliations with China, Russia, or North Korea are mentioned.