September 10, 2024 at 08:39AM
A renewed state-sponsored operation codenamed Crimson Palace, linked to China, has expanded its espionage efforts by compromising more government organizations in Southeast Asia. Cybersecurity firm Sophos identified three intrusion sets using compromised networks to deliver malware. The clusters employ various techniques, including C2 frameworks and open-source programs, to infiltrate, establish control, and exfiltrate data.
The key takeaways from the report are as follows:
– A state-sponsored operation by China, codenamed Crimson Palace, has been observed compromising government organizations in Southeast Asia.
– The operation involves three threat activity clusters, Cluster Alpha, Cluster Bravo, and Cluster Charlie, which correspond to the intrusion sets tracked as STAC1248, STAC1870, and STAC1305.
– The attackers used compromised organizational and public service networks to deliver malware and tools, employing an unnamed organization’s systems as a command-and-control relay point and utilizing a compromised Microsoft Exchange Server to host malware.
– Crimson Palace attacks have been ongoing since March 2023, with renewed attacks observed between January and June 2024 targeting additional organizations and agencies in the region.
– Cluster Charlie, also known as Earth Longzhi, deploys C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 for post-exploitation, with a heavy reliance on DLL hijacking to execute malware.
– The clusters work in coordination, with specific tasks in the attack chain: infiltration and reconnaissance (Alpha), burrowing into networks using C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).