One Article Review

Home - The article:
Source Mandiant
Identifier 8520461
Publication date 2024-06-18 14:00:00 (seen: 2024-06-18 14:09:56)
Title Cloaked and Covert: Uncovering UNC3886 Espionage Operations
Text Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi
  Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines. Investigations into more recent operations in 2023, following fixes from the vendors involved in the investigation, have corroborated Mandiant's initial observations that the actor operates in a sophisticated, cautious, and evasive manner. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated. This blog post discusses UNC3886's intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including:
  - The use of publicly available rootkits for long-term persistence
  - Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C)
  - Subverting access and collecting credentials with Secure Shell (SSH) backdoors
  - Extracting credentials from TACACS+ authentication using custom malware
  Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. For Google SecOps Enterprise+ customer
Rating ★★★
Sent Yes
Condensed text
Tags Malware Tool Vulnerability Threat Cloud Technical
Stories APT 41


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.