
Unmasking the Hydra: Exposing a Multi-Headed Chinese State-Sponsored Campaign Against a Foreign Government.pdf

Uploader: 竿*** Document ID: 981613 Uploaded 2025-11-29, 66 pages, 4.76 MB

#BHUSA BlackHatEvents
Unveiling a Multi-Headed Chinese State-Sponsored Campaign Against a Foreign Government
Speakers: Mark Parsons & Morgan Demboski
"Surfacing a Hydra" (Image: Taylor James)

Introductions
Morgan Demboski, Threat Intelligence Analyst, Washington, DC (Morgan_Demboski)
Mark Parsons, Senior Threat Hunter, Charleston, South Carolina, USA (security_dumpster_mcp_l2)
TLP:GREEN

Slide 3: A years-long cyberespionage campaign tracked by Sophos MDR, attributed to Chinese state-sponsored actors
- Two-stage campaign
- Multiple active & coordinated groups
- Broad targeting of critical organizations in SE Asia
Clusters: ALPHA, BRAVO, CHARLIE

Agenda (slide 4)
- Background
- Operation Crimson Palace: Stage 1
- Cluster Charlie Returns & Cluster Bravo Expands: Operation Crimson Palace, Stage 2
- Cluster Analysis & Assessing Overlap
- C2 Gap Analysis
- SPADE Tool
- Takeaways & Q&A

Background (slide 5)

Victimology (slide 6)
- SE Asian government organization
  - Campaign later expanded to other critical organizations in the region
  - History of conflict with China over the South China Sea (SCS)
Source: Xmultiverse_org

Immediate Challenges (slide 7)
- Onboarded with an existing long-term breach
  - Related activity dating back to early 2022
- Lack of full visibility / MDR deployed to a subset of the estate
If we can't take mitigation actions directly, what can we as defenders do to make the most of the situation?
Source: David Truss

Initial Triage (slide 8): How did it start?
Execution Context: vmnat.exe
- Host: Office 365 Integrations Server
- Path: C:\ProgramData\Microsoft\Vault\vmnat.exe
Diagram labels: powershell.exe, cmd.exe, SophosUD.exe (PowHeartBeat), Sslwnd64.exe (PhantomNet), 154.39.137.29
PowerShell TCP client command shown on the slide: 443|%echo(new-object Net.Sockets.TcpClient).Connect(www.msudapis.info,$_)$_ is open!2$null
PowerShell TCP Cli

According to the Operation Crimson Palace report, Sophos MDR uncovered a Chinese state-backed cyberespionage campaign targeting Southeast Asian government agencies and other critical organizations. Key points:
1. A years-long cyberespionage campaign, divided into two stages.
2. The activity involved multiple coordinated "groups" and broadly targeted critical organizations in Southeast Asia.
3. Stage one uncovered 13 malware families, including the Merlin C2 agent, RUDEBIRD and PhantomNet.
4. In stage two, Cluster Charlie re-infiltrated the network and deployed the Havoc C2 framework and tools such as PocoProxy.
5. The activity involved the theft of sensitive documents relating to military, cybersecurity and economic interests.
6. The SPADE tool was used to detect malicious C2 sessions.
7. The activity shows that Chinese state-backed cyberespionage continues to increase, requiring agile threat hunting and intelligence-driven defense.