Specifically, the second variant was discovered to have exploited outdated F5 BIG-IP devices as a covert channel to transmit commands via a reverse SSH tunnel to the external C&C server, emphasizing once more how compromised edge appliances can give threat actors prolonged persistence. A vulnerable edge service, or software that can be accessed over the internet, is the only prerequisite for a mass exploitation incident to take place. These kinds of devices are frequently used to increase network security, but on numerous occasions, attackers have found and taken advantage of weaknesses in them, giving them the ideal entry point into a target network.

The presence of additional programs for capturing network packets and a SOCKS tunneling utility dubbed EarthWorm that has been used by actors like Gelsemium and Lucky Mouse, as well as a tool named PMCD that polls the threat actor's C&C server every 60 minutes to look for commands to execute, have also been discovered during subsequent forensic analysis of the compromised F5 devices.

It is yet unknown exactly what initial access vector was utilized to enter the target environment, be it spear-phishing or making use of known security holes in systems exposed to the internet. This comes after it was noticed that three new China-related clusters—Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace—were targeting Asia in an attempt to obtain classified intelligence.

Impact

• Sensitive Data Theft
• Data Exfiltration
• Cyber Espionage

Indicators of Compromise

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.