Operation Crimson Palace: A Technical Deep Dive
Essential information
- Published
- 06/06/2024 07:55
- Modified
- 06/06/2024 08:20
- Tags
- 2024-06-06, ccoredoor, cobalt strike, credential access, cyberespionage, eagerbee, impersoni-fake-ator, intrusion, lateral movement, malware, nupakage, phantomnet, pocoproxy, powheartbeat, rudebird
- Related entities
- 138 observables, 1 intrusion set (apt), 15 techniques (mitre), 9 malware, 1 other
Description
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.
External references
- https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv
- https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv
- https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv
- https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv
- https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv
- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/
- https://otx.alienvault.com/pulse/66616b89c93e2fdea5783ecf