{
  "name": "Uncovering Espionage Operations",
  "slug": "uncovering-espionage-operations",
  "description": "This comprehensive analysis delves into the intricate tactics employed by UNC3886, a suspected China-nexus cyber espionage actor. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and its deployment of rootkits such as REPTILE and MEDUSA for persistent system access. It explores the group's use of malware that leverages trusted third-party services for command and control, as well as its credential-theft techniques, including backdoored applications and the targeting of TACACS+ authentication servers. The group's operations spanned strategic global organizations across diverse sectors, demonstrating its advanced capabilities and cautious, evasive approach.",
  "published": "2024-06-24T05:58:21+00:00",
  "created_at": "2024-06-24T05:58:21+00:00",
  "modified_at": "2024-06-24T06:23:07+00:00",
  "created_at_opencti": "2024-06-24T05:58:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-24",
    "CVE-2022-22948",
    "CVE-2022-41328",
    "CVE-2022-42475",
    "CVE-2023-20867",
    "CVE-2023-34048",
    "espionage",
    "rootkit",
    "supply-chain",
    "virtualsphere",
    "zero-day"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "8.222.216.144"
      },
      {
        "id": "",
        "name": "8.219.131.77"
      },
      {
        "id": "",
        "name": "8.219.0.112"
      },
      {
        "id": "",
        "name": "8.210.75.218"
      },
      {
        "id": "",
        "name": "8.210.103.134"
      },
      {
        "id": "",
        "name": "58.64.204.165"
      },
      {
        "id": "",
        "name": "58.64.204.142"
      },
      {
        "id": "",
        "name": "58.64.204.139"
      },
      {
        "id": "",
        "name": "47.252.54.82"
      },
      {
        "id": "",
        "name": "47.251.46.35"
      },
      {
        "id": "",
        "name": "47.243.116.155"
      },
      {
        "id": "",
        "name": "47.241.56.157"
      },
      {
        "id": "",
        "name": "207.246.64.38"
      },
      {
        "id": "",
        "name": "165.154.135.108"
      },
      {
        "id": "",
        "name": "165.154.7.145"
      },
      {
        "id": "",
        "name": "165.154.134.40"
      },
      {
        "id": "",
        "name": "152.32.231.251"
      },
      {
        "id": "",
        "name": "155.138.161.47"
      },
      {
        "id": "",
        "name": "152.32.205.208"
      },
      {
        "id": "",
        "name": "152.32.129.162"
      },
      {
        "id": "",
        "name": "123.58.207.86"
      },
      {
        "id": "",
        "name": "123.58.196.34"
      },
      {
        "id": "",
        "name": "118.193.61.71"
      },
      {
        "id": "",
        "name": "118.193.63.40"
      },
      {
        "id": "",
        "name": "118.193.61.178"
      },
      {
        "id": "",
        "name": "103.232.86.210"
      },
      {
        "id": "",
        "name": "103.232.86.217"
      },
      {
        "id": "",
        "name": "103.232.86.209"
      },
      {
        "id": "",
        "name": "8.222.218.20"
      },
      {
        "id": "",
        "name": "47.246.68.13"
      },
      {
        "id": "",
        "name": "45.32.252.98"
      },
      {
        "id": "",
        "name": "45.77.106.183"
      },
      {
        "id": "",
        "name": "154.216.2.149"
      },
      {
        "id": "",
        "name": "149.28.122.119"
      },
      {
        "id": "",
        "name": "152.32.144.15"
      },
      {
        "id": "",
        "name": "reptile.shell"
      },
      {
        "id": "",
        "name": "number.rs"
      },
      {
        "id": "",
        "name": "cron.data"
      },
      {
        "id": "",
        "name": "1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:b92e121ddfb20880",
        "name": "VIRTUALSPHERE",
        "slug": "virtualsphere"
      },
      {
        "id": "72ba902d-2511-43e9-9892-699ceb231893",
        "name": "VIRTUALPIE",
        "slug": "virtualpie"
      },
      {
        "id": "legacy:malware:c8f389292dcf1168",
        "name": "VIRTUALSHINE",
        "slug": "virtualshine"
      },
      {
        "id": "legacy:malware:8d076462c43c8af0",
        "name": "RIFLESPINE",
        "slug": "riflespine"
      },
      {
        "id": "legacy:malware:ffe260477482fc9d",
        "name": "MOPSLED",
        "slug": "mopsled"
      },
      {
        "id": "11c326b4-9d4e-4210-89da-05336d554bed",
        "name": "Medusa",
        "slug": "medusa"
      },
      {
        "id": "bb7597b1-de37-4115-b996-3d619ccacf47",
        "name": "REPTILE",
        "slug": "reptile"
      }
    ],
    "intrusion_sets": [
      {
        "id": "ecd38658-7b26-4e54-9440-ad92cd6ef070",
        "name": "UNC3886",
        "slug": "unc3886"
      }
    ],
    "attack_patterns": [
      {
        "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d",
        "name": "T1003.001"
      },
      {
        "id": "3da78f6d-c968-43ce-b1f3-149ce4a042aa",
        "name": "T1556"
      },
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "ed82bdd1-d346-48d1-98de-36a9a0a96489",
        "name": "T1040"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-20867"
      },
      {
        "id": "",
        "name": "CVE-2022-41328"
      },
      {
        "id": "",
        "name": "CVE-2022-22948"
      },
      {
        "id": "",
        "name": "CVE-2023-34048"
      },
      {
        "id": "",
        "name": "CVE-2022-42475"
      }
    ]
  },
  "external_refs": [
    "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations",
    "https://otx.alienvault.com/pulse/6679271d75f66267fe0e5c98"
  ]
}