This is the APT41 / Barium / Winnti / Wicked Panda / Wicked Spider intrusion group https://twitter.com/TheJusticeDept/status/1306252806366662659
Some interesting points for infosec folks:
1) Very rapid turnarounds of publicly disclosed security exploits into active campaigns
2) Most of this group's activities were targeting IoT/router/VPN things that corps are less good at quickly patching
Part of what makes this group "advanced" is leveraging compromises to enable further compromises and persistence. So here, for example, compromising victim #1, stealing their code signing certs, and pushing signed malware to that victim's targeted customers
This is also a laundry-list of many key problems for infosec:
1) Spear-phishing: still problematic
2) Supply-chain (malicious update) compromises
3) Breaking into corp networks via rapid-turnaround public bugs in unpatched IoT/VPN/routers and then pivoting to the internal network