APT5
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| BRONZE FLEETWOOD | (Citation: Secureworks BRONZE FLEETWOOD Profile) |
| Keyhole Panda | (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks BRONZE FLEETWOOD Profile) |
| MANGANESE | (Citation: Microsoft Threat Actor Naming July 2023)(Citation: NSA APT5 Citrix Threat Hunting December 2022) |
| Mulberry Typhoon | (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft East Asia Threats September 2023) |
| UNC2630 | (Citation: NSA APT5 Citrix Threat Hunting December 2022) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1098 | .007 | Account Manipulation: Additional Local or Domain Groups |
APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1583 | .005 | Acquire Infrastructure: Botnet |
APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow on activities.(Citation: ORB Mandiant) |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT5 has used the JAR/ZIP file format for exfiltrated files.(Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT5 has used PowerShell to accomplish tasks within targeted environments.(Citation: Mandiant Pulse Secure Update May 2021) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
APT5 has used cmd.exe for execution on compromised systems.(Citation: Mandiant Pulse Secure Update May 2021) |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT5 has staged data on compromised systems prior to exfiltration often in `C:\Users\Public`.(Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1562 | .006 | Impair Defenses: Indicator Blocking |
APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.(Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1070 | .003 | Indicator Removal: Clear Command History |
APT5 has cleared the command history on targeted ESXi servers.(Citation: Mandiant Pulse Secure Update May 2021) |
| .004 | Indicator Removal: File Deletion |
APT5 has deleted scripts and web shells to evade detection.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021) |
||
| .006 | Indicator Removal: Timestomp |
APT5 has modified file timestamps.(Citation: Mandiant Pulse Secure Update May 2021) |
||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Resource Name or Location |
APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a `KB |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.(Citation: Mandiant Pulse Secure Update May 2021) |
| .002 | OS Credential Dumping: Security Account Manager |
APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.(Citation: Mandiant Pulse Secure Update May 2021) |
||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
APT5 has moved laterally throughout victim environments using RDP.(Citation: Mandiant Pulse Secure Update May 2021) |
| .004 | Remote Services: SSH |
APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.(Citation: Mandiant Pulse Secure Update May 2021) |
||
| Enterprise | T1053 | .003 | Scheduled Task/Job: Cron |
APT5 has made modifications to the crontab file including in `/var/cron/tabs/`.(Citation: NSA APT5 Citrix Threat Hunting December 2022) |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
APT5 has installed multiple web shells on compromised servers including on Pulse Secure VPN appliances.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021) |
| Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
APT5 has used legitimate account credentials to move laterally through compromised environments.(Citation: Mandiant Pulse Secure Zero-Day April 2021) |
| .004 | Valid Accounts: Cloud Accounts |
APT5 has accessed Microsoft M365 cloud environments using stolen credentials. (Citation: Mandiant Pulse Secure Update May 2021) |
||
References
- FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024.
- Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
- Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
- Microsoft Threat Intelligence. (2023, September). Digital threats from East Asia increase in breadth and effectiveness. Retrieved February 5, 2024.
- National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.
- Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.
- Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.