
APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)
ID: G1023
Associated Groups: Mulberry Typhoon, MANGANESE, Keyhole Panda, UNC2630, BRONZE FLEETWOOD
Created: 05 Feb 2024
Last Modified: 14 Mar 2024

Associated Group Descriptions

Name Description
Mulberry Typhoon (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft East Asia Threats September 2023)
MANGANESE (Citation: Microsoft Threat Actor Naming July 2023)(Citation: NSA APT5 Citrix Threat Hunting December 2022)
Keyhole Panda (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks BRONZE FLEETWOOD Profile)
UNC2630 (Citation: NSA APT5 Citrix Threat Hunting December 2022)
BRONZE FLEETWOOD (Citation: Secureworks BRONZE FLEETWOOD Profile)

Techniques Used

Domain ID Name Use
Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT5 has used the JAR/ZIP file format for exfiltrated files.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT5 has used PowerShell to accomplish tasks within targeted environments.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT5 has used cmd.exe for execution on compromised systems.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1136 .001 Create Account: Local Account

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

APT5 has staged data on compromised systems prior to exfiltration, often in `C:\Users\Public`.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1070 .003 Indicator Removal: Clear Command History

APT5 has cleared the command history on targeted ESXi servers.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

APT5 has deleted scripts and web shells to evade detection.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1070 .006 Indicator Removal: Timestomp

APT5 has modified file timestamps.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1056 .001 Input Capture: Keylogging

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT5 has named exfiltration archives to mimic Windows Updates, at times using filenames with a `KB.zip` pattern.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT5 has moved laterally throughout victim environments using RDP.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1021 .004 Remote Services: SSH

APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1053 .003 Scheduled Task/Job: Cron

APT5 has made modifications to the crontab file, including in `/var/cron/tabs/`.(Citation: NSA APT5 Citrix Threat Hunting December 2022)

Enterprise T1505 .003 Server Software Component: Web Shell

APT5 has installed multiple web shells on compromised servers, including on Pulse Secure VPN appliances.(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT5 has used legitimate account credentials to move laterally through compromised environments.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

APT5 has accessed Microsoft M365 cloud environments using stolen credentials.(Citation: Mandiant Pulse Secure Update May 2021)

Software

ID Name References Techniques

S0039 Net
References: (Citation: Mandiant Pulse Secure Update May 2021) (Citation: Microsoft Net Utility) (Citation: Savill 1999)
Techniques: Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account

S0057 Tasklist
References: (Citation: Mandiant Pulse Secure Update May 2021) (Citation: Microsoft Tasklist)
Techniques: Process Discovery, System Service Discovery, Security Software Discovery

S1050 PcShare
References: (Citation: Bitdefender FunnyDream Campaign November 2020) (Citation: GitHub PcShare 2014) (Citation: Secureworks BRONZE FLEETWOOD Profile)
Techniques: Match Legitimate Name or Location, Web Protocols, Process Discovery, Screen Capture, System Network Configuration Discovery, Windows Command Shell, Encrypted/Encoded File, Component Object Model Hijacking, Keylogging, Data from Local System, Rundll32, Deobfuscate/Decode Files or Information, Query Registry, File Deletion, Exfiltration Over C2 Channel, Invalid Code Signature, Modify Registry, Native API, Process Injection, Video Capture

S0104 netstat
References: (Citation: Mandiant Pulse Secure Update May 2021) (Citation: TechNet Netstat)
Techniques: System Network Connections Discovery

S1109 PACEMAKER
References: (Citation: Mandiant Pulse Secure Zero-Day April 2021)
Techniques: Proc Filesystem, Ptrace System Calls, Automated Collection, Unix Shell, File and Directory Discovery, Local Data Staging

S1113 RAPIDPULSE
References: (Citation: Mandiant Pulse Secure Update May 2021)
Techniques: Deobfuscate/Decode Files or Information, Data from Local System, Web Shell, Encrypted/Encoded File

S0032 gh0st RAT
References: (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) (Citation: Secureworks BRONZE FLEETWOOD Profile)
Techniques: Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel

S0007 Skeleton Key
References: (Citation: Dell Skeleton) (Citation: Secureworks BRONZE FLEETWOOD Profile)
Techniques: Domain Controller Authentication

S1108 PULSECHECK
References: (Citation: Mandiant Pulse Secure Zero-Day April 2021)
Techniques: Web Protocols, Unix Shell, Web Shell, Standard Encoding

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Mandiant Pulse Secure Update May 2021)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

S0012 PoisonIvy
References: (Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Mandiant Advanced Persistent Threats) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)
Techniques: Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Mutual Exclusion, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit

S1110 SLIGHTPULSE
References: (Citation: Mandiant Pulse Secure Update May 2021) (Citation: Mandiant Pulse Secure Zero-Day April 2021)
Techniques: Local Data Staging, Standard Encoding, Web Shell, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Data from Local System, Command and Scripting Interpreter, Web Protocols, Symmetric Cryptography

S1104 SLOWPULSE
References: (Citation: Mandiant Pulse Secure Zero-Day April 2021)
Techniques: Network Device Authentication, Multi-Factor Authentication Interception, Multi-Factor Authentication, Local Data Staging, Compromise Host Software Binary, Obfuscated Files or Information
