- Google GTIG Uncovers UNC6508, a PRC-Linked Group Exploiting REDCap Servers with Custom INFINITERED Malware
- Attackers stole credentials, exfiltrated sensitive data via rigged compliance rules and hid for over a year
- Gmail accounts linked to campaign disabled; administrators are encouraged to enforce phishing-resistant MFA, device-bound sessions, and advanced protection
For more than a year, Chinese state-sponsored threat actors have been lurking on the servers of North American academic, medical and military research organizations, deploying custom malware and exfiltrating sensitive files, experts have warned.
The Google Threat Intelligence Group (GTIG) published a new report detailing the recent activity of UNC6508, a threat actor linked to the People’s Republic of China (PRC), which allegedly exploited externally facing Research Electronic Data Capture (REDCap) servers to deploy a custom piece of malware called INFINITERED.
Through this malware, the attackers stole login credentials, accessed the servers’ content and remained undetected for more than a year. They then moved laterally through the network and exfiltrated sensitive data using a new technique: manipulating domain content compliance rules.
“Patroit”
Google says that content compliance rules are a “legitimate feature found in many cloud-based enterprise productivity suites”. Using administrator accounts, the attackers created specific rules to manage email messages that contained matching predefined sets of words, phrases, and text patterns.
They called the rule “Patroit” and tasked it with BCC forwarding certain emails to actor-controlled Gmail addresses.
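As an added illustration (not code from Google’s report), a defender-side audit that flags content compliance rules which BCC-forward mail to addresses outside the organization’s own domains; the rule schema, organization domains and mailbox addresses below are constructed stand-ins, not a real admin API:

```python
"""Audit content-compliance rules for external BCC forwarding.

Added example with a constructed rule schema (not the real Workspace
admin API). It flags any rule that BCCs matching mail to a mailbox
outside the organization's own domains, the pattern described above.
"""
from dataclasses import dataclass, field

# Constructed organization domains; replace with the real tenant domains.
ORG_DOMAINS = {"example-hospital.org", "research.example-hospital.org"}


@dataclass
class ComplianceRule:
    name: str
    match_terms: list[str]                         # words/phrases the rule matches on
    bcc_recipients: list[str] = field(default_factory=list)


def external_bcc_recipients(rule: ComplianceRule, org_domains=ORG_DOMAINS) -> list[str]:
    """Return the rule's BCC addresses whose domain the org does not own."""
    owned = {d.lower() for d in org_domains}
    flagged = []
    for addr in rule.bcc_recipients:
        domain = addr.rsplit("@", 1)[-1].lower()  # malformed addresses are flagged too
        if domain not in owned:
            flagged.append(addr)
    return flagged


def audit_rules(rules, org_domains=ORG_DOMAINS) -> dict[str, list[str]]:
    """Map rule name -> external BCC addresses, only for rules that have any."""
    findings = {}
    for rule in rules:
        ext = external_bcc_recipients(rule, org_domains)
        if ext:
            findings[rule.name] = ext
    return findings


# Constructed sample: one benign internal archiving rule and one that follows
# the reported "Patroit" pattern (keyword match plus BCC to an outside mailbox).
SAMPLE_RULES = [
    ComplianceRule("legal-hold", ["subpoena"], ["archive@example-hospital.org"]),
    ComplianceRule("Patroit", ["grant", "trial protocol"],
                   ["placeholder-mailbox@gmail.com"]),  # placeholder, not a real IoC
]

if __name__ == "__main__":
    for name, addrs in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r} BCCs mail outside the organization: {addrs}")
```

Run it periodically against an export of the tenant’s rules and alert on any new finding, since a rule of this kind only needs to exist once to leak every matching message.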
Google has since disabled the Gmail accounts associated with this threat actor and this campaign.
In the report, the researchers provided a fairly comprehensive list of steps administrators should take to protect themselves from UNC6508 and similar actors, including enforcing phishing-resistant two-factor authentication, enrolling highly sensitive accounts in the Advanced Protection Program, and enforcing Device Bound Session Credentials so that stolen session cookies cannot be reused from another device.
“The campaign targeted a variety of national, state and private medical entities,” Google stressed. “These organizations include world-renowned clinical providers, leading academic centers, North American military health institutions, professional advocacy groups and health regulatory bodies.”
“Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military preparedness. They employ thousands of people with a combined research budget in the billions of dollars.”