#BHUSA BlackHatEvents

Surfacing a Hydra: Unveiling a Multi-Headed Chinese State-Sponsored Campaign Against a Foreign Government
Speakers: Mark Parsons & Morgan Demboski
Image: Taylor James

Introductions
Morgan Demboski, Threat Intelligence Analyst, Washington, DC (Morgan_Demboski)
Mark Parsons, Senior Threat Hunter, Charleston, South Carolina, USA (security_dumpster_mcp_ l2)
TLP:GREEN

A years-long cyberespionage campaign tracked by Sophos MDR, attributed to Chinese state-sponsored actors
- Two-stage campaign
- Multiple active & coordinated groups
- Broad targeting of critical organizations in SE Asia
Activity clusters: ALPHA, BRAVO, CHARLIE

Agenda
- Background
- Operation Crimson Palace: Stage 1
- Cluster Charlie Returns & Cluster Bravo Expands: Stage 2
- Cluster Analysis & Assessing Overlap
- C2 Gap Analysis
- SPADE Tool
- Takeaways & Q&A

Background

Victimology
- SE Asian government organization
  - Campaign later expanded to other critical organizations in the region
  - History of conflict with China over the South China Sea (SCS)
Source: Xmultiverse_org

Immediate Challenges
- Onboarded with an existing long-term breach
  - Related activity dating back to early 2022
- Lack of full visibility / MDR deployed to a subset of the estate
If we can't take mitigation actions directly, what can we as defenders do to make the most of the situation?
Source: David Truss

Initial Triage
How did it start? vmnat.exe
Execution Context
Host: Office 365 Integrations Server
Path: C:\ProgramData\Microsoft\Vault\vmnat.exe
Artifacts shown in the slide's process diagram: vmnat.exe, powershell.exe, cmd.exe, SophosUD.exe (PowHeartBeat), Sslwnd64.exe (PhantomNet), 154.39.137.29, www.msudapis.info
PowerShell connectivity check from the slide (braces and quotes restored from the garbled extract):
443 | % { echo ((new-object Net.Sockets.TcpClient).Connect("www.msudapis.info", $_)) "$_ is open!" } 2>$null
PowerShell TCP Cli