
Chinese Hackers Breach US Firm, Maintain Network Access for Months

Category: Details

Threat Actors: Chinese state-sponsored group Daggerfly (aka BRONZE HIGHLAND, StormCloud, Evasive Panda); tooling also overlaps with the Crimson Palace campaign.
Campaign Overview: Long-term network access (at least four months) to a major U.S. company, with Exchange Servers targeted for email harvesting and intelligence gathering.
Target Regions: A major U.S. company with operations in China. For context, earlier campaigns hit South Asia (Crimson Palace) and U.S. telecommunications companies (Salt Typhoon, a separate Chinese group).
Methodology: DLL sideloading that abuses legitimate Google and Apple executables, plus open-source and dual-use tools such as Impacket and FileZilla.
Product Targeted: Exchange Servers, email data, and other sensitive organizational information.
Malware Reference: Malicious file textinputhost.dat, previously linked to the Crimson Palace campaign.
Tools Used: Impacket (Python implementations of Windows network protocols such as SMB and MSRPC, commonly used for remote execution and lateral movement), FileZilla (FTP client), DLL sideloading with legitimate applications.
Vulnerabilities Exploited: Abuse of legitimate Google and Apple software for DLL sideloading (no specific CVE is named); possible weaknesses in email server security.
TTPs: Persistence and defense evasion through DLL sideloading; targeting of email data for intelligence collection; use of legitimate and open-source tools for lateral movement within the network.
Attribution: Linked to the Chinese APT group Daggerfly, with tooling overlapping the Crimson Palace campaign; techniques align with previously documented campaigns.
Recommendations: – Strengthen email security systems, including monitoring of Exchange Servers.
– Continuously monitor the network for unusual activity.
– Implement detection for DLL sideloading (unsigned DLLs loaded from beside legitimate signed binaries) and for misuse of tools such as Impacket.
Source: Symantec; cybersecurity insights by Stephen Kowski.
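The recommendations above ask for detection of DLL sideloading and tool misuse without saying what that looks like in telemetry. The following is an added example, not code from the article, Symantec, or Hackread: it runs two heuristics over constructed Sysmon-style event records (invented for illustration, not logs from this intrusion). For Event ID 7 (ImageLoad) it flags a well-known system DLL name resolved from outside the system directories, and an unsigned DLL loaded from the loading process's own directory outside installed-software paths; for Event ID 1 (ProcessCreate) it matches the output-redirection pattern that Impacket's wmiexec.py writes into the ADMIN$ share. The allowlisted directories and the DLL name list are assumptions to be tuned per environment.

```python
"""Detection heuristics for DLL sideloading and Impacket wmiexec-style remote
execution, run over constructed Sysmon-like event records.
Added example; the events below are made up for illustration, not telemetry
from the intrusion described on this page."""
import re
from pathlib import PureWindowsPath

# Directories from which Windows legitimately resolves system DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Installed software may ship unsigned DLLs beside its executables; this
# allowlist is an assumption to be tuned for the estate being monitored.
TRUSTED_APP_DIRS = ("c:\\program files", "c:\\program files (x86)")
# System DLL names that many signed applications import and that are therefore
# often planted next to a copied legitimate binary (illustrative list).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll", "profapi.dll"}
# Impacket's wmiexec.py redirects command output into the ADMIN$ share under a
# timestamp-named file: "... 1> \\127.0.0.1\ADMIN$\__1733400000.456 2>&1".
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.I)


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def _under(path, roots):
    return any(_parent(path).startswith(r) for r in roots)


def check_image_load(ev):
    """Sysmon Event ID 7 (ImageLoad): Image is the process, ImageLoaded the DLL,
    Signed describes the DLL. Returns a reason string or None."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    name = PureWindowsPath(dll).name.lower()
    # Strong signal: a system DLL name resolved from a non-system directory.
    if name in KNOWN_SYSTEM_DLLS and not _under(dll, SYSTEM_DIRS):
        return f"system DLL name {name} resolved from {_parent(dll)}"
    # Weaker signal: unsigned DLL beside its loader, outside trusted install paths.
    if (ev.get("Signed", "true").lower() == "false"
            and _parent(image) == _parent(dll)
            and not _under(image, SYSTEM_DIRS + TRUSTED_APP_DIRS)):
        return f"{PureWindowsPath(image).name} loaded unsigned {name} from its own directory"
    return None


def check_process_create(ev):
    """Sysmon Event ID 1 (ProcessCreate): flag wmiexec's output-redirection pattern."""
    if WMIEXEC_RE.search(ev.get("CommandLine", "")):
        return "Impacket wmiexec-style output redirection to ADMIN$"
    return None


CHECKS = {7: check_image_load, 1: check_process_create}


def scan(events):
    """Return [(RecordId, reason)] for every event a check flags."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        reason = check(ev) if check else None
        if reason:
            hits.append((ev["RecordId"], reason))
    return hits


# Constructed sample events (not real logs). Paths and names are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Users\Public\Libraries\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"},
    {"RecordId": 3, "EventID": 7, "Image": r"C:\ProgramData\sync\sync.exe",
     "ImageLoaded": r"C:\ProgramData\sync\helper.dll", "Signed": "false"},
    {"RecordId": 4, "EventID": 7, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1733400000.456 2>&1"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir 1> C:\temp\out.txt 2>&1"},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {reason}")
```

Records 2, 3 and 5 are flagged; record 4 shows why the trusted-path allowlist matters, since unsigned plugin DLLs under Program Files are routine and would otherwise bury real sideloading alerts. The second heuristic is deliberately noisy and belongs behind a baseline of known loaders, while the wmiexec pattern is specific enough to alert on directly.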

Read full article: https://hackread.com/chinese-hackers-breach-us-firm-network-for-months/

Disclaimer: The above summary has been generated by an AI language model

Source: Hackread

Published on: December 5, 2024
