HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
2023-06-16 ⋅ Palo Alto Networks: Cortex Threat Research ⋅ Lior Rochberger
@online{rochberger:20230616:through:5ef09b8,
author = {Lior Rochberger},
title = {{Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa}},
date = {2023-06-16},
organization = {Palo Alto Networks: Cortex Threat Research},
url = {https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/},
language = {English},
urldate = {2023-06-22}
}
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa
CHINACHOPPER Ladon Yasso |
2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20220929:witchetty:628f1c4,
author = {Threat Hunter Team},
title = {{Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East}},
date = {2022-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage},
language = {English},
urldate = {2022-09-30}
}
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 |
2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team
@online{team:20220726:malicious:ff5f5c0,
author = {Microsoft 365 Defender Research Team},
title = {{Malicious IIS extensions quietly open persistent backdoors into servers}},
date = {2022-07-26},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/},
language = {English},
urldate = {2022-07-28}
}
Malicious IIS extensions quietly open persistent backdoors into servers
CHINACHOPPER MimiKatz |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:iron:f7586c5,
author = {Unit 42},
title = {{Iron Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/},
language = {English},
urldate = {2022-07-29}
}
Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
2022-06-15 ⋅ Security Joes ⋅ Charles Lomboni, Venkat Rajgor, Felipe Duarte
@techreport{lomboni:20220615:backdoor:8d43d9e,
author = {Charles Lomboni and Venkat Rajgor and Felipe Duarte},
title = {{Backdoor via XFF: Mysterious Threat Actor Under Radar}},
date = {2022-06-15},
institution = {Security Joes},
url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf},
language = {English},
urldate = {2022-06-16}
}
Backdoor via XFF: Mysterious Threat Actor Under Radar
CHINACHOPPER |
2022-04-28 ⋅ PWC ⋅ PWC UK
@techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2023-07-02}
}
Cyber Threats 2021: A Year in Retrospect
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
@techreport{yanagishita:20220127:what:3c59dc9,
author = {Hajime Yanagishita and Kiyotaka Tamada and You Nakatsuru and Suguru Ishimaru},
title = {{What We Can Do against the Chaotic A41APT Campaign}},
date = {2022-01-27},
institution = {JSAC 2021},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf},
language = {English},
urldate = {2022-05-17}
}
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey
@online{raghuprasad:20211103:microsoft:2b6de43,
author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey},
title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}},
date = {2021-11-03},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html},
language = {English},
urldate = {2021-11-03}
}
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER |
2021-10-07 ⋅ Microsoft ⋅ Microsoft
@online{microsoft:20211007:microsoft:793e473,
author = {Microsoft},
title = {{Microsoft Digital Defense Report - October 2021}},
date = {2021-10-07},
organization = {Microsoft},
url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi},
language = {English},
urldate = {2021-10-11}
}
Microsoft Digital Defense Report - October 2021
APT15 APT31 APT40 APT5 Earth Lusca HAFNIUM |
2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
@online{hernandez:20210903:pst:a8de902,
author = {Adrian Sanchez Hernandez and Govand Sinjari and Joshua Goddard and Brendan McKeague and John Wolfram and Alex Pennino and Andrew Rector and Harris Ansari and Yash Gupta},
title = {{PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers}},
date = {2021-09-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html},
language = {English},
urldate = {2021-09-06}
}
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran |
2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5,
author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman},
title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}},
date = {2021-08-03},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos},
language = {English},
urldate = {2021-08-06}
}
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
2021-07-20 ⋅ RNZ
@online{rnz:20210720:government:92d39e8,
author = {RNZ},
title = {{Government points finger at China over cyber attacks}},
date = {2021-07-20},
url = {https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks},
language = {English},
urldate = {2021-07-22}
}
Government points finger at China over cyber attacks
APT40 HAFNIUM |
2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20210720:ongoing:1e6dbd0,
author = {Counter Threat Unit ResearchTeam},
title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}},
date = {2021-07-20},
organization = {Secureworks},
url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran},
language = {English},
urldate = {2021-07-26}
}
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor |
2021-07-19 ⋅ Minister for Foreign Affairs of Australia ⋅ Karen Andrews, Peter Dutton
@online{andrews:20210719:australia:8ca5b16,
author = {Karen Andrews and Peter Dutton},
title = {{Australia joins international partners in attribution of malicious cyber activity to China}},
date = {2021-07-19},
organization = {Minister for Foreign Affairs of Australia},
url = {https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china},
language = {English},
urldate = {2021-07-22}
}
Australia joins international partners in attribution of malicious cyber activity to China
APT31 APT40 HAFNIUM |
2021-07-19 ⋅ GOV.UK ⋅ NCSC UK, Dominic Raab
@online{uk:20210719:uk:9674820,
author = {NCSC UK and Dominic Raab},
title = {{UK and allies hold Chinese state responsible for a pervasive pattern of hacking}},
date = {2021-07-19},
organization = {GOV.UK},
url = {https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking},
language = {English},
urldate = {2021-07-22}
}
UK and allies hold Chinese state responsible for a pervasive pattern of hacking
APT31 APT40 HAFNIUM |
2021-06-10 ⋅ ESET Research ⋅ Adam Burgher
@online{burgher:20210610:backdoordiplomacy:4ebcb1d,
author = {Adam Burgher},
title = {{BackdoorDiplomacy: Upgrading from Quarian to Turian}},
date = {2021-06-10},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/},
language = {English},
urldate = {2022-06-08}
}
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
@online{nataraj:20210507:new:79ec788,
author = {Rajesh Nataraj},
title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}},
date = {2021-05-07},
organization = {SophosLabs Uncut},
url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728},
language = {English},
urldate = {2022-02-16}
}
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81,
author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin},
title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}},
date = {2021-05-07},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html},
language = {English},
urldate = {2022-02-16}
}
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck |
2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4,
author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre},
title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}},
date = {2021-05-06},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html},
language = {English},
urldate = {2022-02-17}
}
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20210505:multifactor:8834ab8,
author = {Threat Hunter Team},
title = {{Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques}},
date = {2021-05-05},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks},
language = {English},
urldate = {2021-05-26}
}
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER |
2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
@online{agcaoili:20210427:hello:b3c5de5,
author = {Janus Agcaoili},
title = {{Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability}},
date = {2021-04-27},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html},
language = {English},
urldate = {2021-04-29}
}
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike |
2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana
@online{surana:20210416:could:bb769ca,
author = {Nitesh Surana},
title = {{Could the Microsoft Exchange breach be stopped?}},
date = {2021-04-16},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html},
language = {English},
urldate = {2021-05-11}
}
Could the Microsoft Exchange breach be stopped?
CHINACHOPPER |
2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
@online{falcone:20210415:actor:8428e3f,
author = {Robert Falcone},
title = {{Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials}},
date = {2021-04-15},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/},
language = {English},
urldate = {2021-04-19}
}
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER |
2021-03-26 ⋅ Imperva ⋅ Daniel Johnston
@online{johnston:20210326:imperva:a78367a,
author = {Daniel Johnston},
title = {{Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures}},
date = {2021-03-26},
organization = {Imperva},
url = {https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/},
language = {English},
urldate = {2021-03-30}
}
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
@online{team:20210325:analyzing:d9ddef0,
author = {Microsoft 365 Defender Threat Intelligence Team},
title = {{Analyzing attacks taking advantage of the Exchange Server vulnerabilities}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/},
language = {English},
urldate = {2021-03-30}
}
Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER |
2021-03-25 ⋅ Microsoft ⋅ Tom McElroy
@online{mcelroy:20210325:web:38010a7,
author = {Tom McElroy},
title = {{Web Shell Threat Hunting with Azure Sentinel}},
date = {2021-03-25},
organization = {Microsoft},
url = {https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968},
language = {English},
urldate = {2021-03-30}
}
Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER |
2021-03-21 ⋅ Twitter (@CyberRaiju) ⋅ Jai Minton
@online{minton:20210321:twitter:8e65e84,
author = {Jai Minton},
title = {{Twitter Thread with analysis of .NET China Chopper}},
date = {2021-03-21},
organization = {Twitter (@CyberRaiju)},
url = {https://twitter.com/CyberRaiju/status/1373582619707867136},
language = {English},
urldate = {2023-09-11}
}
Twitter Thread with analysis of .NET China Chopper
CHINACHOPPER |
2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund
@techreport{certbund:20210319:microsoft:beb2409,
author = {CERT-Bund},
title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}},
date = {2021-03-19},
institution = {Bundesamt für Sicherheit in der Informationstechnik},
url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf},
language = {English},
urldate = {2021-03-22}
}
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz |
2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon
@online{deacon:20210315:hafnium:02beddd,
author = {Joshua Deacon},
title = {{HAFNIUM, China Chopper and ASP.NET Runtime}},
date = {2021-03-15},
organization = {Trustwave},
url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/},
language = {English},
urldate = {2021-03-22}
}
HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER |
2021-03-14 ⋅ DAILY BEAST ⋅ Matthew Brazil
@online{brazil:20210314:how:5fcb8be,
author = {Matthew Brazil},
title = {{How China’s Devastating Microsoft Hack Puts Us All at Risk}},
date = {2021-03-14},
organization = {DAILY BEAST},
url = {https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk},
language = {English},
urldate = {2021-03-31}
}
How China’s Devastating Microsoft Hack Puts Us All at Risk
HAFNIUM |
2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
@online{campbell:20210311:you:7bd2342,
author = {Josh Campbell},
title = {{You Don't Know the HAFNIUM of it...}},
date = {2021-03-11},
organization = {Cyborg Security},
url = {https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/},
language = {English},
urldate = {2021-03-16}
}
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat |
2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20210311:microsoft:c51c694,
author = {Unit 42},
title = {{Microsoft Exchange Server Attack Timeline}},
date = {2021-03-11},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/},
language = {English},
urldate = {2021-03-12}
}
Microsoft Exchange Server Attack Timeline
CHINACHOPPER |
2021-03-11 ⋅ DEVO ⋅ Fran Gomez
@online{gomez:20210311:detection:e16ec1f,
author = {Fran Gomez},
title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}},
date = {2021-03-11},
organization = {DEVO},
url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/},
language = {English},
urldate = {2021-03-12}
}
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz |
2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon
@online{lemon:20210310:microsoft:47b2c67,
author = {Josh Lemon},
title = {{Microsoft Exchange & the HAFNIUM Threat Actor}},
date = {2021-03-10},
organization = {Lemon's InfoSec Ramblings},
url = {https://blog.joshlemon.com.au/hafnium-exchange-attacks/},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER |
2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan
@online{zarslan:20210310:tactics:702eb34,
author = {Süleyman Özarslan},
title = {{Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers}},
date = {2021-03-10},
organization = {PICUS Security},
url = {https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers},
language = {English},
urldate = {2021-03-16}
}
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER |
2021-03-10 ⋅ DomainTools ⋅ Joe Slowik
@online{slowik:20210310:examining:e3eee78,
author = {Joe Slowik},
title = {{Examining Exchange Exploitation and its Lessons for Defenders}},
date = {2021-03-10},
organization = {DomainTools},
url = {https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders},
language = {English},
urldate = {2021-03-12}
}
Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER |
2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber
@online{weems:20210309:reproducing:6c6302c,
author = {Anthony Weems and Dallas Kaman and Michael Weber},
title = {{Reproducing the Microsoft Exchange Proxylogon Exploit Chain}},
date = {2021-03-09},
organization = {PRAETORIAN},
url = {https://www.praetorian.com/blog/reproducing-proxylogon-exploit/},
language = {English},
urldate = {2021-03-11}
}
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER |
2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels
@online{lambert:20210309:microsoft:6a37334,
author = {Tony Lambert and Brian Donohue and Katie Nickels},
title = {{Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm}},
date = {2021-03-09},
organization = {Red Canary},
url = {https://redcanary.com/blog/microsoft-exchange-attacks},
language = {English},
urldate = {2021-03-11}
}
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER |
2021-03-09 ⋅ Microsoft ⋅ MSRC Team
@online{team:20210309:microsoft:3e03bbf,
author = {MSRC Team},
title = {{Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021}},
date = {2021-03-09},
organization = {Microsoft},
url = {https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021},
language = {English},
urldate = {2021-03-10}
}
Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021
HAFNIUM |
2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20210309:remediation:4973903,
author = {Unit 42},
title = {{Remediation Steps for the Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-09},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/},
language = {English},
urldate = {2021-03-11}
}
Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER |
2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond
@online{hammond:20210309:hafnium:dc2de8d,
author = {John Hammond},
title = {{HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange}},
date = {2021-03-09},
organization = {YouTube (John Hammond)},
url = {https://www.youtube.com/watch?v=rn-6t7OygGk},
language = {English},
urldate = {2021-03-12}
}
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER |
2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20210308:how:752e42e,
author = {Threat Hunter Team},
title = {{How Symantec Stops Microsoft Exchange Server Attacks}},
date = {2021-03-08},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection},
language = {English},
urldate = {2021-03-12}
}
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz |
2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White
@online{white:20210308:analyzing:9b932a3,
author = {Jeff White},
title = {{Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells}},
date = {2021-03-08},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/china-chopper-webshell/},
language = {English},
urldate = {2021-03-11}
}
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER |
2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund
@online{grnlund:20210307:tracking:2d920fd,
author = {Rasmus Grönlund},
title = {{Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM}},
date = {2021-03-07},
organization = {TRUESEC},
url = {https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/},
language = {English},
urldate = {2021-03-12}
}
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER |
2021-03-06 ⋅ Nextron Systems ⋅ THOR Lite
@online{lite:20210306:scan:f7b0dbe,
author = {THOR Lite},
title = {{Scan for HAFNIUM Exploitation Evidence with THOR Lite}},
date = {2021-03-06},
organization = {Nextron Systems},
url = {https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite},
language = {English},
urldate = {2021-03-10}
}
Scan for HAFNIUM Exploitation Evidence with THOR Lite
HAFNIUM |
2021-03-06 ⋅ Github (microsoft) ⋅ Microsoft
@online{microsoft:20210306:security:7dca242,
author = {Microsoft},
title = {{Security scripts}},
date = {2021-03-06},
organization = {Github (microsoft)},
url = {https://github.com/microsoft/CSS-Exchange/tree/main/Security},
language = {English},
urldate = {2021-03-10}
}
Security scripts
HAFNIUM |
2021-03-05 ⋅ Wired ⋅ Andy Greenberg
@online{greenberg:20210305:chinese:119ea98,
author = {Andy Greenberg},
title = {{Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims}},
date = {2021-03-05},
organization = {Wired},
url = {https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/},
language = {English},
urldate = {2021-03-06}
}
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER |
2021-03-05 ⋅ Pastebin (MALWAREQUINN) ⋅ MalwareQuinn
@online{malwarequinn:20210305:hafnium:b517725,
author = {MalwareQuinn},
title = {{Hafnium Exchange Vuln Detection - KQL}},
date = {2021-03-05},
organization = {Pastebin (MALWAREQUINN)},
url = {https://pastebin.com/J4L3r2RS},
language = {English},
urldate = {2021-03-10}
}
Hafnium Exchange Vuln Detection - KQL
HAFNIUM |
2021-03-05 ⋅ Microsoft ⋅ Louie Mayor
@online{mayor:20210305:exchange:632ca07,
author = {Louie Mayor},
title = {{Exchange Server IIS dropping web shells and other artifacts}},
date = {2021-03-05},
organization = {Microsoft},
url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md},
language = {English},
urldate = {2021-03-10}
}
Exchange Server IIS dropping web shells and other artifacts
HAFNIUM |
2021-03-05 ⋅ Github (cert-lv) ⋅ Andrew Konst
@online{konst:20210305:detect:a6abfa6,
author = {Andrew Konst},
title = {{Detect webshells dropped on Microsoft Exchange servers after 0day compromises}},
date = {2021-03-05},
organization = {Github (cert-lv)},
url = {https://github.com/cert-lv/exchange_webshell_detection},
language = {English},
urldate = {2021-03-10}
}
Detect webshells dropped on Microsoft Exchange servers after 0day compromises
HAFNIUM |
2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs
@techreport{labs:20210305:operation:1248e05,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-05},
institution = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder
CHINACHOPPER |
2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team
@online{team:20210304:falcon:6170749,
author = {The Falcon Complete Team},
title = {{Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits}},
date = {2021-03-04},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits},
language = {English},
urldate = {2021-03-10}
}
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM |
2021-03-04 ⋅ Elastic ⋅ Devon Kerr
@online{kerr:20210304:detection:eb05792,
author = {Devon Kerr},
title = {{Detection and Response for HAFNIUM Activity}},
date = {2021-03-04},
organization = {Elastic},
url = {https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289},
language = {English},
urldate = {2021-03-10}
}
Detection and Response for HAFNIUM Activity
HAFNIUM |
2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs
@online{labs:20210304:operation:1187712,
author = {Huntress Labs},
title = {{Operation Exchange Marauder}},
date = {2021-03-04},
organization = {Huntress Labs},
url = {https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4},
language = {English},
urldate = {2021-03-06}
}
Operation Exchange Marauder
CHINACHOPPER |
2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
@online{bromiley:20210304:detection:3b8c16f,
author = {Matt Bromiley and Chris DiGiamo and Andrew Thompson and Robert Wallace},
title = {{Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities}},
date = {2021-03-04},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html},
language = {English},
urldate = {2021-03-10}
}
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20210303:hafnium:e35dcb1,
author = {MITRE ATT&CK},
title = {{HAFNIUM}},
date = {2021-03-03},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0125/},
language = {English},
urldate = {2022-07-05}
}
HAFNIUM
CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs
@online{labs:20210303:mass:a0ef74d,
author = {Huntress Labs},
title = {{Mass exploitation of on-prem Exchange servers :(}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers},
language = {English},
urldate = {2021-03-10}
}
Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ splunk ⋅ Ryan Kovar
@online{kovar:20210303:detecting:f8ba84c,
author = {Ryan Kovar},
title = {{Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk}},
date = {2021-03-03},
organization = {splunk},
url = {https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html},
language = {English},
urldate = {2021-03-10}
}
Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk
HAFNIUM |
2021-03-03 ⋅ Huntress Labs ⋅ John Hammond
@online{hammond:20210303:rapid:7c97ee5,
author = {John Hammond},
title = {{Rapid Response: Mass Exploitation of On-Prem Exchange Servers}},
date = {2021-03-03},
organization = {Huntress Labs},
url = {https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers},
language = {English},
urldate = {2021-03-10}
}
Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM |
2021-03-03 ⋅ CISA ⋅ CISA
@online{cisa:20210303:alert:c05160a,
author = {CISA},
title = {{Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities}},
date = {2021-03-03},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-062a},
language = {English},
urldate = {2021-03-10}
}
Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities
HAFNIUM |
2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian
@online{christian:20210302:rapid7s:b676aa4,
author = {Andrew Christian},
title = {{Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day}},
date = {2021-03-02},
organization = {Rapid7 Labs},
url = {https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day},
language = {English},
urldate = {2021-03-10}
}
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
@online{grunzweig:20210302:operation:44c264f,
author = {Josh Grunzweig and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster},
title = {{Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities}},
date = {2021-03-02},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/},
language = {English},
urldate = {2021-03-07}
}
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
@online{mstic:20210302:hafnium:c7d8588,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team and Microsoft 365 Security},
title = {{HAFNIUM targeting Exchange Servers with 0-day exploits}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers},
language = {English},
urldate = {2021-03-07}
}
HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM |
2021-03-02 ⋅ Microsoft ⋅ MSRC Team
@online{team:20210302:multiple:d62f8de,
author = {MSRC Team},
title = {{Multiple Security Updates Released for Exchange Server – updated March 8, 2021}},
date = {2021-03-02},
organization = {Microsoft},
url = {https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server},
language = {English},
urldate = {2021-03-10}
}
Multiple Security Updates Released for Exchange Server – updated March 8, 2021
HAFNIUM |
2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
@online{research:20210302:exchange:4473faa,
author = {ESET Research},
title = {{Tweet on Exchange RCE}},
date = {2021-03-02},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1366862946488451088},
language = {English},
urldate = {2021-03-10}
}
Tweet on Exchange RCE
CHINACHOPPER HAFNIUM |
2021-01-29 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20210129:chopper:6dfb7c6,
author = {Trend Micro},
title = {{Chopper ASPX web shell used in targeted attack}},
date = {2021-01-29},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html},
language = {English},
urldate = {2021-02-02}
}
Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz |
2021 ⋅ DomainTools ⋅ Joe Slowik
@techreport{slowik:2021:conceptualizing:3cdf067,
author = {Joe Slowik},
title = {{Conceptualizing a Continuum of Cyber Threat Attribution}},
date = {2021},
institution = {DomainTools},
url = {https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf},
language = {English},
urldate = {2021-11-02}
}
Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST |
2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee,
author = {Denis Goydenko and Alexey Vishnyakov},
title = {{Investigation with a twist: an accidental APT attack and averted data destruction}},
date = {2020-11-27},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/},
language = {English},
urldate = {2020-12-01}
}
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
2020-10-01 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20201001:alert:a46c3d4,
author = {US-CERT},
title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}},
date = {2020-10-01},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a},
language = {English},
urldate = {2020-10-04}
}
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
2020-09-15 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200915:alert:13d0ab3,
author = {US-CERT},
title = {{Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-259a},
language = {English},
urldate = {2020-09-16}
}
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten |
2020-09-15 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20200915:malware:8345418,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-259A): Iranian Web Shells}},
date = {2020-09-15},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a},
language = {English},
urldate = {2020-09-16}
}
Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER |
2020-07-21 ⋅ Department of Justice ⋅ Department of Justice
@online{justice:20200721:two:81b000b,
author = {Department of Justice},
title = {{Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research}},
date = {2020-07-21},
organization = {Department of Justice},
url = {https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion},
language = {English},
urldate = {2022-07-25}
}
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research
CHINACHOPPER BRONZE SPRING |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:e8ad4fb,
author = {SecureWorks},
title = {{BRONZE MOHAWK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk},
language = {English},
urldate = {2020-05-23}
}
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant
@techreport{hall:202001:mandiant:25e38ef,
author = {Tom Hall and Mitchell Clarke and Mandiant},
title = {{Mandiant IR Grab Bag of Attacker Activity}},
date = {2020-01},
institution = {FireEye},
url = {https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf},
language = {English},
urldate = {2021-04-16}
}
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:20190923:apt41:63b9ff7,
author = {MITRE ATT&CK},
title = {{APT41}},
date = {2019-09-23},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0096},
language = {English},
urldate = {2022-08-30}
}
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer
@online{rascagnres:20190827:china:2d2bbb8,
author = {Paul Rascagnères and Vanja Svajcer},
title = {{China Chopper still active 9 years later}},
date = {2019-08-27},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html},
language = {English},
urldate = {2019-10-14}
}
China Chopper still active 9 years later
CHINACHOPPER |
2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley
@online{pennino:20190819:game:b6ef5a0,
author = {Alex Pennino and Matt Bromiley},
title = {{GAME OVER: Detecting and Stopping an APT41 Operation}},
date = {2019-08-19},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html},
language = {English},
urldate = {2020-01-06}
}
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON |
2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f,
author = {Cybereason Nocturnus},
title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}},
date = {2019-06-25},
organization = {Cybereason},
url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers},
language = {English},
urldate = {2022-07-01}
}
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster
@online{falcone:20190528:emissary:dc0f942,
author = {Robert Falcone and Tom Lancaster},
title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}},
date = {2019-05-28},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/},
language = {English},
urldate = {2021-04-16}
}
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER HyperSSL |
2019 ⋅ MITRE ⋅ MITRE ATT&CK
@online{attck:2019:tool:fd89dda,
author = {MITRE ATT&CK},
title = {{Tool description: China Chopper}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/software/S0020/},
language = {English},
urldate = {2019-12-20}
}
Tool description: China Chopper
CHINACHOPPER |
2018-03-16 ⋅ FireEye ⋅ FireEye
@online{fireeye:20180316:suspected:2a77316,
author = {FireEye},
title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}},
date = {2018-03-16},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html},
language = {English},
urldate = {2019-12-20}
}
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40 |
2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
@online{kozy:20171220:end:218a388,
author = {Adam Kozy},
title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}},
date = {2017-12-20},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/},
language = {English},
urldate = {2020-05-11}
}
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER |
2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik
@online{ahl:20130807:breaking:aff06e9,
author = {Ian Ahl and Tony Lee and Dennis Hanzlik},
title = {{Breaking Down the China Chopper Web Shell - Part I}},
date = {2013-08-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html},
language = {English},
urldate = {2019-12-20}
}
Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER |