Indicators of compromise (IoCs) identified
Compromise reports identified (groupings of IoCs)
HIGHLIGHT OF THE MONTH
Mustang Panda, also known as “RedDelta” or “Bronze President”, is a group of cybercriminals allegedly linked to the Chinese government. Active since at least 2014, it mainly targets government organisations, NGOs and any other entities considered enemies of the Chinese communist regime.
According to the MITRE ATT&CK registry of APT groups, Mustang Panda, referenced as ID G0019, uses sophisticated phishing campaigns as its initial infection vector. These malicious emails often carry files that imitate legitimate documents of national or organisational interest to the targets.
The group is also distinguished by its systematic use of custom RATs (Remote Access Trojans), mainly based on the PlugX family of malware (also known as Korplug). Once the target’s machine is infected, these RATs download a C2 agent such as Poison Ivy or Cobalt Strike to establish a link with a server controlled by Mustang Panda.
Since January 2023, Mustang Panda has been using a new backdoor in its attacks, called MQsTTang (a play on the words “Mustang” and “MQTT”). This rudimentary backdoor allows the attacker to execute arbitrary commands on the victim’s machine and uses the MQTT protocol for its C&C communication.
DEFINITION OF THE MONTH
A Supply Chain Attack consists of targeting the weakest element of a production chain. This technique is identified in the MITRE ATT&CK framework as T1195.
In many cases, it will involve compromising a partner or attacking a third-party library rather than the final target. The advantage of this type of attack is that it is not necessary to lure the victim or attack an entity head-on: it is sufficient to exploit the trust already established between the two entities, be it between a company and a supplier, or between a company and its customers. These attacks can also be used to achieve a higher “return on investment” by affecting a large number of victims while compromising only one target.
Examples of supply chain attacks include SolarWinds, Kaseya and, more recently, 3CX, where a single product was compromised to gain access to a large number of companies.
In the case of attacks on the software production chain, the preferred targets are often version control systems, continuous integration/deployment pipelines, or certificates.
However, it is important to remember that these attacks can occur at different levels. They can be a software compromise, as in the previous examples, but also a hardware compromise, during the manufacturing of the hardware or during its delivery or preparation.
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialised sites, the dark and deep web. They make threat information available on average 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident-handling times.