All news with #china nexus tag

🔒 CISA, the NSA, the FBI, and international partners issued a joint advisory describing People’s Republic of China state-sponsored APT actors compromising networks worldwide to support long-term espionage. Investigations through July 2025 reveal these actors exploit vulnerabilities in large backbone provider edge and customer edge routers—often modifying firmware and configurations to evade detection and maintain persistent access. Affected sectors include telecommunications, government, transportation, lodging, and defense. The advisory urges network defenders, especially in high-risk sectors, to actively hunt for intrusions and apply the recommended mitigations.

🛡️ U.S. and international agencies warn that People's Republic of China (PRC) state-sponsored actors have been compromising global networks since at least 2021 to collect communications and other intelligence. Actors targeted telecommunications backbone routers, provider- and customer-edge devices, and infrastructure across government, transportation, lodging, and military sectors. They exploited known CVEs (for example CVE-2024-21887, CVE-2024-3400, Cisco CVEs), modified devices to maintain persistence using on-box PCAP/containers and tunnels, and exfiltrated data via peering and covert channels. The advisory includes IP indicators, binary hashes, Yara/Snort rules, hunting guidance, and prioritized mitigations to patch, isolate management planes, harden credentials, and detect PCAP creation.

🛡️ In March 2025, Google Threat Intelligence Group identified a complex espionage campaign attributed to the PRC‑nexus actor UNC6384 that targeted diplomats in Southeast Asia and other global entities. The attackers hijacked web traffic via a captive‑portal and AitM redirect to deliver a digitally signed downloader tracked as STATICPLUGIN, which retrieved a disguised MSI and staged an in‑memory deployment of the SOGU.SEC backdoor (PlugX). The operation abused valid code‑signing certificates, DLL side‑loading via a novel launcher CANONSTAGER, and indirect execution techniques to evade detection. Google issued alerts, added IOCs to Safe Browsing, and recommends enabling Enhanced Safe Browsing, applying updates, and enforcing 2‑Step Verification.

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.

🔍 Cisco Talos describes UAT-7237, a Chinese‑speaking APT active since 2022 that compromised a Taiwanese web hosting provider to establish long‑term persistence. The actor relies largely on open‑source tooling, customized utilities and a tailored shellcode loader tracked as SoundBill, which can decode and execute Cobalt Strike beacons. UAT-7237 favors SoftEther VPN and RDP for access rather than mass web‑shell deployment. Talos provides IOCs and mitigation guidance for detection and blocking.