Cyber Security Threat Summary:
This advisory highlights the recent state-sponsored cyber activity by the People's Republic of China (PRC) and provides crucial information for network defenders to identify and mitigate this activity. The advisory focuses on network and host artifacts, particularly command lines used by the cyber actor, and includes indicators of compromise (IOCs) for reference. However, defenders should exercise caution and evaluate matches to determine their significance, considering the possibility of false positive indicators resulting from benign activity.

Security Officer Comments:
The PRC state-sponsored cyber actor has employed various techniques to evade detection, and defenders should be aware of their tactics. The actor utilizes compromised SOHO network devices to hide their command and control (C2) traffic, making it appear to originate from local ISPs. Defenders should secure network management interfaces of these devices and monitor for indicators such as specific filenames and hardcoded C2 callbacks. The actor also leverages WMI/WMIC commands to gather information about local drives without administrative credentials, so defenders should watch for the execution of these commands. Additionally, the actor exfiltrates the ntds[.]dit file and the SYSTEM registry hive from Windows domain controllers for password cracking. Defenders should be vigilant for signs of file manipulation and the creation of specific folders. Lastly, the actor uses port forwarding techniques and PowerShell for logon monitoring, so defenders should investigate registry keys, anomalous entries, and unauthorized logon events.

Suggested Correction(s):
The authoring agencies recommend implementing several key mitigations to enhance an organization's cybersecurity posture based on the threat actor's activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST, which provide a minimum set of practices and protections. To start, defenders should harden domain controllers, monitor event logs for specific process creations, and validate the use of administrator privileges. Additionally, they should limit port proxy usage, investigate unusual IP addresses and ports, review firewall configurations, and monitor for abnormal account activity. To ensure log integrity and availability, log files should be forwarded to a hardened centralized logging server, ideally on a segmented network. These measures aim to protect against common threats and tactics, as outlined by the CPGs, and improve the organization's overall cybersecurity posture.

Link(s):
https://www.bleepingcomputer.com/ne..-critical-infrastructure-in-stealthy-attacks/