Organizations in Australia and offshore energy companies operating in the South China Sea have been targeted by Chinese state-sponsored advanced persistent threat actor TA423, also known as Red Ladon, in cyberespionage campaigns leveraging the ScanBox reconnaissance framework, according to Threatpost.
TA423 commences the attacks with phishing emails claiming to be from an employee of the fictional organization "Australian Morning News" that lure recipients into visiting the company's website, which then redirects to a web page serving content copied from legitimate news sites while delivering the ScanBox malware framework, a report from Proofpoint's Threat Research Team and PwC's Threat Intelligence team revealed.
ScanBox then facilitates a multi-stage attack: its primary initial script gathers system details from the target computer and enumerates installed browser extensions and plugins. ScanBox's WebRTC implementation lets it connect to pre-configured targets and lets the attackers make use of Session Traversal Utilities for NAT (STUN). Such attacks were conducted to support the Chinese government amid tensions in Taiwan, noted Proofpoint Vice President of Threat Research and Detection Sherrod DeGrippo.
New attacks with the updated SysUpdate toolkit have been deployed by Chinese advanced persistent threat operation Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, against an Asian government and a Middle East-based telecommunications provider, reports The Hacker News.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.
Sixty thousand emails from U.S. State Department accounts were noted by a staffer working for Sen. Eric Schmitt, R-Mo., to have been exfiltrated by Chinese threat actors during the widespread compromise of Microsoft email accounts that commenced in May, according to Reuters.