Chinese hackers breached critical infrastructure globally using enterprise network gear

72-hour vulnerability exploitation window: RedNovember demonstrated the ability to weaponize newly disclosed vulnerabilities faster than most organizations could deploy patches, researchers found. When proof-of-concept code for the Check Point VPN vulnerability CVE-2024-24919 was published on May 30, 2024, RedNovember was attacking vulnerable systems by June 3. That campaign hit at least 60 organizations across Brazil, Germany, Japan, Portugal, the UK, and the United States within four days, according to the report. Similar patterns emerged with Palo Alto Networks GlobalProtect devices, with RedNovember consistently exploiting disclosed vulnerabilities within 72 hours of public exploit code becoming available, the research showed.
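The practical consequence of a 72-hour exploitation window is that patch timelines for edge devices have to be measured against the proof-of-concept publication date, not against the vendor advisory or an internal maintenance cycle. The script below is an added example, not code from the article or from the researchers: it takes a constructed inventory of VPN gateways, uses the CVE-2024-24919 PoC date given above (May 30, 2024) as the start of the exposure clock, and flags every device whose patch landed (or has not landed) more than 72 hours later. The hostnames, patch timestamps and the "now" value are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Observed attacker latency from the report: public PoC to in-the-wild exploitation
# within roughly 72 hours. Use it as the maximum acceptable patch window.
EXPLOIT_WINDOW = timedelta(hours=72)

# PoC publication dates per CVE. Only the date the article gives is included;
# extend this table from your own vulnerability-intelligence feed.
POC_PUBLISHED = {
    "CVE-2024-24919": datetime(2024, 5, 30),
}


@dataclass
class EdgeDevice:
    hostname: str
    product: str
    cve: str
    patched_at: Optional[datetime]  # None means the device is still unpatched


# Constructed sample inventory (not real hosts).
INVENTORY = [
    EdgeDevice("vpn-gw-01", "Check Point Quantum Gateway", "CVE-2024-24919",
               datetime(2024, 6, 1, 12)),   # patched ~60 h after PoC
    EdgeDevice("vpn-gw-02", "Check Point Quantum Gateway", "CVE-2024-24919",
               datetime(2024, 6, 5, 9)),    # patched ~153 h after PoC
    EdgeDevice("vpn-gw-03", "Check Point Quantum Gateway", "CVE-2024-24919",
               None),                       # never patched
]

# Constructed reference time used for devices that are still unpatched.
NOW = datetime(2024, 6, 10)


def exposure_hours(device: EdgeDevice, now: datetime = NOW) -> float:
    """Hours between PoC publication and the patch (or 'now' if unpatched)."""
    start = POC_PUBLISHED[device.cve]
    end = device.patched_at if device.patched_at is not None else now
    return (end - start) / timedelta(hours=1)


def report(inventory=INVENTORY, now: datetime = NOW) -> list[dict]:
    """Return one record per device, longest exposure first.

    'exceeded' is True when the device was reachable for longer than the
    observed 72-hour exploitation window; 'still_exposed' when no patch exists.
    """
    rows = []
    for dev in inventory:
        hours = exposure_hours(dev, now)
        rows.append({
            "hostname": dev.hostname,
            "cve": dev.cve,
            "hours_exposed": hours,
            "exceeded": hours > EXPLOIT_WINDOW / timedelta(hours=1),
            "still_exposed": dev.patched_at is None,
        })
    return sorted(rows, key=lambda r: r["hours_exposed"], reverse=True)


if __name__ == "__main__":
    for row in report():
        flag = "STILL EXPOSED" if row["still_exposed"] else (
            "EXCEEDED 72h" if row["exceeded"] else "ok")
        print(f'{row["hostname"]:10} {row["cve"]} {row["hours_exposed"]:6.0f} h  {flag}')
```

Devices that show up as exceeded should be treated as potentially compromised rather than merely late: the report's point is that exploitation, not just scanning, begins inside that window, so the follow-up is log review and credential rotation on those hosts, not only the missing update.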

Open-source tools masked attribution: Rather than developing custom malware, RedNovember relied heavily on publicly available tools, including the Go-based Pantegana backdoor and SparkRAT remote access tool, along with the Cobalt Strike penetration testing framework, researchers found. The hackers used variants of the LESLIELOADER tool to deploy SparkRAT on compromised systems, with samples first detected in March 2024, according to the analysis. RedNovember also leveraged legitimate tools and services to manage its infrastructure, including PortSwigger's Burp Suite web application testing suite and VPN services such as ExpressVPN and Cloudflare's Warp. "RedNovember's strategic use of open-source capabilities allows the threat group to lower operational costs and obfuscate attribution," researchers explained in the report.

Global targeting across multiple sectors: The group heavily targeted organizations in the US, Taiwan, and South Korea, while also conducting surveillance of government agencies across Panama and targeting entities in Europe, Africa, Central Asia, and Southeast Asia, the report said. The hackers maintained persistent access to compromised networks for months, with some intrusions lasting from July 2024 through March 2025, according to the research. A Taiwanese IT company remained compromised throughout this period, with researchers tracking communications to Pantegana command-and-control servers. The group also targeted organizations handling sensitive business negotiations, successfully compromising an American law firm involved in debt restructuring for a Chinese company and attempting to breach a major US newspaper, the report found.

Coordinated timing with geopolitical events: Several RedNovember campaigns coincided with significant geopolitical developments, researchers observed. The systematic surveillance of more than 30 Panamanian government agencies occurred just weeks after US Defense Secretary Pete Hegseth announced an expanded partnership to counter Chinese influence in the canal zone. The targeting of Taiwan facilities, which house both military installations and semiconductor research operations, coincided with Chinese military exercises involving 90 warships around the island in December 2024, the report noted. "The timing of the observed reconnaissance closely followed geopolitical and military events of key strategic interest to China," the researchers wrote. The systematic targeting of internet-facing appliances across multiple vendor platforms indicates that organizations need enhanced monitoring and rapid patch deployment capabilities for network infrastructure devices, the report suggested. RedNovember "will almost certainly continue to target edge devices and exploit vulnerabilities soon after their release," researchers added in the report.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4064737/chinese-hackers-breached-critical-infrastructure-globally-using-enterprise-network-gear.html
