- Silent Push discovered 45 domains used by Chinese APT groups for long-term cyber-espionage
- The domains were registered under false identities and linked to low-density IPs for stealthy C2 operations
- Organizations are urged to review five years of DNS logs for signs of compromise
Security researchers have recently found 45 domains, some several years old, that were used in Salt Typhoon cyber-espionage campaigns.
Earlier this week, cybersecurity firm Silent Push published an in-depth report after discovering a few dozen unusual domains that formed part of the command-and-control (C2) infrastructure used by Chinese APT groups to maintain long-term, stealthy access to compromised systems.
In addition to Salt Typhoon, a group tracked as UNC4841 also used the same domains, which allowed the attackers to remotely manage malware, exfiltrate data and persist inside networks without detection.
Checking DNS logs
By analyzing WHOIS and SOA records, Silent Push found domains dating back to May 2020, some of which were registered using fake personas such as Shawn Francis or Monica Burch. Others were registered with ProtonMail addresses, often paired with non-existent US postal addresses.
Some domains impersonated legitimate entities, such as Newhkdaily[dot]com, which may have been used for psychological operations or propaganda, the researchers noted.
“The domains go back several years, with the oldest registration activity occurring in May 2020, also confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” they said in the report.
Silent Push also said the domains shared low-density IP addresses, meaning those IPs hosted few other domains and were probably dedicated to malicious activity.
The company now urges all organizations to search their DNS telemetry logs and data, going back five years, for any sign of activity involving the 45 newly identified domains or their subdomains.
This includes searching for DNS queries to any of the listed domains, connections to the associated IP addresses (particularly during the period when the domains were active), as well as patterns that match the low-density IP infrastructure described in the report.
Even if the infrastructure is probably no longer active, historical DNS data can reveal past compromises or ongoing persistence, and organizations that find matches can take steps to investigate, contain and remediate persistent threats.
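The retrospective hunt described above (query names matching an indicator domain or any of its subdomains, plus resolved answers matching the associated IPs, over a multi-year window) can be run over exported resolver logs with a short script. The following is an added example, not code from Silent Push or the report; it assumes a simplified one-line-per-query log format, a fixed reference date, and an indicator list in which only Newhkdaily[dot]com comes from the article, the other domains and both IP addresses being constructed placeholders for the report's real list.

```python
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Indicator list. Newhkdaily[dot]com is named in the article; the other two domains and
# both IP addresses are constructed placeholders standing in for the report's real list.
IOC_DOMAINS = {
    "newhkdaily.com",
    "placeholder-c2-domain-1.invalid",
    "placeholder-c2-domain-2.invalid",
}
IOC_IPS = {"203.0.113.10", "198.51.100.25"}  # RFC 5737 documentation ranges, constructed

# Constructed resolver log in a simplified "timestamp client query qname qtype answer" layout.
# The fourth line is a deliberate negative case: the indicator appears inside the name but
# is not its registrable suffix, so it must not be reported.
SAMPLE_DNS_LOG = """\
2021-03-14T02:11:09Z 10.0.5.21 query mail.newhkdaily.com A 203.0.113.10
2021-03-14T02:11:10Z 10.0.5.21 query www.example.org A 93.184.216.34
2022-08-02T23:59:58Z 10.0.7.8 query placeholder-c2-domain-1.invalid A 198.51.100.25
2023-01-09T11:05:00Z 10.0.9.3 query newhkdaily.com.cdn-cache.test A 192.0.2.7
2024-06-30T08:00:00Z 10.0.1.2 query updates.example.net A 203.0.113.10
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) (?P<answer>\S+)$"
)


def matching_ioc_domain(qname, ioc_domains):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Labels are compared from the right, so 'a.b.newhkdaily.com' matches 'newhkdaily.com'
    while 'newhkdaily.com.cdn-cache.test' does not; a plain substring test would give
    that false positive. Trailing dots and case are normalised first.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def hunt_dns_log(log_text, ioc_domains, ioc_ips, lookback_days, now):
    """Scan log_text and return one hit dict per line that touches an indicator.

    Lines older than the lookback window are skipped. Each hit records every reason it
    matched (indicator domain, indicator answer IP, or both) so that dual matches can be
    triaged first.
    """
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines rather than abort the whole hunt
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue
        reasons = []
        ioc = matching_ioc_domain(m["qname"], ioc_domains)
        if ioc:
            reasons.append(f"domain:{ioc}")
        if m["answer"] in ioc_ips:
            reasons.append(f"ip:{m['answer']}")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "reasons": reasons})
    return hits


def clients_by_hit_count(hits):
    """Aggregate hits per internal client so the hosts with the most matches are triaged first."""
    return Counter(h["client"] for h in hits)


def run_sample(lookback_days=5 * 365):
    """Run the hunt over the constructed log from a fixed reference date (2025-01-01)."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed reference time, constructed
    return hunt_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS, IOC_IPS, lookback_days, now)


if __name__ == "__main__":
    found = run_sample()
    for h in found:
        print(h["ts"], h["client"], h["qname"], ", ".join(h["reasons"]))
    print(clients_by_hit_count(found))
```

Against the sample log this reports three lines: the two that match both an indicator domain and an indicator IP, and the last one, where an unrelated name resolved to an indicator IP, which is exactly the kind of hit that a domain-only search would miss. The suffix-aware matcher is the part worth carrying over into whatever query language a real SIEM uses, since a naive `contains` filter will both over-match lookalike names and miss nothing, while a bare equality filter will miss every subdomain.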
Via The Hacker News