
"This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas. UNC2814 is also suspected to be linked to additional infections in more than 20 other nations. The tech giant, which has been tracking the threat actor since 2017, has observed it using API calls to communicate with software-as-a-service (SaaS) apps as command-and-control (C2) infrastructure."
"Central to the hacking group's operations is a novel backdoor dubbed GRIDTIDE that abuses Google Sheets API as a communication channel to disguise C2 traffic and facilitate the transfer of raw data and shell commands. It's a C-based malware that supports file upload/download and the execution of arbitrary shell commands."
"Attacks mounted by the threat actor have leveraged a service account to move laterally within the environment via SSH. Also put to use are living-off-the-land (LotL) binaries to conduct reconnaissance, escalate privileges, and set up persistence for the backdoor. To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service."
Google and industry partners disrupted the infrastructure of UNC2814, a sophisticated cyber espionage group with a suspected China nexus that targeted at least 53 organizations across 42 countries, with suspected links to infections in over 20 additional nations. The group, tracked since 2017, primarily targets international governments and telecommunications organizations across Africa, Asia, and the Americas. UNC2814 employs a novel C-based backdoor called GRIDTIDE that abuses the Google Sheets API to disguise command-and-control traffic as benign SaaS activity. The group gains initial access by exploiting web servers and edge systems, then uses a service account for lateral movement via SSH, living-off-the-land binaries for reconnaissance, privilege escalation and persistence (a systemd unit at /etc/systemd/system/xapt.service), and deploys SoftEther VPN Bridge for encrypted outbound connections.
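The two hunting checks below are an added example written for this page; they are not code from Google, Mandiant or The Hacker News. They turn the tradecraft quoted above (the Google Sheets API used as a C2 channel, and a systemd unit at /etc/systemd/system/xapt.service for persistence) into heuristics a defender can run over their own telemetry. Everything in the sample data is constructed for illustration: the server inventory, the egress log format and lines, the unit-file contents and in particular the ExecStart path given to xapt.service are assumptions, not observed indicators.

```python
"""Hunting heuristics for the UNC2814/GRIDTIDE tradecraft described above.

Added example, not code from the article or from Google. All hostnames,
inventory, log lines and unit-file contents are constructed. Two checks:

1. Egress/proxy logs: servers (which normally have no business talking to
   Google Sheets) contacting sheets.googleapis.com.
2. systemd unit files: units whose ExecStart binary lives outside the
   package-managed directories, the pattern a dropped xapt.service would show.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed: hosts known to be servers with no interactive users.
SERVER_INVENTORY = {"web-01", "web-02", "db-01", "edge-fw-01"}

# The SaaS API the article says GRIDTIDE abuses as a C2 channel.
SAAS_C2_HOSTS = {"sheets.googleapis.com"}

# Constructed egress log format: "<ts> <src_host> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Directories where package managers normally install service binaries.
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                     "/bin/", "/sbin/", "/lib/")


@dataclass(frozen=True)
class Finding:
    source: str   # host name or unit name
    reason: str


def hunt_saas_c2(log_lines, servers=SERVER_INVENTORY, c2_hosts=SAAS_C2_HOSTS):
    """Return one Finding per server request to a SaaS API abused as C2."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than fail the whole run
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0].lower()
        if m["src"] in servers and host in c2_hosts:
            findings.append(Finding(m["src"], f"{m['method']} to {host} from a server"))
    return findings


def audit_systemd_unit(name, unit_text, trusted_dirs=TRUSTED_EXEC_DIRS):
    """Flag a unit whose ExecStart binary is outside package-managed dirs."""
    findings = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("execstart="):
            continue
        value = line.split("=", 1)[1].strip()
        # systemd permits prefixes such as '-', '@', '+', '!' and ':' before the path.
        value = value.lstrip("-@+!:")
        try:
            argv = shlex.split(value)
        except ValueError:
            findings.append(Finding(name, "unparseable ExecStart"))
            continue
        if argv and not argv[0].startswith(trusted_dirs):
            findings.append(Finding(name, f"ExecStart outside package directories: {argv[0]}"))
    return findings


# Constructed sample telemetry: a workstation and two servers hitting Sheets.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z laptop-alice GET https://sheets.googleapis.com/v4/spreadsheets/abc 200",
    "2024-05-01T10:00:05Z web-01 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 200",
    "2024-05-01T10:00:07Z web-01 GET https://deb.debian.org/debian/dists/bookworm/InRelease 200",
    "2024-05-01T10:00:09Z db-01 PUT https://sheets.googleapis.com/v4/spreadsheets/abc/values/B2 200",
]

# Constructed unit files; the xapt.service body (and its ExecStart path) is an assumption.
SAMPLE_UNITS = {
    "xapt.service": "[Unit]\nDescription=helper\n[Service]\nExecStart=/var/tmp/.x/xapt --daemon\n"
                    "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
}

if __name__ == "__main__":
    for f in hunt_saas_c2(SAMPLE_LOGS):
        print("egress:", f.source, f.reason)
    for unit_name, text in SAMPLE_UNITS.items():
        for f in audit_systemd_unit(unit_name, text):
            print("systemd:", f.source, f.reason)
```

Both checks are hunting heuristics, not indicators: some server fleets do legitimately automate against Google Sheets, and some vendor software installs under /opt, so tune the inventory and trusted-directory list to the environment and treat a hit as a lead to pivot on (who owns the service account, what the unit's binary is, whether the same host shows SSH lateral movement) rather than as a verdict.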
Read at The Hacker News