ShadowSilk targets government entities in Central Asia and APAC using Telegram bots
Summary
ShadowSilk, a threat activity cluster, has targeted nearly three dozen government entities in Central Asia and the Asia-Pacific (APAC) region. The attacks, primarily aimed at data exfiltration, leverage spear-phishing emails and Telegram bots for command-and-control (C2) traffic to evade detection. The group employs a diverse toolkit, including public exploits and custom malware, to maintain persistence and move laterally within networks. The victims span Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, with a focus on government organizations and, to a lesser extent, entities in the energy, manufacturing, retail, and transportation sectors. ShadowSilk's operations are run by a bilingual crew, with Russian-speaking developers and Chinese-speaking operators, indicating a multi-regional threat profile.
Timeline
- 27.08.2025 16:47 (1 article): ShadowSilk targets government entities in Central Asia and APAC using Telegram bots
  Source: ShadowSilk Hits 35 Organizations in Central Asia and APAC Using Telegram Bots, thehackernews.com, 27.08.2025 16:47
Information Snippets
All snippets below were first reported 27.08.2025 16:47 (1 source, 1 article: ShadowSilk Hits 35 Organizations in Central Asia and APAC Using Telegram Bots, thehackernews.com, 27.08.2025 16:47).
- ShadowSilk has targeted nearly three dozen government entities in Central Asia and the APAC region.
- The attacks use spear-phishing emails to deliver a custom loader that hides C2 traffic behind Telegram bots.
- The group employs public exploits for Drupal and the WP-Automatic WordPress plugin.
- ShadowSilk uses a diverse toolkit, including FOFA, Fscan, Gobuster, Dirsearch, Metasploit, and Cobalt Strike.
- The threat actor incorporates JRAT and Morf Project web panels for managing infected devices.
- ShadowSilk deploys web shells, Sharp-based post-exploitation tools, and tunneling utilities for lateral movement.
- The group uses a Python-based RAT that communicates via Telegram bots to disguise malicious traffic.
- ShadowSilk's operations are run by a bilingual crew, with Russian-speaking developers and Chinese-speaking operators.
Similar Happenings
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory attributes this cluster of activity to multiple APTs, and it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
AI-Generated Fake Employees Exploit Remote Work to Gain Access to Corporate Networks
AI-generated fake employees are increasingly infiltrating corporate networks, exploiting remote work and gig economy trends. These fake employees, often backed by state-sponsored actors, gain privileged access to steal intellectual property and virtual currency. The issue is exacerbated by the ease of falsifying documents and conducting virtual interviews using AI. North Korean actors have been particularly active, using fake identities to secure jobs in various sectors, including blockchain research and development. The Justice Department has shut down several laptop farms facilitating these activities, but the problem persists. The U.S. Treasury Department has also sanctioned individuals and entities involved in these schemes, revealing significant financial transfers and profits. Organizations need to implement multi-layered security measures, including access governance, behavioral analytics, and AI-driven monitoring, to mitigate this risk. The scheme has expanded to Europe and deepened its networks in the Asia Pacific, with operatives claiming residency in Japan, Malaysia, Singapore, and Vietnam. The Japanese government has warned companies to verify identities and requested freelance-platform providers to reinforce anti-fraud efforts. The U.S. Treasury Department has sanctioned additional entities for their roles in the IT worker scheme, accusing them of generating revenue for the Democratic People's Republic of Korea (DPRK). The threat of remote hiring fraud is escalating rapidly, with a 220% increase in cases year-over-year. North Korean operatives have used AI-generated profiles, deepfakes, and real-time AI manipulation to pass interviews and vetting protocols. American accomplices have operated laptop farms to provide physical US setups, company-issued machines, and domestic addresses and identities. The scheme targets Fortune 500 companies, indicating a systematic and organized campaign. 
To mitigate this risk, organizations should consider implementing zero standing privileges (ZSP) to ensure only the minimum access required to function is granted, and to revoke that access when the task is complete.
Iranian Cyber Threat Actors Targeting U.S. Critical Infrastructure
Iranian state-sponsored or affiliated cyber threat actors, specifically the group tracked as Storm-2460 and Homeland Justice, are actively targeting U.S. critical infrastructure and diplomatic entities globally. These actors exploit known vulnerabilities in unpatched software, compromise accounts with weak passwords, and collaborate with ransomware affiliates to encrypt, steal, and leak sensitive information. The PipeMagic malware, used to deploy RansomExx ransomware, has been observed targeting various sectors, including IT, financial, and real estate in multiple regions. The PipeMagic malware is now part of the Play ransomware attack chain and mimics ChatGPT Desktop to disguise itself. While no coordinated campaign has been detected, vigilance is urged. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), and National Security Agency (NSA) are actively monitoring and coordinating with partners to share intelligence and provide resources. Organizations are advised to report any suspicious activity.