China-Based RedJuliett Targets Taiwan in Cyber Espionage Campaign

Summary:
RedJuliett, a likely Chinese state-sponsored hacking group, conducted a cyber espionage campaign targeting Taiwan and other countries from November 2023 to April 2024, according to Recorded Future's Insikt Group. The group compromised 24 organizations, including government agencies in Taiwan, Laos, Kenya, and Rwanda. They also performed network reconnaissance and attempted exploitation against over 70 academic, government, think tank, and technology organizations in Taiwan, as well as multiple de facto embassies on the island. Approximately 60% of the identified victim organizations were in Taiwan, with others located in Hong Kong, South Korea, Laos, the United States, Rwanda, Kenya, and Djibouti.

RedJuliett exploited known vulnerabilities in internet-facing appliances such as firewalls, VPNs, and load balancers for initial access. They also attempted SQL injection and directory traversal exploits against web and SQL applications. Post-exploitation activities included using open-source webshells and exploiting privilege elevation vulnerabilities in the Linux OS. The group used the open-source VPN software SoftEther to administer their operational infrastructure, which included both threat actor-controlled servers leased from VPS providers and compromised infrastructure belonging to three Taiwanese universities.
Security Officer Comments:
RedJuliett is a new cyber espionage group operating from Fuzhou, the capital of China's Fujian province. Its activity was first reported by Microsoft in August 2023, which tracks the group under the name Flax Typhoon. CrowdStrike identified a similar group, Ethereal Panda, with overlapping tactics, techniques, and procedures. The Insikt Group report noted the significant overlap between RedJuliett and these aliases. Suspected administration activity from Chinanet IP addresses in Fuzhou to RedJuliett's SoftEther servers was consistent with established SoftEther VPN connections. While the group's affiliation with China's Ministry of State Security or People's Liberation Army (PLA) is unknown, its location in Fuzhou aligns with the PLA Eastern Theater Command's focus on Taiwan.

Based on their location and activities, Insikt Group assessed that RedJuliett is likely sponsored by the Chinese government. Their activities align with Beijing's objectives to gather intelligence on Taiwan’s economic policy, trade, and diplomatic relations, and to target critical technology companies. The Insikt Group anticipates RedJuliett will continue exploiting vulnerable public-facing devices due to their past success with such tactics.

Suggested Corrections:
Organizations likely to be targeted by RedJuliett should adopt the following measures:

  1. Network Segmentation: Practice network segmentation by isolating internet-facing services in a demilitarized zone (DMZ).
  2. Security Monitoring: Ensure security monitoring and detection capabilities for all external-facing services and devices. Monitor for follow-on activities such as the use of web shells, backdoors, or reverse shells and lateral movement within internal networks.
  3. Review Public Guidance: Review public guidance on mitigating common TTPs used by Chinese state-sponsored groups and Insikt Group’s report on trends and recommendations for mitigating Chinese APT activity more broadly.
  4. Risk-Based Patching: Ensure a risk-based approach for patching vulnerabilities, prioritizing high-risk vulnerabilities and those being exploited in the wild, as identified by Recorded Future Vulnerability Intelligence.
  5. Prioritize RCE Vulnerabilities: Focus on addressing remote code execution (RCE) vulnerabilities in popular VPN, mail server, firewall, and load-balancing appliances, particularly F5 BIG-IP, Fortinet FortiGate, and ZyXEL ZyWALL devices.
  6. Malicious Traffic Analysis: Use Malicious Traffic Analysis (MTA) to proactively detect and alert on internal infrastructure communicating with known RedJuliett command-and-control (C2) IP addresses.
  7. Monitor Supply Chains: Monitor real-time threat intelligence output for suspected intrusion activity involving key vendors and partners.
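Items 2 and 6 above both come down to running detection logic over existing telemetry: matching outbound flows against a C2 indicator list, and spotting web shell usage on internet-facing web servers. The following Python script is an added example written for this page, not code from Recorded Future or the Insikt Group report. The indicator list, the key=value firewall log format, the Common Log Format access log lines and the `KNOWN_ENDPOINTS` allowlist are all constructed placeholders; in practice the indicators come from a threat-intelligence feed and the allowlist from the application's real route table.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder indicators (documentation ranges), standing in for a
# real C2 IP/CIDR list from a threat-intelligence feed.
C2_INDICATORS = ["203.0.113.0/24", "198.51.100.7"]

# Constructed firewall connection log lines in a generic key=value style.
FIREWALL_LOGS = [
    "ts=2024-03-01T10:00:00Z src=10.0.5.12 dst=198.51.100.7 dport=443 action=allow",
    "ts=2024-03-01T10:00:05Z src=10.0.5.12 dst=93.184.216.34 dport=443 action=allow",
    "ts=2024-03-01T10:00:09Z src=10.0.7.3 dst=203.0.113.45 dport=5555 action=allow",
]

# Constructed web server access log lines (Common Log Format).
ACCESS_LOGS = [
    '10.0.5.12 - - [01/Mar/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.45 - - [01/Mar/2024:10:01:03 +0000] "POST /uploads/img.php HTTP/1.1" 200 87',
    '203.0.113.45 - - [01/Mar/2024:10:01:04 +0000] "POST /uploads/img.php HTTP/1.1" 200 91',
    '203.0.113.45 - - [01/Mar/2024:10:01:06 +0000] "POST /uploads/img.php HTTP/1.1" 200 85',
    '10.0.5.13 - - [01/Mar/2024:10:01:10 +0000] "POST /login.php HTTP/1.1" 302 0',
]

KV_RE = re.compile(r"(\w+)=(\S+)")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def compile_indicators(indicators):
    """Turn IP and CIDR strings into network objects so single IPs and ranges
    can both be checked with a containment test."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def match_c2_connections(lines, indicators):
    """Return (src, dst, matched_indicator) for every flow whose destination
    falls inside one of the indicator networks."""
    nets = compile_indicators(indicators)
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        try:
            dst = ipaddress.ip_address(fields.get("dst", ""))
        except ValueError:
            continue  # malformed or missing dst: skip rather than crash the job
        for net in nets:
            if dst in net:
                hits.append((fields["src"], str(dst), str(net)))
                break
    return hits


# Server-side script extensions a dropped web shell would typically use.
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".ashx")
# Assumed allowlist of legitimate POST targets for this (hypothetical) application.
KNOWN_ENDPOINTS = {"/login.php", "/index.php"}


def find_webshell_candidates(lines, min_posts=3):
    """Flag (client, path) pairs that repeatedly POST successfully to a script
    outside the known application surface, a common web shell usage pattern."""
    counts = Counter()
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _, method, path, status, _ = m.groups()
        path_only = path.split("?")[0]
        if (method == "POST" and path_only.endswith(SCRIPT_EXT)
                and path_only not in KNOWN_ENDPOINTS and status == "200"):
            counts[(client, path_only)] += 1
    return sorted(k for k, n in counts.items() if n >= min_posts)


if __name__ == "__main__":
    for src, dst, net in match_c2_connections(FIREWALL_LOGS, C2_INDICATORS):
        print(f"C2 match: {src} -> {dst} (indicator {net})")
    for client, path in find_webshell_candidates(ACCESS_LOGS):
        print(f"web shell candidate: {client} repeatedly POSTs to {path}")
```

The two checks are deliberately kept independent so each can be scheduled against its own log source; correlating them (the same external address both appearing as a C2 destination and driving a suspected web shell) is a natural next step in a SIEM rule. The `min_posts` threshold and the allowlist are the tuning knobs: raise the threshold on noisy applications, and keep the allowlist in sync with real deployments so that routine form submissions are not flagged.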

Link(s):
https://www.infosecurity-magazine.com/news/china-redjuliett-targets-taiwan/