Chinese threat actors deployed a custom Linux backdoor on compromised network edge devices to maintain persistent access into the networks of US legal services firms, software-as-a-service (SaaS) providers, business process outsourcers and technology companies.
On average, these backdoors remained undetected for 393 days and were used as a staging point for lateral movement to VMware vCenter and ESXi hosts, Windows workstations and servers, and Microsoft 365 mailboxes.
“The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims,” researchers from Mandiant and Google’s Threat Intelligence Group found during their incident response engagements.