
"Salt Typhoon is the People's Republic of China spying gang that hacked America's major telecommunications firms and stole metadata and other information belonging to "nearly every American," according to a top FBI cyber official who spoke with The Register about the intrusions. UNC4841 is best known for a series of 2023 attacks that targeted CVE-2023-2868, a critical bug in some Barracuda Email Security Gateways, to deploy custom malware and maintain access to high-value networks, about a third of which belonged to government organizations."
"The threat researchers note that key domain registration patterns in Salt Typhoon's previously-reported command and control (C2) infrastructure helped them uncover the new domain names, several of which shared the same registrant - "almost certainly fake" personas including "Shawn Francis," "Monica Burch," and "Tommie Arnold," most using ProtonMail email addresses, and all of whom purportedly live in the US and have physical addresses that don't exist."
Forty-five domains were identified and linked to Salt Typhoon or UNC4841, most previously unreported, indicating stealthy long-term access since 2020. Salt Typhoon compromised major U.S. telecommunications firms and exfiltrated metadata and other information belonging to nearly every American. UNC4841 exploited CVE-2023-2868 in Barracuda Email Security Gateways in 2023 to deploy custom malware and maintain access to high-value networks, including many government organizations. Key domain registration patterns matched previously reported C2 infrastructure; many domains shared fake registrant personas using ProtonMail and nonexistent US addresses. One domain impersonates a Hong Kong newspaper (newhkdaily[.]com) with unclear intent. Defenders should check telemetry and historic logs against these domains.
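The summary's closing recommendation, checking telemetry and historic logs against the reported domains, as an added example that is not from The Register article or this page: it refangs indicators written in the `[.]` notation the report uses, then matches DNS query logs on the exact domain or any subdomain. Only newhkdaily[.]com comes from the page; the second indicator, the log format and the log lines are constructed.

```python
"""Match DNS query logs against a defanged indicator list (added example)."""
import re
from typing import Optional

# Indicators as they appear in reporting, defanged with "[.]".
# newhkdaily[.]com is from the page; the second entry is a constructed placeholder.
DEFANGED_IOCS = [
    "newhkdaily[.]com",
    "example-placeholder-c2[.]net",  # constructed, not a real indicator
]

def refang(domain: str) -> str:
    """Turn 'a[.]b' / 'hxxp://' style defanging back into a plain hostname."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return d.rstrip(".")

def matches_ioc(hostname: str, iocs: set) -> Optional[str]:
    """Return the IOC that hostname equals or is a subdomain of, else None."""
    h = hostname.lower().rstrip(".")  # normalise case and trailing root dot
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None

# Constructed sample lines in a simple "timestamp client qname" DNS log shape.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 www.example.com
2024-06-01T10:00:02Z 10.0.0.7 mail.newhkdaily.com
2024-06-01T10:00:03Z 10.0.0.9 notnewhkdaily.com
2024-06-01T10:00:04Z 10.0.0.5 NEWHKDAILY.COM.
"""

def scan_dns_log(text: str, defanged: list = DEFANGED_IOCS) -> list:
    """Return (client, qname, ioc) for every log line whose qname hits an IOC."""
    iocs = {refang(d) for d in defanged}
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        client, qname = parts[1], parts[2]
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append((client, qname, ioc))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (matches {ioc})")
```

Note that a substring match would also flag `notnewhkdaily.com`; the suffix check on `"." + ioc` avoids that false positive while still catching subdomains.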
Read at Theregister