-
Notifications
You must be signed in to change notification settings - Fork 388
/
Copy pathchina_nexus_threat_activity.yml
22 lines (22 loc) · 2.27 KB
/
china_nexus_threat_activity.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
name: China-Nexus Threat Activity
id: ac8b8e7c-ed27-428b-871f-ceb9400c733a
version: 2
date: '2025-02-24'
author: Teoderick Contreras, Splunk
status: production
description: Leverage searches that allow you to detect and investigate unusual activities that might relate to Nexus, Chinese state-nexus adversaries known for its stealth and strategic targeting of high-value sectors. Monitor for indicators such as spear-phishing campaigns, exploitation of zero-day vulnerabilities, and unauthorized lateral movement within your network. Investigate anomalous data exfiltration, encrypted communications, and behaviors aligning with their known tactics, techniques, and procedures (TTPs). Combining threat intelligence with real-time monitoring helps identify and respond to Nexus APT activity, minimizing potential damage and data loss.
narrative: As described by Crowdstrike, Chinese state-nexus threat group or adversary are known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. Compromised entities in either sector represent potential supply chain vectors of concern to Splunk, although telecommunications entities are a more pervasive and acute concern in this regard. These actors are also known to broadly target unpatched routers, switches and other edge devices across various sectors. Given these threats, Splunk Threat Intelligence (TI) undertook a detailed investigation into China-nexus tactics and techniques that could be used in attempts to compromise Splunk. This report is the result of that investigation, detailing noteworthy behaviors and tools employed by China-nexus targeted intrusion actors.
references:
- https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
- https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95?st=oe1KKi&reflink=desktopwebshare _permalink
- https://www.judiciary.senate.gov/imo/media/doc/2024-11-19_pm_-_testimony_-_meyers.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/GlobalThreatReport2024.pdf
- https://www.crowdstrike.com/adversaries/envoy-panda/
tags:
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection