
“Across incidents, the same story repeats. A small web-facing issue becomes the first step. A series of quiet pivots leads to domain-level control. The environment is then repurposed as part of a larger network that powers operations against additional targets,” said Check Point. As for the group’s own traffic, it hides its communications inside ordinary mailbox drafts so that they blend in with everyday email activity.
Coincidentally, Check Point found that a second Chinese threat group, RudePanda, was simultaneously exploiting IIS weaknesses to compromise government servers. This meant that RudePanda “ended up operating in the same [compromised] environments at the same time.”
The discoveries underscore how much IIS misconfiguration matters. Beyond listing the group’s indicators of compromise (IoCs), Check Point offers no specific advice on how to counter this. Nevertheless, some actions suggest themselves: audit the modules loaded by IIS against a known-good baseline, enable advanced IIS logging, harden the ASP.NET view state settings that common view state attacks rely on, and consider putting IIS servers behind a web application firewall (WAF).
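Two of those actions, the module baseline audit and the view state check, can be run offline against configuration files collected from a server. The script below is an added example, not code from Check Point or from the article; the baseline set and both configuration fragments are constructed for illustration, and the weak-algorithm and static-key checks reflect general ASP.NET hardening guidance rather than anything the report specifies.

```python
import xml.etree.ElementTree as ET

# Constructed known-good module baseline; a real one is captured from a clean,
# freshly built server of the same role (assumption: native global modules only).
BASELINE_MODULES = {"StaticFileModule", "DefaultDocumentModule", "HttpLoggingModule",
                    "RequestFilteringModule", "ManagedEngineV4.0_64bit"}

# Constructed applicationHost.config fragment: one module outside the baseline,
# loaded from a writable path rather than %windir%\System32\inetsrv.
SAMPLE_APPHOST = """<configuration><system.webServer><globalModules>
  <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
  <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
  <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
  <add name="CacheHelperModule" image="C:\\inetpub\\temp\\cachehelper.dll" />
</globalModules></system.webServer></configuration>"""

# Constructed web.config fragment with weak view state settings.
SAMPLE_WEBCONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="SHA1" />
</system.web></configuration>"""

def unexpected_modules(apphost_xml, baseline):
    """Global modules not in the baseline, mapped to the DLL image they load."""
    root = ET.fromstring(apphost_xml)
    return {add.get("name"): add.get("image", "")
            for add in root.iterfind("./system.webServer/globalModules/add")
            if add.get("name") not in baseline}

def viewstate_findings(webconfig_xml):
    """View state settings that weaken integrity checking or key handling."""
    root = ET.fromstring(webconfig_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: view state integrity is not checked")
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        if mk.get("validation", "").upper() in {"MD5", "SHA1"}:
            findings.append(f"weak validation algorithm {mk.get('validation')}; use HMACSHA256 or stronger")
        if any(not mk.get(k, "AutoGenerate").startswith("AutoGenerate")
               for k in ("validationKey", "decryptionKey")):
            findings.append("static machineKey present: treat as a secret and rotate if it may have leaked")
    return findings

if __name__ == "__main__":
    for name, image in unexpected_modules(SAMPLE_APPHOST, BASELINE_MODULES).items():
        print(f"[module] {name} -> {image}")
    for finding in viewstate_findings(SAMPLE_WEBCONFIG):
        print(f"[viewstate] {finding}")
```

Any module outside the baseline, especially one loaded from a path outside the IIS install directory, is a candidate for closer inspection rather than automatic removal.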
