
ReliaQuest's Agentic AI Uncovers New China-Linked Cluster OP-512

ReliaQuest, 05/06/2026, 11:00

Summary

AI-Generated

Key Points:

  • A new China-linked espionage cluster, identified as "OP-512," has been uncovered, targeting legacy Internet Information Services (IIS) servers using a sophisticated custom web shell framework.
  • Organizations running outdated .NET frameworks face espionage activity, with the risk of prolonged undetected access and data exfiltration.
  • Organizations should prioritize migrating or segmenting end-of-life .NET frameworks and enhance monitoring for unusual DNS queries and web shell activity.

Technical Details: OP-512 employs a unique web shell framework that utilizes cryptographic controls for access and reporting, making traditional signature-based detection ineffective. The attack leverages vulnerabilities in unsupported .NET Framework 4.0 on IIS servers.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1068 - Exploitation for Privilege Escalation (Privilege Escalation)
  • T1027 - Obfuscated Files or Information (Defense Evasion)

IOCs Mentioned:

  • ashx.lhlsjcb[.]com
  • hcgos[.]com
  • 43.160.202[.]246:8053
  • 140.206.161[.]227:443
  • 124.156.129[.]151

Organizations must remain vigilant against this evolving threat landscape, particularly those utilizing legacy systems susceptible to such targeted attacks.
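The summary recommends monitoring for unusual DNS queries and web shell activity and lists several IOCs. As an added example (not ReliaQuest's code and not part of the original report), the script below refangs the listed IOCs and runs three defender-side checks over constructed sample logs: DNS queries to the listed domains, outbound connections to the listed IP:port pairs, and a generic IIS web shell heuristic (POST requests to .ashx/.aspx/.asmx handlers placed under content directories, with no Referer). The log formats, the content-directory list and the heuristic itself are assumptions for this example, not behaviour the report attributes to OP-512.

```python
"""Added example: match the summary's IOCs and a generic web shell heuristic
against constructed DNS, connection and IIS logs. Log formats are assumed."""
import re

# IOCs exactly as listed in the summary (defanged with "[.]").
DEFANGED_IOCS = [
    "ashx.lhlsjcb[.]com",
    "hcgos[.]com",
    "43.160.202[.]246:8053",
    "140.206.161[.]227:443",
    "124.156.129[.]151",
]


def refang(ioc: str) -> str:
    """Turn '[.]' back into '.' so the value can be compared with live log fields."""
    return ioc.replace("[.]", ".")


def split_iocs(iocs):
    """Sort IOCs into domains, (ip, port) endpoints and bare IPs."""
    domains, endpoints, ips = set(), set(), set()
    for raw in iocs:
        host, _, port = refang(raw).partition(":")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            ips.add(host)
            if port:
                endpoints.add((host, int(port)))
        else:
            domains.add(host.lower())
    return domains, endpoints, ips


DOMAINS, ENDPOINTS, IPS = split_iocs(DEFANGED_IOCS)

# Constructed sample logs (not real telemetry). Field layouts are assumptions.
DNS_LOG = """\
2026-05-06T10:01:02Z web01 A ashx.lhlsjcb.com
2026-05-06T10:01:03Z web01 A update.microsoft.com
2026-05-06T10:02:10Z web02 A HCGOS.com
"""

CONN_LOG = """\
2026-05-06T10:01:05Z web01 43.160.202.246 8053
2026-05-06T10:01:06Z web01 140.206.161.227 8443
2026-05-06T10:01:07Z web02 124.156.129.151 443
2026-05-06T10:01:08Z web02 13.107.4.52 443
"""

IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2026-05-06 10:01:00 GET /index.aspx - 198.51.100.7 Mozilla/5.0 - 200
2026-05-06 10:01:30 POST /uploads/cache.ashx - 198.51.100.7 python-requests/2.31 - 200
2026-05-06 10:01:31 POST /Account/Login.aspx - 203.0.113.9 Mozilla/5.0 https://intranet.example/Login 302
2026-05-06 10:01:40 POST /images/thumb.aspx cmd=1 203.0.113.9 - - 200
"""


def domain_matches(qname: str, domains) -> bool:
    """Exact match or subdomain of a listed domain, case-insensitive."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def match_dns(log: str, domains=DOMAINS):
    """Flag DNS queries (ts host qtype qname) for listed domains."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, _qtype, qname = parts
        if domain_matches(qname, domains):
            hits.append({"ts": ts, "host": host, "qname": qname})
    return hits


def match_connections(log: str, endpoints=ENDPOINTS, ips=IPS):
    """Flag outbound connections (ts host dst_ip dst_port); an IP-only hit is
    still reported so that a changed C2 port does not hide the destination."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst_ip, dst_port = parts
        dst = f"{dst_ip}:{dst_port}"
        if (dst_ip, int(dst_port)) in endpoints:
            hits.append({"ts": ts, "host": host, "dst": dst, "match": "ip+port"})
        elif dst_ip in ips:
            hits.append({"ts": ts, "host": host, "dst": dst, "match": "ip-only"})
    return hits


# Heuristic assumptions: handler extensions and directories that normally hold
# only static content, so a POST to a handler there is worth a look.
HANDLER_EXTS = (".ashx", ".aspx", ".asmx")
CONTENT_DIRS = {"uploads", "images", "temp", "static"}


def suspect_webshell_requests(log: str):
    """Flag POSTs to script handlers under content directories with no Referer."""
    hits = []
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 9:
            continue
        date, time_, method, stem, _query, c_ip, ua, referer, status = parts
        top_dir = stem.lstrip("/").split("/")[0].lower()
        if (method == "POST" and stem.lower().endswith(HANDLER_EXTS)
                and top_dir in CONTENT_DIRS and referer == "-"):
            hits.append({"ts": f"{date} {time_}", "stem": stem,
                         "c_ip": c_ip, "ua": ua, "status": status})
    return hits


def run_detections():
    """Run all three checks over the constructed logs and return the hits."""
    return {
        "dns": match_dns(DNS_LOG),
        "connections": match_connections(CONN_LOG),
        "webshell": suspect_webshell_requests(IIS_LOG),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

The IOC match is deliberately split into exact endpoint hits and IP-only hits: a listed address seen on a different port is lower confidence but still worth triage, and the plain IP in the list (124.156.129[.]151) has no port to match on. The web shell heuristic is a starting point for hunting on legacy IIS hosts, not a signature for this cluster; tune CONTENT_DIRS and HANDLER_EXTS to the application's actual layout to keep false positives down.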
