| RedJuliett | |
|---|---|
| Location | China |
| Date of initial activity | 2023 |
| Suspected Attribution | State-Sponsored Threat Group |
| Motivation | Cyberwarfare |
| Associated Tools | SoftEther VPN, Acunetix Web Application Security Scanners, Open-Source Web Shells, Malicious Traffic Analysis Tools |
| Software | Servers |
Overview
RedJuliett, a likely Chinese state-sponsored threat actor, has intensified its cyber espionage operations targeting Taiwan, with a notable surge in activity from November 2023 to April 2024. This group has leveraged advanced technical tactics to exploit vulnerabilities in network perimeter devices, including firewalls, VPNs, and load balancers. This article provides a detailed examination of how RedJuliett operates on a technical level, outlining their methods of exploitation, persistence techniques, and strategic objectives.
Common Targets
Sectors:
- Public Administration
- Educational Services
- Information
Countries and regions:
- Taiwan
- Hong Kong
- Malaysia
- Laos
- South Korea
- The United States
- Djibouti
- Kenya
- Rwanda
Attack vectors
Software Vulnerabilities
How they work
RedJuliett’s primary technique for initial access involves exploiting known vulnerabilities in network edge devices. By targeting firewalls, VPNs, and load balancers, the group gains unauthorized access to victim networks. This tactic aligns with their known preference for compromising public-facing devices. For instance, RedJuliett has been observed using SQL injection and directory traversal exploits against web applications and SQL-backed services to further infiltrate networks. These methods allow the group to penetrate deeper into the target systems, bypassing traditional perimeter security controls.
Once inside, RedJuliett employs a range of persistence techniques to maintain their foothold. One of their key strategies involves setting up a SoftEther VPN bridge or client within the victim’s network. This VPN infrastructure facilitates stealthy and sustained access to the compromised systems. Additionally, RedJuliett uses open-source web shells to establish a backdoor for ongoing control. The exploitation of an elevation of privilege vulnerability in Linux operating systems further enhances their ability to maintain access and escalate privileges as needed.
The group’s operational infrastructure includes both threat actor-controlled leased servers and compromised infrastructure belonging to Taiwanese universities. By utilizing compromised infrastructure, RedJuliett effectively obfuscates their activities and makes it harder for defenders to identify and block their operations. Their use of SoftEther VPN for managing command and control (C2) communication is a notable aspect of their technical approach, allowing them to securely and reliably manage their attacks.
RedJuliett’s activities are driven by a strategic focus on intelligence-gathering related to Taiwan’s economic policies, diplomatic relations, and critical technology sectors. The group’s efforts to target government, academic, and technology organizations in Taiwan align with Beijing’s broader objectives. Their operations have also expanded to other regions, including Hong Kong, Malaysia, and South Korea, indicating a broad and adaptive approach to cyber espionage.
To counter threats posed by RedJuliett, organizations should implement several defensive measures. Network segmentation is crucial to isolate internet-facing services in a demilitarized zone (DMZ), reducing the risk of lateral movement within internal networks. Enhanced security monitoring should be employed to detect post-exploitation activities such as the use of web shells and backdoors. Regular risk-based patching of high-risk vulnerabilities, especially those exploited in the wild, is essential. Additionally, proactive monitoring of malicious traffic and real-time analysis of supply chains can help detect and mitigate potential intrusions.
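The monitoring recommended above can be made concrete with a small log-scanning heuristic. The following is an added example written for this profile, not tooling from the original page or from any vendor; it parses constructed web-server access-log lines (sample data, not real telemetry) and flags the three post-exploitation signals discussed in this article: directory traversal, SQL injection, and POST requests to script files in directories that should only hold uploaded content (the `UPLOAD_DIRS` list is an assumed site layout to be adapted per environment). Payloads are URL-decoded twice so that double-encoded traversal sequences are normalised before matching.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines in combined format (not real telemetry).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0800] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:01:09 +0800] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:02:15 +0800] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:05:40 +0800] "POST /uploads/cache.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:05:41 +0800] "POST /uploads/cache.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:06:00 +0800] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Path-traversal sequences in either slash style, checked after decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
# Coarse SQL-injection heuristic: quote followed by boolean operator, UNION SELECT,
# time-based functions, or SQL comment markers.
SQLI_RE = re.compile(r"(?i)('\s*(or|and)\s+|union\s+select|\bsleep\s*\(|--\s|/\*)")
# Assumed layout: these directories should serve static uploads, never executable scripts.
UPLOAD_DIRS = ('/uploads/', '/upload/', '/tmp/', '/images/', '/files/')
SCRIPT_EXT = ('.php', '.jsp', '.jspx', '.aspx', '.ashx')


@dataclass
class Finding:
    ip: str
    rule: str
    target: str


def decode(target: str) -> str:
    """URL-decode twice so double-encoded payloads (%252e%252e%252f) are normalised."""
    return unquote(unquote(target))


def classify(method: str, target: str) -> list[str]:
    """Return the list of rule names that a single request matches (possibly empty)."""
    decoded = decode(target)
    path = decoded.split('?', 1)[0].lower()
    rules = []
    if TRAVERSAL_RE.search(decoded):
        rules.append('directory-traversal')
    if SQLI_RE.search(decoded):
        rules.append('sql-injection')
    # A POST to a server-side script inside an upload directory is the typical
    # footprint of an attacker interacting with a dropped web shell.
    if method == 'POST' and path.endswith(SCRIPT_EXT) and any(d in path for d in UPLOAD_DIRS):
        rules.append('possible-web-shell')
    return rules


def scan_log(text: str) -> list[Finding]:
    """Parse each log line and collect one Finding per matched rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        for rule in classify(m['method'], m['target']):
            findings.append(Finding(m['ip'], rule, m['target']))
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip:15} {f.rule:20} {f.target}")
```

Run against the embedded sample, the scan reports one SQL-injection hit, one traversal hit, and two possible-web-shell hits, all from two client addresses; in practice the findings would be correlated by source address and followed up with a file-integrity check of the flagged script path, since a legitimate application rarely accepts POSTs to scripts in its upload directory.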
MITRE Tactics and Techniques
Resource Development:
Acquire Infrastructure: Virtual Private Server (T1583.003): Utilizes virtual private servers to support their operations, often for command and control (C2) purposes.
Compromise Infrastructure: Server (T1584): Compromises servers within the targeted networks to facilitate further attacks or maintain persistence.
Reconnaissance:
Active Scanning: Vulnerability Scanning (T1595.002): Conducts scanning to identify vulnerabilities in public-facing applications and network devices.
Initial Access:
Exploit Public-Facing Application (T1190): Exploits vulnerabilities in internet-facing applications such as firewalls, VPNs, and load balancers to gain initial access to the victim’s network.
Persistence:
External Remote Services (T1133): Uses external remote services like VPNs to maintain access to the compromised networks.
Server Software Component: Web Shell (T1505.003): Deploys web shells on compromised servers to ensure ongoing access and control.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Exploits vulnerabilities to escalate privileges and gain higher levels of access within the compromised systems.