Chinese APTs Exploited Zero-Day in TeamT5’s ThreatSonar Product in Targeted Supply Chain Attack
Cybersecurity firm TeamT5 has confirmed that CVE-2024-7694, a vulnerability in its ThreatSonar product, was exploited by Chinese advanced persistent threat (APT) groups. The flaw, patched in August 2024, allows attackers who already hold admin privileges to upload malicious files and execute arbitrary commands on vulnerable servers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog last week, requiring federal agencies to remediate it by March 10. TeamT5, which serves government and enterprise clients in the U.S., Japan, and Taiwan, reported that the attacks occurred earlier in 2024 and were highly targeted, focusing on a small number of high-profile customers. All affected organizations were notified and assisted with patching.
TeamT5’s investigation linked the campaign to Chinese APT groups Slime57 and Slime62, which conducted a supply chain attack by exploiting the zero-day. The threat actors used hundreds of compromised Taiwanese IP addresses to obscure their origins, demonstrating significant resources and coordination.
While the company confirmed that all customers have since updated their software, the incident underscores the growing threat of state-backed cyberespionage targeting cybersecurity vendors to gain access to sensitive networks. Previous reports have noted similar Chinese APT activity, including attacks on Taiwanese web hosting firms and the revival of the Tianfu Cup hacking contest under heightened secrecy.
TeamT5 TPRM report: https://www.rankiteo.com/company/teamt5
{
  "id": "tea1771973306",
  "linkid": "teamt5",
  "type": "Vulnerability",
  "date": "1/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "High-profile government and enterprise clients in the U.S., Japan, and Taiwan",
      "industry": "Cybersecurity",
      "location": "Taiwan",
      "name": "TeamT5",
      "type": "Cybersecurity Firm"
    }
  ],
  "attack_vector": "Exploitation of Zero-Day Vulnerability (CVE-2024-7694)",
  "customer_advisories": "Affected organizations were notified and assisted with patching.",
  "date_detected": "2024",
  "date_publicly_disclosed": "2024-08",
  "date_resolved": "2024-08",
  "description": "Cybersecurity firm TeamT5 confirmed that CVE-2024-7694, a vulnerability in its ThreatSonar product, was exploited by Chinese APT groups. The flaw allows attackers with admin privileges to upload malicious files and execute arbitrary commands on vulnerable servers. The attacks were highly targeted, focusing on high-profile customers in the U.S., Japan, and Taiwan. The campaign was linked to Chinese APT groups Slime57 and Slime62, which used compromised Taiwanese IP addresses to obscure their origins.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to supply chain compromise",
    "systems_affected": "ThreatSonar servers"
  },
  "initial_access_broker": {
    "entry_point": "Exploitation of CVE-2024-7694 in ThreatSonar",
    "high_value_targets": "Government and enterprise clients in the U.S., Japan, and Taiwan"
  },
  "investigation_status": "Completed",
  "lessons_learned": "The incident highlights the growing threat of state-backed cyberespionage targeting cybersecurity vendors to gain access to sensitive networks.",
  "motivation": "Cyberespionage",
  "post_incident_analysis": {
    "corrective_actions": "Patching the vulnerability and notifying affected customers",
    "root_causes": "Exploitation of zero-day vulnerability (CVE-2024-7694) by Chinese APT groups"
  },
  "references": [
    {"source": "CISA Known Exploited Vulnerabilities Catalog"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA KEV catalog inclusion (remediation required by March 10, 2025)"
  },
  "response": {
    "communication_strategy": "Notified affected organizations and publicly disclosed the incident",
    "containment_measures": "Patching the vulnerability (CVE-2024-7694)",
    "remediation_measures": "Assisted affected customers with patching"
  },
  "threat_actor": ["Slime57", "Slime62"],
  "title": "Chinese APTs Exploited Zero-Day in TeamT5’s ThreatSonar Product in Targeted Supply Chain Attack",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "CVE-2024-7694"
}