RedNovember Targets Perimeter Devices Across Global Critical Sectors

RedNovember is a highly sophisticated Chinese state-sponsored threat actor (tracked previously as TAG-100 and overlapping with Storm-2077) engaged in cyber-espionage operations. Active from at least mid-2024 to mid-2025, RedNovember has demonstrated advanced capabilities in exploiting edge infrastructure, leveraging open-source tools, and aligning its operations with Chinese geopolitical interests. This threat group poses a significant risk to government, defense, aerospace, and high-technology manufacturing sectors globally.

Severity: High

Threat Details

1. Reconnaissance

  • RedNovember scans internet-facing systems like VPNs, firewalls, and OWA portals.
  • Tools like Acunetix, Burp Suite, and crt.sh are used to gather infrastructure intelligence.

2. Infrastructure Setup

  • The group registers deceptive domains (e.g., offiec[.]us[.]kg) and configures VPS-based C2 servers.
  • These are used to deliver payloads and facilitate communication with infected hosts.

3. Initial Access

  • Access is gained through exploiting edge vulnerabilities or delivering spearphishing lures.

4. Exploited Vulnerabilities

  • CVE-2024-3400 (Palo Alto GlobalProtect RCE), CVE-2024-24919 (Check Point VPN Arbitrary File Read), and CVE-2022-30190 (Microsoft Follina Exploit in Word Documents).

5. Execution

  • LESLIELOADER is used to load SparkRAT or Cobalt Strike in memory for stealthy execution.
  • Payloads often masquerade as software updates or internal IT communications.

6. Command and Control

  • C2 traffic flows over HTTPS or non-standard ports to evade detection.
  • Infrastructure is obfuscated and sometimes hosted on Chinese ASNs or public services.

7. Post-Exploitation

  • Once inside, RedNovember performs lateral movement, internal recon, and data theft.
  • Operations align with China’s strategic interests, targeting sensitive government and defense assets.

Toolset

  • Backdoors: Pantegana (Go-based), SparkRAT
  • Loaders: LESLIELOADER
  • Post-exploitation: Cobalt Strike
  • File delivery: PDF/Word lure documents, staging via offiec[.]us[.]kg
  • Infra tools: VPN tunneling (ExpressVPN, Warp VPN), vulnerability scanners, file sharing platforms (Gofile, pan[.]xj[.]hk)

Victimology

RedNovember’s targeting spans across multiple continents and industry verticals, with key geographies including:

  • North America: U.S. defense contractors, oil & gas companies, legal firms, news outlets.
  • Asia-Pacific: Taiwan (military and semiconductor R&D), South Korea (nuclear, telecom), Fiji (BRI-aligned sectors).
  • Europe: Aerospace & engine manufacturers, space research, law firms.
  • South America: Over 30 Panamanian government entities post-geopolitical events.
  • Africa: State security and government infrastructure.

Recommendations

  1. Prioritize patching CVEs exploited by RedNovember (i.e., CVE-2024-3400, CVE-2024-24919, CVE-2022-30190).
  2. Minimize exposure of VPNs, firewalls, and OWA portals; disable unused interfaces immediately.
  3. Enforce MFA, especially on externally exposed devices and services.
  4. Ensure security monitoring and detection capabilities are in place for all external-facing services and devices. Monitor for follow-on activity likely to occur following exploitation of these external-facing services, such as the deployment of web shells, backdoors, or reverse shells, as well as subsequent lateral movement to internal networks.
  5. Block macro-enabled Office documents and disable embedded scripts.
  6. Conduct user awareness training on spearphishing techniques. Alert staff about suspicious file attachments or IT department impersonations.
  7. Block the IOCs at their respective controls; the full indicator collection is available at https://www.virustotal.com/gui/collection/94c64dbc5b3219c8fc9d02ed37f3a8a63e0069e7fc4f5657389d2e12947c6fec/iocs.
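The monitoring called for in recommendation 4 and the C2 traits described above (lookalike lure domains such as offiec[.]us[.]kg, HTTPS on non-standard ports) can be turned into a first-pass triage rule over perimeter-device logs. The script below is an added example, not code from the advisory or from Ampcus Cyber; the key=value log format, the brand words it watches for, and the sample lines are assumptions constructed for illustration.

```python
import re

KNOWN_IOC_DOMAINS = {"offiec.us.kg"}                 # advisory's offiec[.]us[.]kg, refanged
WATCHED_WORDS = ("office", "microsoft", "outlook")    # brands lure domains imitate (assumption)
STANDARD_TLS_PORTS = {443, 8443}
LOG_RE = re.compile(r"(\w+)=(\S+)")                   # key=value tokens in one log line

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): a swapped pair costs 1, not 2."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike_of(host: str) -> str:
    """Return the brand word a label of `host` imitates (one edit away), or "" if none."""
    for label in host.lower().split("."):
        for word in WATCHED_WORDS:
            if label != word and edit_distance(label, word) == 1:
                return word
    return ""

def triage(line: str) -> list:
    """Reasons one key=value log line is suspicious (empty list means clean)."""
    f = dict(LOG_RE.findall(line))
    host, reasons = f.get("sni", ""), []
    if host in KNOWN_IOC_DOMAINS:
        reasons.append("known IOC domain " + host)
    elif (word := lookalike_of(host)):
        reasons.append("lookalike of '%s': %s" % (word, host))
    if f.get("proto") == "tls" and int(f.get("dport", "443")) not in STANDARD_TLS_PORTS:
        reasons.append("TLS on non-standard port " + f["dport"])
    return reasons

# Constructed sample firewall lines (documentation IP ranges), not real telemetry.
SAMPLE_LOGS = [
    "ts=2025-06-01T10:02:11Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tls sni=login.microsoft.com",
    "ts=2025-06-01T10:02:15Z src=10.0.0.5 dst=203.0.113.9 dport=8081 proto=tls sni=offiec.us.kg",
    "ts=2025-06-01T10:03:40Z src=10.0.0.8 dst=198.51.100.4 dport=443 proto=tls sni=offcie.example",
]

def scan(lines):
    """Map the timestamp of each flagged line to the reasons it was flagged."""
    return {dict(LOG_RE.findall(l))["ts"]: r for l in lines if (r := triage(l))}
```

Tune WATCHED_WORDS to the brands your own users actually see in lures, and feed the output into a ticket queue rather than an auto-block, since a one-edit match will also catch legitimate but oddly named hosts.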

Ampcus Cyber