China-Linked Cyber Espionage Group Targets Over 70 Organizations Across Diverse Sectors

June 9, 2025
Government Security / Cyber Espionage

Recent reconnaissance efforts against American cybersecurity firm SentinelOne are part of a larger wave of intrusions affecting various targets between July 2024 and March 2025. “The victims include a South Asian government agency, a European media outlet, and over 70 organizations spanning numerous sectors,” noted SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel in a recent report. Affected sectors include manufacturing, government, finance, telecommunications, and research. Notably, an IT services and logistics firm was compromised while managing equipment logistics for SentinelOne staff during the breach in early 2025. This malicious activity has been confidently linked to threat actors associated with China, with some attacks attributed to a cluster known as PurpleHaze, which overlaps with recognized Chinese cyber espionage groups labeled APT15.

Over 70 Organizations Affected by Cyber Espionage Linked to China

June 9, 2025
Government Security / Cyber Espionage

A recent report has unveiled significant cyber espionage activities against a diverse range of organizations, orchestrated by a group with ties to China. This campaign, which targeted over 70 entities across various sectors, has raised alarms about the evolving landscape of cybersecurity threats.

The reconnaissance phase of this operation specifically involved the American cybersecurity firm SentinelOne. The attacks, unfolding between July 2024 and March 2025, encompassed an array of victims, including a South Asian government agency, a major European media outlet, and organizations spanning manufacturing, government, finance, telecommunications, and research. Particularly notable among the compromised was an IT services and logistics firm responsible for managing hardware logistics for SentinelOne employees during the time of the breach.

Researchers from SentinelOne, Aleksandar Milenkoski and Tom Hegel, have attributed these malicious actions with a high degree of confidence to threat actors associated with China. They highlighted a connection to a threat cluster identified as PurpleHaze, which appears to overlap with previously reported Chinese cyber espionage groups, such as APT15. This connection underscores the sophistication and coordination of these cyber threats.

The scale and range of these intrusions illustrate a concerning trend in targeted attacks that prioritize strategic assets across critical sectors. The activities suggest the use of various tactics, techniques, and procedures (TTPs) consistent with the MITRE ATT&CK framework. Potential methodologies employed in these attacks may include initial access techniques, such as exploiting misconfigured services and implementing spear-phishing attacks. Additionally, adversaries likely established persistent access through mechanisms designed to maintain their foothold within the compromised networks.

Privilege escalation tactics could also have been employed, enabling threat actors to gain elevated permissions, thereby widening their access to sensitive information and systems. Such strategies highlight the need for robust security protocols and vigilance in monitoring unusual network activity, given the sophisticated nature of these operations.

The incident serves as a stark reminder of the cybersecurity landscape’s evolving challenges, particularly for organizations across sectors that may be deemed attractive targets for espionage. As businesses increasingly rely on digital infrastructure, understanding and mitigating these risks becomes paramount. Cybersecurity measures should be continuously updated and tested, ensuring organizations are equipped to respond proactively to these persistent threats.

Industry stakeholders are urged to remain vigilant and informed, continuously reassessing their security posture in light of these developments. With the growing prevalence of cyber espionage linked to state actors, it is imperative that organizations adopt a multi-layered approach to security, leveraging insights from the MITRE ATT&CK framework to identify potential vulnerabilities and fortify defenses accordingly.

Source link

Related Posts

Two Separate Botnets Target Wazuh Server Vulnerability for Mirai-Based Attacks

June 09, 2025
Wazuh Server Vulnerability

A critical security flaw in the Wazuh Server, now patched, has been exploited by threat actors to deploy two distinct variants of the Mirai botnet for executing distributed denial-of-service (DDoS) attacks. Akamai, which identified these exploitation efforts in late March 2025, reports that the campaign is targeting CVE-2025-24016 (CVSS score: 9.9), a dangerous deserialization vulnerability enabling remote code execution on affected Wazuh servers. This vulnerability impacts all server software versions from 4.4.0 onward and was addressed in February 2025 with the release of version 4.9.1. A proof-of-concept (PoC) exploit became publicly available around the same time. The issue stems from the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and then deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. Malicious actors can exploit this vulnerability by injecting harmful JSON…

CISA Includes Erlang SSH and Roundcube Vulnerabilities in Known Exploited Threats Catalog

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The identified vulnerabilities are:

  • CVE-2025-32433 (CVSS score: 10.0): A critical missing authentication flaw in the Erlang/OTP SSH server that could enable an attacker to execute arbitrary commands without proper credentials, potentially leading to unauthenticated remote code execution. (Patched in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)

  • CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in RoundCube Webmail that may allow a remote attacker to compromise a victim’s email account by exploiting a desanitization flaw in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6…)

Researcher Uncovers Vulnerability Exposing Phone Numbers Linked to Google Accounts

Jun 10, 2025
Vulnerability / API Security

Google has acted to resolve a security flaw that could allow malicious actors to brute-force recovery phone numbers associated with Google accounts, potentially compromising user privacy and security. Singaporean security researcher “brutecat” identified that the vulnerability exploited a weakness in the company’s account recovery feature. The issue involved a now-obsolete version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked sufficient anti-abuse measures to limit excessive requests. This page allows users to check if a recovery email or phone number is linked to a specific display name (e.g., “John Smith”). By bypassing the CAPTCHA rate limits, attackers could rapidly test various permutations of a Google account’s phone number, leading to possible exploitation.

Title: Over 20 Configuration Vulnerabilities Discovered in Salesforce Industry Cloud, Including Five CVEs

Date: June 10, 2025
Category: Vulnerability / SaaS Security

Cybersecurity experts have identified more than 20 configuration vulnerabilities within Salesforce Industry Cloud (formerly known as Salesforce Industries), potentially exposing sensitive data to unauthorized users. These vulnerabilities impact key components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. “While low-code platforms like Salesforce Industry Cloud simplify application development, neglecting security measures can lead to significant risks,” said Aaron Costello, Chief of SaaS Security Research at AppOmni, in a statement to The Hacker News. If not mitigated, these misconfigurations may enable cybercriminals and unauthorized individuals to access encrypted sensitive information about employees and customers, session data reflecting user interactions with Salesforce Industry Cloud, credentials for Salesforce and other corporate systems, and critical business logic. Following a responsible disclosure process, more information is anticipated.