Security researchers have recently uncovered a connection between the RedGolf hacking group and a series of attacks targeting Fortinet firewall zero-days and utilizing customized cyber attack tools. This revelation sheds light on the inner workings and priorities of this sophisticated threat actor, thanks to the exposure of a misconfigured server associated with the KeyPlug malware—a key component of RedGolf’s operations. This brief window into their activities provided a rare opportunity for security analysts to gain insights into the tools and tactics employed by this advanced adversary.
The incident came to the forefront when a server, operational for less than a day, was momentarily accessible to the public internet. Security researchers leveraged Hunt.io’s AttackCapture™ module to index and preserve the server’s contents before access was restricted. Their analysis revealed a treasure trove of cyber attack scripts and operational tools with a specific focus on Fortinet devices and enterprise network reconnaissance. Among the findings were specialized exploit scripts targeting Fortinet firewalls and VPNs, a PHP-based webshell for executing encrypted payloads, and a set of network scanning utilities aimed at authentication and development portals belonging to a major Japanese corporation, Shiseido.
The tools extracted from the server included capabilities for post-exploitation activities and remote session management, showcasing the meticulous planning and execution typical of state-linked APT groups. Further examination of the exposed files unraveled a methodical approach involving reconnaissance scripts, Fortinet-specific exploitation tools, Websocket CLI attacks, sophisticated webshell and reverse shell implants, and session control binaries. The infrastructure hosting these tools, particularly IP addresses associated with Vultr-hosted servers in Japan and Singapore, has been linked back to RedGolf, a group closely aligned with China’s APT4.
RedGolf’s utilization of the KeyPlug malware framework in global cyber campaigns has been noted in the past. The combination of reconnaissance data, target lists, and exploit automation tools found on the server paints a vivid picture of the group’s coordinated and multi-stage attack planning. This incident serves as a stark reminder of the challenges faced by defenders in combating sophisticated cyber adversaries.
In light of these developments, security experts emphasize the importance of prompt patching, vigilant monitoring for automation, and the hardening of internet-facing assets to mitigate the risks posed by such threats. As cyber adversaries continue to evolve and refine their tactics, organizations must remain vigilant and proactive in their defense strategies. These glimpses into attacker operations provide valuable insights for security teams, enabling them to better understand the evolving landscape of cyber espionage and enhancing their ability to detect and respond to emerging threats effectively.