SentinelOne revealed details of two new intrusion attempts by China-nexus actors
Analysis Summary
# Threat Actor: PurpleHaze (Associated Chinese Nexus Actors)
## Attribution & Identity
* **Primary Association:** China-nexus actors, suspected Chinese cyber-espionage.
* **Known Aliases/Overlaps:** Linked operationally to **APT15** (also known as Ke3Chang and Nylon Typhoon) and **UNC5174** (described as an initial access broker and contractor for the Chinese government).
* **Infrastructure Overlap:** Infrastructure used in the intrusion is tracked as part of an Operational Relay Box (ORB) network used by several suspected Chinese cyber-espionage actors.
## Activity Summary
The article details warnings issued by SentinelOne regarding two related operations carried out by these actors, beginning around **October 2024** and referred to collectively as the "PurpleHaze" operation.
* **Targeting Vendors:** Cybersecurity vendors were identified as a growing target.
* **Reconnaissance:** The initial activity involved "remote connections to internet-facing SentinelOne servers for reconnaissance."
* **Broader Campaign:** The same campaign targeted other entities, including a South Asian government entity, implying broader intelligence gathering goals.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of chained Ivanti zero-day vulnerabilities: **CVE-2024-8963** and **CVE-2024-8190**.
* **Lateral Movement/Tooling:** Deployment of the **GOREshell backdoor**.
* **Tooling Usage:** Use of publicly available tools developed by the security research community **The Hacker’s Choice (THC)**.
* **Reconnaissance:** Remote connections to target internet-facing infrastructure.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
* **Sectors:** Cybersecurity vendors; government entities (specifically noted: a South Asian government entity).
* **Geography:** South Asia (victim example); operations linked to Chinese actors.
* **Victims:** SentinelOne (for reconnaissance); unidentified South Asian government entity.
## Tools & Infrastructure
* **Malware Families Used:** **GOREshell backdoor**.
* **Infrastructure (C2, domains, IPs):** Use of an **Operational Relay Box (ORB) network**.
## Implications
The threat actors demonstrate a high degree of sophistication by actively targeting cybersecurity vendors—a crucial step for supply chain compromise. The use of chained, likely undisclosed, vulnerabilities (Ivanti zero-days) suggests dedicated state-level resources. The observed activity indicates intelligence gathering (reconnaissance followed by payload delivery) against critical sectors and government entities.
## Mitigations
* Immediate patching and mitigation efforts for Ivanti vulnerabilities **CVE-2024-8963** and **CVE-2024-8190**.
* Enhanced monitoring of remote connections targeting internet-facing security infrastructure (e.g., management servers).
* Thorough malware analysis and detection engineering focused on the **GOREshell** backdoor.
* Industry collaboration and transparency regarding compromise attempts against security tooling providers.