China-linked hackers target US, Canada research using legacy REDCap exploits
Summary
A China-linked threat actor, identified as UNC6508, has been observed targeting research institutions in the US and Canada by exploiting legacy versions of the REDCap data management platform. The attackers injected malware during the platform's upgrade process to establish persistence, harvest credentials, and conduct reconnaissance, aiming to steal sensitive research and defense-related information.
IFF Assessment
This article details a sophisticated espionage campaign by a nation-state-linked actor, posing a significant threat to sensitive research and defense data.
Defender Context
Defenders should be aware that threat actors continue to exploit unpatched legacy software. Organizations using REDCap, especially those holding research or healthcare data, should prioritize patching so that every instance is kept up to date and similar attacks are prevented. Monitoring for unusual upgrade processes and file modifications within the REDCap environment is also crucial.