Between late June 2023 and early August 2023, CrowdStrike detected suspicious activity at a South Asian telecommunications provider attributed to the China-nexus adversary Horde Panda. The adversary used multiple compromised identities to entrench itself in the network and move laterally. Initial access came through the victim's VPN IP range, likely on the assumption that valid identities logging on from that range would blend in with legitimate remote-access traffic.
In early July 2023, unusual activity targeting a domain controller (DC) was flagged. It originated from unexpected sources, including the VPN IP range and a host not previously observed by CrowdStrike. The adversary attempted a DCSync attack, in which an account holding directory replication rights impersonates a domain controller and asks a real DC to replicate account data, including password hashes. These attempts failed because the compromised accounts did not hold the replication rights the technique requires.
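A DCSync request leaves a trace on the DC as Security event 4662 with the replication extended rights in its Properties field. The following detection logic is an added example written for this page, not CrowdStrike tooling or anything recovered from the incident; the 4662 and 4624 records it runs over are constructed, and the VPN pool, DC names and account names are assumptions. It correlates each 4662 with the 4624 logon that carries the source IP, which 4662 itself does not record, and keeps failure audits so that a request denied for missing rights, as happened here, still surfaces.

```python
"""Flag DCSync-style replication requests in Windows Security log records.

Added illustrative example, not from the incident or CrowdStrike tooling.
Events are constructed dicts carrying the standard fields of event 4662
(directory service object access) and 4624 (logon); real data would be
exported from the DC's Security log (e.g. Get-WinEvent or a SIEM).
"""
import ipaddress
import re

# Extended rights exercised by a replication (DCSync) request; well-known AD GUIDs.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def replication_rights(properties: str) -> set:
    """Names of replication rights referenced in a 4662 'Properties' field."""
    return {REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPL_RIGHTS}


def logon_sources(events) -> dict:
    """Map TargetLogonId of 4624 events to the source IP that authenticated."""
    return {e["TargetLogonId"]: e.get("IpAddress", "-")
            for e in events if e.get("EventID") == 4624}


def find_dcsync(events, known_dcs, allowed_accounts=(), watch_nets=()):
    """Return 4662 records requesting replication rights from a non-DC principal.

    known_dcs: machine accounts of domain controllers ('DC01$'); DCs replicate
      legitimately and are excluded.
    allowed_accounts: service accounts with a legitimate need (for example an
      Azure AD Connect sync account).
    watch_nets: CIDR strings (assumed here to be the VPN pool) that raise priority.
    Success and failure audits are both examined, so a request denied for lack of
    rights still appears, provided failure auditing of Directory Service Access
    is enabled on the DC.
    """
    nets = [ipaddress.ip_network(n) for n in watch_nets]
    sources = logon_sources(events)
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject in known_dcs or subject in allowed_accounts:
            continue
        src = sources.get(ev.get("SubjectLogonId"), "-")
        in_watch = False
        try:
            in_watch = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:
            pass  # no correlated logon, leave in_watch False
        hits.append({
            "time": ev["TimeCreated"],
            "subject": subject,
            "source_ip": src,
            "from_watched_net": in_watch,
            "rights": sorted(rights),
            "outcome": ev.get("Keywords", "?"),
        })
    return hits


# Constructed sample: a legitimate DC-to-DC replication, then a denied request
# from a user account whose logon came from the (assumed) VPN pool 172.16.8.0/24.
REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2023-07-03T02:11:05Z", "TargetUserName": "DC02$",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.12", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2023-07-03T02:14:40Z", "TargetUserName": "j.doe",
     "TargetLogonId": "0x5b0c2", "IpAddress": "172.16.8.23", "LogonType": 3},
    {"EventID": 4662, "TimeCreated": "2023-07-03T02:11:07Z", "Keywords": "Audit Success",
     "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7a1",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": REPL_PROPS},
    {"EventID": 4662, "TimeCreated": "2023-07-03T02:14:52Z", "Keywords": "Audit Failure",
     "SubjectUserName": "j.doe", "SubjectLogonId": "0x5b0c2",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": REPL_PROPS},
]

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, known_dcs={"DC01$", "DC02$"},
                           watch_nets=["172.16.8.0/24"]):
        print(hit)
```

The exclusion lists are the part that needs tuning per environment: every DC and every legitimate replication consumer must be listed, or the rule drowns in normal traffic; anything left over, and in particular a user account replicating from a remote-access range, is worth an immediate look.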
Two Horde Panda implants were discovered on the compromised host. These implants, LuaPlug and KEYPLUG, were side-loaded by legitimate executables. LuaPlug established persistence as a Windows service, while KEYPLUG did so as a scheduled task.
In mid-July 2023, Horde Panda attempted to regain access to domain accounts after reacquiring the updated password of a previously compromised account, that is, the password had been reset and the adversary obtained the new one. The adversary then issued LDAP queries for Local Administrator Password Solution (LAPS) attributes and for objects configured for unconstrained delegation.
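Both queries are cheap reconnaissance for an authenticated domain user: the LAPS expiration attribute reveals which computers are LAPS-managed even when the password itself is protected, and the userAccountControl bit-AND matching rule finds every principal trusted for unconstrained delegation. The code below is an added example written for this page, not the adversary's tooling or CrowdStrike code; it builds the filters a practitioner would run against a real domain and evaluates the same logic locally over constructed search results (the account names, values and the readable-password misconfiguration are all assumptions).

```python
"""Triage what LDAP reconnaissance for LAPS and unconstrained delegation returns.

Added illustrative example; not the adversary's tooling or CrowdStrike code.
Entries are dicts shaped like the attribute maps an LDAP client returns; the
filter strings can be passed as-is to any LDAP client bound to a real domain.
"""

UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controller computer accounts
UF_TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained Kerberos delegation
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# The expiration attribute is not marked confidential in legacy LAPS, so it is
# typically readable by any authenticated user and reveals which hosts are managed.
LAPS_EXPIRY_ATTRS = ("ms-Mcs-AdmPwdExpirationTime", "msLAPS-PasswordExpirationTime")
LAPS_PASSWORD_ATTRS = ("ms-Mcs-AdmPwd", "msLAPS-Password", "msLAPS-EncryptedPassword")


def unconstrained_delegation_filter(exclude_dcs: bool = True) -> str:
    """LDAP filter for objects with TRUSTED_FOR_DELEGATION set.

    DCs carry the bit by design; excluding SERVER_TRUST_ACCOUNT leaves the
    member servers and user accounts that actually deserve a second look.
    """
    f = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_TRUSTED_FOR_DELEGATION})"
    if exclude_dcs:
        f = (f"(&{f}(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:="
             f"{UF_SERVER_TRUST_ACCOUNT})))")
    return f


def laps_managed_filter() -> str:
    """LDAP filter for computers with a legacy LAPS or Windows LAPS password set."""
    ors = "".join(f"({a}=*)" for a in LAPS_EXPIRY_ATTRS)
    return f"(&(objectCategory=computer)(|{ors}))"


def unconstrained_delegation_objects(entries, exclude_dcs: bool = True):
    """Evaluate unconstrained_delegation_filter() locally against entries."""
    out = []
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        if not uac & UF_TRUSTED_FOR_DELEGATION:
            continue
        if exclude_dcs and uac & UF_SERVER_TRUST_ACCOUNT:
            continue
        out.append(e["sAMAccountName"])
    return out


def laps_exposure(entries):
    """Split LAPS-managed computers by whether the password attribute came back.

    A search returns a confidential attribute only when the bound principal holds
    read rights on it; a value coming back for a compromised low-privilege user
    means that user can recover the host's local administrator password.
    """
    managed, readable = [], []
    for e in entries:
        if e.get("objectCategory") != "computer":
            continue
        if not any(a in e for a in LAPS_EXPIRY_ATTRS):
            continue
        managed.append(e["sAMAccountName"])
        if any(e.get(a) for a in LAPS_PASSWORD_ATTRS):
            readable.append(e["sAMAccountName"])
    return {"laps_managed": managed, "password_readable": readable}


# Constructed search results as seen by a compromised low-privilege user.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "objectCategory": "computer",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "BILLING-APP$", "objectCategory": "computer",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "ms-Mcs-AdmPwdExpirationTime": "133344000000000000"},
    {"sAMAccountName": "WS-042$", "objectCategory": "computer",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "ms-Mcs-AdmPwdExpirationTime": "133344000000000000",
     "ms-Mcs-AdmPwd": "xQ7!vLm2pR9#"},   # assumed ACL misconfiguration: readable
    {"sAMAccountName": "svc-legacy", "objectCategory": "person",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
]

if __name__ == "__main__":
    print(unconstrained_delegation_filter())
    print(unconstrained_delegation_objects(SAMPLE_ENTRIES))
    print(laps_managed_filter())
    print(laps_exposure(SAMPLE_ENTRIES))
```

Run the same two queries from a non-privileged domain account as a periodic check: any non-DC computer or any user account with unconstrained delegation is a credential-theft pivot (a host trusted for delegation caches forwardable TGTs of everyone who authenticates to it), and any LAPS password attribute that comes back readable is a local administrator password already exposed to whichever account the adversary holds.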