Google Threat Intelligence Group says China-linked UNC6508 targeted exposed REDCap servers to deploy the custom InfiniteRed malware and quietly steal sensitive data from a North American medical institution. The campaign lasted more than a year and used novel email-based exfiltration through a legitimate compliance feature to send matching records to a Gmail account. #UNC6508 #InfiniteRed #REDCap
Key points
- UNC6508 targeted exposed REDCap servers in a long-running espionage campaign.
- The attackers deployed the custom InfiniteRed malware after initial compromise.
- InfiniteRed included persistence, credential harvesting, and backdoor functionality.
- The group used a legitimate compliance rule feature to exfiltrate data by email.
- Google advised upgrading REDCap, removing legacy instances, and enabling MFA and DBSC.