Chinese hackers breach REDCap servers, steal medical research
REDCap administrators are advised to upgrade their instances to the latest available version and to remove legacy deployments.

The backdoor, which receives its commands via HTTP cookies, gives UNC6508 the ability to:

- Execute shell commands
- Upload files to the REDCap server
- Download files from the server
- Run arbitrary SQL queries
- Retrieve stolen credentials
- Delete stolen credential records
- Return system and database information

One notable technique in the campaign, and a new one for China-linked threat actors, is the abuse of the legitimate 'content compliance rules' feature found in cloud-based enterprise productivity suites to exfiltrate data over email.
The Breach
Google Threat Intelligence Group (GTIG) researchers attribute the attacks to a threat actor tracked as UNC6508, which remained undetected in the victim's network for more than a year.
The REDCap platform is widely used in medical and scientific research to build and manage databases and surveys in a way that meets the regulatory requirements of such research.
GTIG says that three months after the initial compromise, the attackers deployed the custom 'InfiniteRed' malware, built specifically for REDCap systems, and hid its components by trojanizing the server's own system files.
“Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”, Spokesperson
Affected Data & Victims
A China-linked espionage campaign targeted internet-exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America. Although the researchers could not determine the exact initial access vector, they observed UNC6508 probing older, vulnerable versions of REDCap. Google has notified multiple organizations in the U.S.
GTIG observed a high level of operational security throughout the campaign, including the use of US-based residential proxy infrastructure, compromised routers, virtual private servers (VPS), credential replay, and dedicated infrastructure for data exfiltration.
What Victims Should Do
Organizations running REDCap should review their exposure and apply the available mitigations promptly: upgrade to the latest available version and retire legacy deployments. Because the malware hid its components in trojanized system files, a version upgrade alone does not evict it; affected hosts should be verified against known-good package contents or rebuilt.

Affected individuals should monitor their financial and online accounts for suspicious activity and consider enrolling in any credit monitoring or identity protection services that are offered.

Organizations must conduct a thorough post-incident review to identify the root cause and the gaps in security controls that allowed the breach to occur. Regulatory notification requirements should be assessed by jurisdiction and by the types of data involved, with legal counsel engaged early in the process. Communications teams should prepare transparent disclosure messaging for customers, partners, and regulators.

Beyond the immediate response, organizations should update their data handling policies, encryption standards, and access controls to reduce the likelihood of recurrence. Third-party risk assessments may also be warranted if the breach originated with a vendor or service provider.

Analysis
InfiniteRed consists of three components: a persistence/update module, a credential harvester, and a backdoor.

Messages matching the attackers' content compliance rule are automatically sent as a blind carbon copy (BCC) to 'BebitaBarefoot774@gmail.com', an address Google has since disabled.
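The cookie-driven backdoor described in this report gives defenders a hunting angle that does not depend on indicators the report does not publish: a stock web application sets a small, known set of cookies, so a request carrying an unknown cookie whose value is long, random-looking, or decodes to readable text deserves a look. The script below is an added example written for this article, not code from GTIG or the REDCap project. It assumes the web server logs the Cookie request header (here, an Apache LogFormat of `%h %t "%r" %>s "%{Cookie}i"`), treats PHPSESSID (PHP's default session cookie) as the only application-set cookie, and runs over constructed log lines; the cookie name `x7` and its base64 payload are hypothetical.

```python
"""Hunt for cookie-borne backdoor commands in web server access logs.

Added example for this article; it is not code from GTIG's report or from
the REDCap project. The report says only that the InfiniteRed backdoor is
driven by commands carried in HTTP cookies and publishes no cookie names
or values, so nothing here is a known indicator. ASSUMPTION: the web server
logs the Cookie request header, e.g. with the Apache LogFormat
    %h %t "%r" %>s "%{Cookie}i"
All log lines below are constructed for illustration.
"""
from __future__ import annotations

import base64
import math
import re
from collections import Counter
from dataclasses import dataclass

# Regex for the assumed LogFormat above. Apache writes "-" when no Cookie header was sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Cookie names the application itself is expected to set. PHPSESSID is PHP's default
# session cookie (REDCap is a PHP application). ASSUMPTION: extend this allow-list
# from your own instance's normal traffic before running the script for real.
EXPECTED_COOKIES = frozenset({"PHPSESSID"})

# Constructed sample log (not real data). The last request carries a hypothetical
# cookie named "x7" whose value is base64 of "id;uname -a;cat /etc/passwd".
SAMPLE_LOG = """\
203.0.113.10 [10/Feb/2026:12:00:01 +0000] "GET /redcap/index.php HTTP/1.1" 200 "PHPSESSID=3f2a1b4c5d6e7f8091a2b3c4d5e6f708"
203.0.113.10 [10/Feb/2026:12:00:03 +0000] "POST /redcap/index.php HTTP/1.1" 200 "PHPSESSID=3f2a1b4c5d6e7f8091a2b3c4d5e6f708; _ga=GA1.2.1234567890.1700000000"
198.51.100.7 [10/Feb/2026:12:00:05 +0000] "GET /redcap/index.php HTTP/1.1" 200 "-"
198.51.100.7 [10/Feb/2026:12:00:09 +0000] "GET /redcap/index.php HTTP/1.1" 200 "PHPSESSID=9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a49; x7=aWQ7dW5hbWUgLWE7Y2F0IC9ldGMvcGFzc3dk"
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    cookie: str
    value: str
    reasons: tuple
    severity: str  # "high" when more than one heuristic fires, otherwise "low"


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking base64/hex blobs sit around 4.0 or above."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_cookies(header: str) -> list[tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs; '-' means no header was sent."""
    if header in ("", "-"):
        return []
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def decodes_to_text(value: str) -> bool:
    """True if value is strict base64 that decodes to printable ASCII, which is what a
    command string (as opposed to a random session token) tends to look like."""
    try:
        raw = base64.b64decode(value, validate=True)  # binascii.Error subclasses ValueError
    except ValueError:
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def analyze(log_text: str, expected=EXPECTED_COOKIES, min_len: int = 24,
            min_entropy: float = 4.0) -> list[Finding]:
    """Return one Finding per cookie that is not set by the application, ranked by
    how many of the value heuristics also fire."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for name, value in parse_cookies(m["cookie"]):
            if name in expected:
                continue  # the app's own session cookies are random by design
            reasons = ["cookie name not set by the application"]
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                reasons.append("long high-entropy value")
            if decodes_to_text(value):
                reasons.append("base64 decodes to printable text")
            severity = "high" if len(reasons) > 1 else "low"
            findings.append(Finding(m["ip"], m["ts"], name, value, tuple(reasons), severity))
    return findings


def high_severity(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:4} {f.ip:14} {f.cookie}={f.value[:20]}  [{'; '.join(f.reasons)}]")
```

Run it as-is to see the tiered output: the `_ga` cookie in the sample is reported as low severity, the `x7` cookie as high. In practice, build the allow-list from a week of normal traffic first, since third-party cookies will otherwise show up as low-severity noise, and treat a high-severity hit on a host that is already under suspicion as a prompt to inspect the server-side code that handles the request.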