China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

Author: Ethan Winters
Role: Lead DevSecOps Engineer, SecureOps.io | 18 years in SecOps, Cloud & Network Defense
Certifications: CISSP, GCIH, CISM | Notable Projects: FIN7/Trickbot Response, Fortune 100 Incident Lead
Profile: LinkedIn
Last Updated: 2024-06-12 | Changelog: Added CVE links, MITRE mapping, real-world case notes
Defending Against ORB/Relay Networks and “UAT-7810”-Style Campaigns: Practical Steps for Developers
**Content Warning:** This post contains blunt, technical language and no-fluff critique. All threat actor and malware names (“UAT-7810”, “LONGLEASH”, “ORB”, “LapDogs”) are illustrative or anonymized, unless referenced with cited public advisories. Nation-state attribution is based on available public evidence and linked sources.Immediate Triage: 10-Minute Checklist
For those who value their Friday evening:
- Scan for exposed SSH/Telnet:
nmap -p 22,23 <your-public-IP-range> - Audit new authorized_keys:
grep -r 'ssh-rsa' /home/*/.ssh/authorized_keys | diff --old /backup - Review inbound/outbound NAT/firewall rules:
Look for new port forwards, “temporary” NATs. - Block suspicious egress domains/IPs:
Reference known C2 feeds (CISA, OISF). - Rotate privileged account keys immediately:
Especially service accounts and network device credentials.
Why Are Edge Devices Still the Softest Target?
Case note: In a Q4 2023 incident (anonymized, Fortune 500), attacker gained initial access via default credentials on a legacy edge firewall confirmed by SSH auth logs and SIEM timeline.
The team had classified it as “test only,” but live traffic said otherwise.
CISA has repeatedly issued advisories (CISA AA23-143A) showing attackers exploiting weak IoT and network gear configs.
The easiest wins for threat actors:
- Default device creds (e.g., “admin:admin” or “admin:password” left unchanged — see CISA guidance)
- Unpatched firmware (Cisco ASA, Juniper, F5 BIG-IP, etc.)
- SSH keys exposed in public repos (GitHub’s recent Security Digest)
- Flat network architecture: Core business and IoT on same VLAN
The Real Architecture Nightmare: Relay Networks Repurposed
“ORB” relay botnets are just chained proxies abusing devices with weak configs.
Technical parallel: Like DNS tunneling, these pivot through trusted infra to exfiltrate, but over HTTPS/SSH.
- Misconfigured reverse proxy rules:
Allowing open forwarding, often with unrestricted upstreams (see OWASP Reverse Proxy Guide) - Insecure container configs:
CVE Example: CVE-2019-5736 (runc container escape)
Or, running containers with--privileged, hostPath mounts exposing root filesystem (Docker documentation) - Lack of segmentation:
East-west traffic, no VLAN or subnet isolation
MITRE ATT&CK Mapping
- Initial Access: Default credential abuse (T1078)
- Persistence: SSH authorized_keys planted (T1098), scheduled tasks (T1053)
- Lateral Movement: SMB/SSH relay (T1021)
- Exfiltration: Data out via HTTPs/SSH relay (T1041)
Actionable Incident Playbook
Immediate (0–4h):
- Isolate suspected hosts from internal & external networks
- Revoke compromised SSH keys; rotate service account creds
- Block outbound traffic to known C2 IPs/ASNs (EmergingThreats C2 ASN list)
- Capture full memory & disk images for forensics
- Preserve all log sources (resist auto-rotation)
- Notify key stakeholders (IR team, CISO)
Short-Term (4–48h):
- Enforce password rotation on all networked devices
- Patch edge routers/firewalls to latest firmware (Cisco ASA Update Guide)
- Search logs for unauthorized privileged account changes
- Audit network segmentation, split high-value targets onto isolated VLANs
Long-Term (>48h):
- Automate firmware/patch management (CI/CD integration)
- Migrate to SSH CA-based key signing (OpenSSH CA guidance)
- Enable east-west anomaly detection (see below)
- Invest in Zero Trust architecture (NIST SP800-207, Zero Trust)
Detection Guidance: Practical Queries & Templates
Splunk Query (Proxy Relay Detection):
index=network sourcetype=firewall
| stats count by src_ip, dest_ip, dest_port
| where dest_port=443 OR dest_port=22
| search unusual src_ip!=internal_ranges
SIEM Alert Template:
- Log source: Firewall, Netflow, ELB logs
- Fields: Outbound connections to rare ASNs/domain, excessive session count (>100/day), new SSH connections
- Suggested threshold: >5MB outbound traffic in <10min, not seen before
Zeek/Suricata Rule Example:
- Alert on long-lived SSH sessions (>1hr) from edge devices
- Detect unsigned TLS client certificates, rare User-Agent values
YARA Process Indicators:
- Match on suspicious SSH/HTTP relay binaries, e.g.,
Rule: “Suspicious SSH tunnel process spawned by non-admin user” - Add YARA as additional endpoint control (YARA doc)
Indicators of Compromise (IOC): What to Hunt
- Suspicious outbound IPs/ASNs (reference CISA IOC feeds)
- Abnormal HTTP User-Agent strings (“curl/7.68.0”, unusual device agents)
- Unexpected SSH keys in authorized_keys, new local users with sudo rights
- Long-lived reverse SSH tunnels (
sshdprocess with-Ror-Lflags) - New service account creation not tracked via IAM/SIEM
- If unable to publish real IOCs (client sensitivity):
“Search for generic patterns—unexpected outbound encrypted sessions, extreme session durations, connections to rare destination ASNs.”

Hardening Checklist: No-Nonsense Steps
- Inventory your public IPs & exposed services:
Usemasscanor vendor asset tools. Document, don’t just “scan once.” - Enforce strong passwords + rotate device creds:
Set minimum entropy + regular rotation schedule (NIST SP800-63B) - Disable legacy protocols:
Remove TLS 1.0/1.1; follow Cisco FXOS TLS guidance. - Automate firmware updates / enforce scheduled patching:
Juniper Security Advisories
F5 Firmware Updates - SSH key management best practices:
Use CA to sign keys (OpenSSH CA docs), restrict by allowed IPs, enable MFA - Management-plane network isolation:
Isolate device administration to specific VLAN/access control (Cisco VLAN guide) - Logging/monitoring baseline:
Capture netflow, pcap, ELB logs, SSH auth logs. Minimum retention:- Small org: 90 days
- Mid-market: 180 days
- Enterprise: 365 days
Concrete Config Examples & Quick Remediation
Bad: SSH exposed on WAN, password auth enabled, no 2FA.
Fix:
- Disable password auth: Set
PasswordAuthentication noinsshd_config - Require key-based auth: whitelist only signed keys by CA
- Restrict management access: Allowlist IPs via firewall, dedicate management VLAN
- Enable MFA: Integrate with Authy/Duo, or vendor-native 2FA
Resource links:
Detection Gotchas & Countermeasures
Why do ORB/relay networks evade detection?
- Encrypted tunnels over common ports:
Hard to filter without deep inspection - Legit cloud infrastructure abused for C2:
Bypasses IP-based blocking, blends in with real workloads - Low-and-slow exfil patterns:
<1GB/day, invisible if only alerting on spikes
Countermeasures:
- TLS fingerprinting: JA3/JA3S for client/server heuristics (JA3 docs)
- DNS anomaly detection: Track rare domain lookups, high entropy aliases
- Session duration alerts: Find abnormally long SSH/HTTPS connections from edge
Risk & Impact Framing
- Small business:
Focus on asset inventory, password rotation, patch manual firmware quarterly (~4 hours, low cost) - Mid-market:
Automate patching, enable VLAN isolation, tighter audit controls (requires team buy-in, ~16 hours, moderate) - Enterprise:
Full Zero Trust rollout, CA-based SSH key management, SIEM automation (weeks/months, significant engineering)
Success Story: Blast Radius Reduction in Practice
Anonymous case: Logistics firm, 2023. Implemented VLAN segmentation and SSH key rotation.
Result: Attacker initial foothold isolated before lateral movement; exfil volume limited to 11MB, detected in 6hr (down from ~48hr prior).
IR validated via netflow and firewall logs. More stubborn persistence attempts blocked by session duration alerting.
References
- CISA Alerts & Advisories
- NIST SP800-53 Security Controls
- MITRE ATT&CK
- SANS Incident Response Playbooks
- Cisco ASA Security Advisories
- F5 Security Updates
When You’re Owned: Objective Signals
- Unexplained outbound TLS to rare IPs
- Unexpected new scheduled tasks (
cron,schtasks) - Reverse SSH tunnels from edge hosts
- New privileged accounts
- Outbound transfers exceeding historical baseline (>500MB in one day from atypical device)
If you spot two or more, you’re likely compromised. Don’t panic—call for professional IR (SecureOps.io Incident Response), preserve logs, and keep execs updated.
Cynical Kicker
Vendors sell “AI” detection and “unhackable” hardware, but attackers keep winning by abusing what teams ignore.
Ask yourself: When was the last time you audited your device configs or rotated your SSH keys—not just the ones you can see, but the ones buried in CI/CD scripts?
Tomorrow’s breach is just a Tuesday away.