Headline
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware.
Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.
“During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims,” the company said. “By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization.”
ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years.
While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis technique incorporated into the malware.
“During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software,” Kaspersky said. “In many cases, the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of their campaigns.”
Evidence suggests that intrusions mounted by the adversary began in March 2021, right around the time the ProxyLogon vulnerabilities in Exchange Servers became public knowledge. Some of the targets are said to have been breached by exploiting CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in the mail server.
Besides deploying ShadowPad as “mscoree.dll,” an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR, and web shells for remote access.
Although the final goals of the campaign remain unknown, the attackers are believed to be interested in long-term intelligence gathering.
“Building automation systems are rare targets for advanced threat actors,” Kaspersky ICS CERT researcher Kirill Kruglov said. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021. "The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News
New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.
Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.
By Waqas Going by the name of Witchetty; the hacker group is targeting countries in Africa and the Middle East. This is a post from HackRead.com Read the original post: Chinese Hackers Hiding Malware in Windows Logo
APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels. Alternative video link (for Russia): https://vk.com/video-149273431_456239097 What’s in this episode: Microsoft released a propaganda […]
While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.
By Nate Pors and Terryn Valikodath. Executive summary In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. This many-to-one approach is unique from what we have generally observed in the past and is likely an indirect effect of the widespread compromises and exfiltration of large volumes of email from 2020 and 2021. Understandi...
The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.
This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.
We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.
Update March 15, 2021: If you have not yet patched, and have not applied the mitigations referenced below, a one-click tool, the Exchange On-premises Mitigation Tool is now our recommended path to mitigate until you can patch. Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version.
On March 2nd, we released several security updates for Microsoft Exchange Server to address vulnerabilities that are being used in ongoing attacks. Due to the critical nature of these vulnerabilities, we recommend that customers protect their organizations by applying the patches immediately to affected systems. The vulnerabilities affect Exchange Server versions 2013, 2016, and 2019, while Exchange Server 2010 is also being updated for defense-in-depth purposes.