EAGLEDOOR: Chinese trace or coincidence?

The hacked GeoServer paved the way for the secrets of five states.

In July of this year, Trend Micro revealed a cyberattack on Taiwanese government agencies, allegedly associated with the Chinese group Earth Baxia. The attackers exploited a newly discovered vulnerability in GeoServer (CVE-2024-36401, CVSS: 9.8) to infiltrate systems not only in Taiwan but also in other countries in the Asia-Pacific region, such as South Korea, Vietnam, Thailand, and the Philippines.

Trend Micro experts reported that the hackers used spear-phishing with fake documents and emails, primarily targeting government agencies, telecommunications companies and the energy sector. Notably, some of the lures found were documents in simplified Chinese, which suggests the attack may have spread to China as well, although there is no firm information on this yet.

The main goal of the attacks was to install Cobalt Strike and a previously unknown backdoor named EAGLEDOOR, which is used to collect information and deliver additional malicious components. To download and execute the malware on compromised devices, the attackers used the GrimResource and AppDomainManager techniques, disguising them with fake files embedded in ZIP archives.

Of particular note is the fact that the Japanese company NTT Security Holdings previously detected similar attacks using the same methods on facilities in Taiwan, the Philippines and Vietnam. This suggests a connection between Earth Baxia and another known group, APT41.

Domains spoofing popular cloud services such as Amazon Web Services and Microsoft Azure were used to control the infected systems. The operations involved transmitting data over several protocols, including DNS, HTTP, and Telegram, which indicates a high level of skill on the attackers' part.
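The look-alike cloud domains mentioned above are something a defender can hunt for in DNS query logs. The script below is an added example, not code from Trend Micro or from the original post: it scans constructed DNS log lines (in an assumed "timestamp client qname qtype" format) and flags hostnames that carry an AWS/Azure/Microsoft brand token outside the legitimate apex domains, or whose registrable domain is within a small edit distance of a legitimate one. The list of legitimate apexes and brand tokens is an assumption to be tuned for your environment.

```python
import re

# Assumed list of legitimate cloud-service apex domains; extend for your environment.
LEGIT_APEXES = {"amazonaws.com", "amazon.com", "azure.com", "azure.net",
                "microsoft.com", "windows.net"}
# Brand tokens that rarely appear legitimately outside the apexes above.
BRAND_TOKENS = ("amazonaws", "aws", "azure", "microsoft")

# Constructed sample DNS log lines (hypothetical format: ts client qname qtype).
SAMPLE_DNS_LOG = """\
2024-09-20T08:01:12Z 10.0.5.23 s3.amazonaws.com A
2024-09-20T08:01:13Z 10.0.5.23 aws-update-cdn.example.com A
2024-09-20T08:01:15Z 10.0.5.41 portal.azure.com A
2024-09-20T08:01:17Z 10.0.5.41 login.micr0soft.com A
2024-09-20T08:01:19Z 10.0.5.77 amazonaws-com.net A
2024-09-20T08:01:20Z 10.0.5.77 intranet.corp.local A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def registrable_domain(qname):
    """Return the last two labels (naive apex; multi-part TLDs like co.uk need a
    public-suffix list in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def levenshtein(a, b):
    """Classic edit distance, used to catch near-miss apexes such as micr0soft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname):
    """Return a reason string if the name looks like a cloud-service spoof, else None."""
    apex = registrable_domain(qname)
    if apex in LEGIT_APEXES:
        return None  # genuinely under a legitimate apex
    host = qname.lower()
    token = next((t for t in BRAND_TOKENS if t in host), None)
    if token:
        return f"brand-token:{token}"
    for legit in LEGIT_APEXES:
        if levenshtein(apex, legit) <= 2:
            return f"near-miss:{legit}"
    return None


def scan(log_text):
    """Parse log lines and return (client, qname, reason) for every suspicious query."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        reason = classify(m["qname"])
        if reason:
            findings.append((m["client"], m["qname"], reason))
    return findings


if __name__ == "__main__":
    for client, qname, reason in scan(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname}: {reason}")
```

The brand-token rule is deliberately broad (it will flag legitimate names that merely contain "aws"), so treat hits as hunting leads to triage rather than alerts. It also only catches look-alike names: an adversary who hosts command-and-control on a genuine cloud tenant will sit under a legitimate apex and needs other telemetry (beaconing patterns, TLS certificate metadata) to surface.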

According to the researchers, the goal of the campaign was long-term compromise of the targeted infrastructure followed by data theft. This incident clearly demonstrates that in the modern world, cybersecurity goes beyond the boundaries of individual states. Only through close international cooperation and continuous improvement of protective measures can such sophisticated and large-scale threats be countered.
