Chinas Earth Baxia Spies Exploit Geoserver to Target APAC Orgs

  /     /     /  
Publicated : 23/11/2024   Category : security


Chinas Earth Baxia Spies Exploit Geoserver to Target APAC Orgs


The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.



A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.
Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The group uses public cloud services for hosting malicious files, and appears not to be connected to other known advance persistent threat (APT) groups, although at least one analysis has found overlap between APT41 — also known as Wicked Panda and Brass Typhoon.
The majority of the groups infrastructure is based in China, and its attacks target nations of Chinese national interest, says Ted Lee, a threat researcher with Trend Micro.
In recent campaigns, their primary targets are government agencies and other critical infrastructures — [such as] telecommunication — in the APAC region, he says. In addition, we also found the decoy documents they used to lure victims are related to some significant conferences or international meetings.
The attack comes as China appears to be ramping up its attacks on governments and companies in the Asia-Pacific region. Operation Crimson Palace,
a collection of three Chinese APT groups working in concert
, has successfully compromised more than a dozen targets in Southeast Asia, including government agencies. In another recent case, a Chinese espionage group used a malicious fake document in an attempt to
compromise systems at the US-Taiwan Business Council
, prior to its 23rd US-Taiwan Defense Industry Conference.
The latest attacks primarily employ spear-phishing, either sending a file or a link, using regional conferences as a lure.
Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand, Trend Micro
stated in its analysis
. Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. However, due to limited information, we cannot accurately determine which sectors in China are affected.
In a limited number of cases, Trend Micro has noticed that the threat group uses a known flaw in the open source
geospatial sharing service GeoServer
to gain a beachhead within an organization. The GeoServer attacks appear to have started at least two months ago, with
the Shadowserver Foundation noting
that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to
its Known Exploited Vulnerability (KEV) catalog on July 15
.
Whether it uses a vulnerability or spear-phishing, the next step is to use one of two techniques, dubbed GrimResource and AppDomainManager injection, to further compromise targeted systems.
Discovered in June, GrimResource
uses a cross-site scripting (XSS) flaw to execute JavaScript on the victims machine and, together with a second exploit, gain arbitrary code execution. AppDomainManager injection is an older — but still not widely known — technique that can be used to load run malicious code and is starting to be abused by state-backed groups,
NTT Security stated in an analysis (via Google Translate)
.
Since this method is not widely known at this time, it is clear that it is a unilateral advantage for the attackers, the translated analysis stated. As a result, there is concern about the possibility that such attacks will expand in the future.
Compromise in any case leads either to a custom backdoor known as EagleDoor, or the installation of an implant by a pirated version of the red-team tool
Cobalt Strike
, whose use is common among cybercriminal and cyber-espionage groups because of its powerful lateral movement and command-and-control (C2) capabilities.
In addition, the commonness of the tool means investigators gain no attribution information from its use, Trend Micros Lee says.
While its use can be a red flag, attackers often modify its components to evade detection, he says. On the other hand, it’s difficult for analysts to finish group attribution based on Cobalt Strike because it is a shared tool used by many different groups.
The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, which allows communication over DNS, HTTP, TCP, and Telegram. The commands are used to exfiltrate data from the victims system and installing additional payloads, Trend Micro stated in its analysis.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Chinas Earth Baxia Spies Exploit Geoserver to Target APAC Orgs