28 June 2022

APT group used ProxyLogon vulnerability to hack building automation systems

A state-sponsored threat actor used the infamous ProxyLogon vulnerability to breach the building automation systems of organizations in the industrial and telecommunications sectors in Asia. The attackers used the flaw to plant the ShadowPad backdoor in the organizations’ networks and then pivoted from there into more tightly secured parts of those networks.

ProxyLogon is the name given to a critical pre-authentication vulnerability chain in on-premises Microsoft Exchange Server. Its entry point, CVE-2021-26855, is a server-side request forgery flaw: a remote, unauthenticated attacker sends a specially crafted HTTP request to the Exchange front end (the same IIS site that serves OWA and ECP) and gets the request handled as if it came from the Exchange server itself. Chained with CVE-2021-27065, a post-authentication arbitrary file write, this lets the attacker drop a web shell on the server and execute arbitrary code. Microsoft released out-of-band fixes on March 2, 2021, but a lot of Exchange servers remained unpatched.
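For the defender’s side of the two-step chain just described, the following added example (it is not code from the article or from Kaspersky’s report) scans Exchange logs for the two indicators Microsoft published with the March 2021 patches: HttpProxy log rows where AuthenticatedUser is empty but AnchorMailbox matches ServerInfo~*/* (the CVE-2021-26855 SSRF), and ECP server log lines invoking a Set-*VirtualDirectory cmdlet (the CVE-2021-27065 file write, which abuses a virtual directory’s ExternalUrl to get a script onto disk). The sample log text is constructed and keeps only a few of the columns a real Exchange log has; the parser keys by column name, so it works unchanged on the real, much wider files. Hostnames, IPs and the placeholder payload are all made up for the example.

```python
"""Added example: scan Exchange HttpProxy and ECP logs for the ProxyLogon
indicators Microsoft published in March 2021. Not from the article."""
import csv
import re

# Constructed HttpProxy log: Exchange writes "#"-prefixed metadata lines
# followed by CSV rows whose columns are named in the "#Fields:" line.
# Real logs have dozens more columns; only the ones used here are kept.
HTTPPROXY_SAMPLE = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T08:12:01.004Z,Owa,/owa/auth/logon.aspx,,,203.0.113.10,200
2021-03-03T08:12:09.310Z,Ews,/EWS/Exchange.asmx,contoso\\jdoe,Sid~S-1-5-21-1-2-3-1105,198.51.100.7,200
2021-03-03T08:13:44.771Z,Ecp,/ecp/y.js,,ServerInfo~EXCH01.contoso.local/autodiscover/autodiscover.xml,203.0.113.10,200
2021-03-03T08:13:45.120Z,Ecp,/ecp/y.js,,ServerInfo~EXCH01.contoso.local/mapi/emsmdb/,203.0.113.10,200
2021-03-03T08:14:02.500Z,Autodiscover,/autodiscover/autodiscover.xml,contoso\\svc-mon,Sid~S-1-5-21-1-2-3-1200,198.51.100.9,200
"""

# Constructed ECP server log lines (free-form text, not CSV). The first is
# the kind of entry the file-write step leaves behind (payload replaced by a
# placeholder); the second is a legitimate administrator change that matches
# the same cmdlet pattern and must be triaged rather than alerted on alone.
ECP_SAMPLE = """\
2021-03-03T08:15:10.215Z,EXCH01,S:CMD=Set-OabVirtualDirectory.Identity='EXCH01\\OAB (Default Web Site)'.ExternalUrl='http://o/#<script language="JScript" runat="server">(payload omitted)</script>'
2021-03-03T09:01:33.000Z,EXCH01,S:CMD=Set-OwaVirtualDirectory.Identity='EXCH01\\owa (Default Web Site)'.ExternalUrl='https://mail.contoso.com/owa'
"""


def parse_exchange_log(text):
    """Turn an Exchange CSV log with a '#Fields:' header into a list of dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_serverinfo_anchor(anchor):
    """Microsoft's CVE-2021-26855 indicator: AnchorMailbox like ServerInfo~*/* ."""
    prefix = "ServerInfo~"
    return anchor.startswith(prefix) and "/" in anchor[len(prefix):]


def find_proxylogon_ssrf(rows):
    """Rows with no authenticated user that were still anchored to a server path."""
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == ""
        and is_serverinfo_anchor(r.get("AnchorMailbox", ""))
    ]


VDIR_CMDLET = re.compile(r"Set-\w+VirtualDirectory")


def find_ecp_virtualdirectory_writes(lines):
    """ECP log lines invoking Set-*VirtualDirectory (CVE-2021-27065 leaves these).

    Returns (line, script_in_line) pairs; only the flag separates an
    exploitation artefact from a routine admin change."""
    hits = []
    for line in lines:
        if VDIR_CMDLET.search(line):
            hits.append((line, "<script" in line.lower()))
    return hits


if __name__ == "__main__":
    for r in find_proxylogon_ssrf(parse_exchange_log(HTTPPROXY_SAMPLE)):
        print("SSRF indicator:", r["DateTime"], r["ClientIpAddress"], r["AnchorMailbox"])
    for line, scripted in find_ecp_virtualdirectory_writes(ECP_SAMPLE.splitlines()):
        print("web shell write:" if scripted else "vdir change (triage):", line[:90])
```

On a real server the HttpProxy logs live under the Exchange install path in Logging\HttpProxy and the ECP logs in Logging\ECP\Server; both checks only say that the exploit path was exercised, so a hit should be followed by a look for new .aspx files under the Exchange web directories and by a rebuild decision rather than just a patch.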

According to a recent publication by Kaspersky ICS CERT, in October 2021 the researchers spotted an active malicious campaign aimed at industrial control systems (ICS) in Pakistan.

“In mid-October 2021 Kaspersky ICS CERT researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. Infected machines included engineering computers in building automation systems that are part of the infrastructure of a telecommunications company,” reads the report.

During the investigation the researchers uncovered larger-scale activity by the Chinese-speaking threat actor in the telecommunications company’s network and also identified other victims of the campaign. They found malicious artifacts in organizations in the industrial and telecommunications sectors in both Pakistan and Afghanistan.

The campaign allegedly began in March 2021. At this point the researchers cannot tell what the attacker’s ultimate goal is; they believe it may be data harvesting.

According to the researchers, after breaching engineering computers within an organization’s building automation system, the threat actor compromised other parts of its infrastructure, including information security systems.

Apart from the ShadowPad backdoor, in this campaign the Chinese-speaking hackers also used other malware and tools, including the Cobalt Strike framework, the PlugX backdoor, web shells, credential-theft scripts, and the open-source nextnet network scanner.

The researchers believe that “the threat actor will strike again” and that it “will find new victims in different countries.”
