A state-sponsored threat actor used the infamous ProxyLogon vulnerability to breach building automation systems of organizations in the industrial and telecommunications sectors in Asia. The hackers used the flaw to plant the ShadowPad backdoor in the organizations’ networks and gain access to more secured areas of those networks.
ProxyLogon is a critical vulnerability in Microsoft Exchange (CVE-2021-26855) that allows a remote attacker to execute arbitrary code on the affected system. An attacker can send a specially crafted HTTP request to the Microsoft Exchange OWA interface, upload an arbitrary file to the server, and execute it. Although Microsoft released a fix on March 03, 2021, many systems remained unpatched.
According to a recent publication by Kaspersky ICS CERT, in October 2021 the researchers spotted an active malicious campaign aimed at ICS systems in Pakistan.
“In mid-October 2021, Kaspersky ICS CERT researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. Infected machines included engineering computers in building automation systems that are part of the infrastructure of a telecommunications company,” reads the report.
During the investigation, the researchers uncovered larger-scale activity by the Chinese-speaking threat actor in the telecommunications company’s network and also identified other victims of the campaign. They found malicious artifacts in organizations in the industrial and telecommunications sectors in both Pakistan and Afghanistan.
This malicious campaign allegedly began in March 2021. At this point, the researchers cannot tell what the attacker’s ultimate goal is; they believe it could be data harvesting.
According to the researchers, after breaching engineering computers within an organization’s building automation system, the threat actor compromised other parts of its infrastructure, including information security systems.
Apart from the ShadowPad backdoor, the Chinese hackers also used other malware and tools in this campaign, including the Cobalt Strike framework, the PlugX backdoor, web shells, scripts for credential theft, and the open-source nextnet network scanner.
The researchers believe that “the threat actor will strike again” and “will find new victims in different countries.”