Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Exchange Severs. Show all posts

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia

 

ShadowPad, a sophisticated and modular backdoor is back in action. Russian cybersecurity firm Kaspersky has unearthed a series of assaults that targeted unpatched Microsoft Exchange servers in multiple Asian nations. 

Researchers initially spotted the ShadowPad backdoor on industrial control systems (ICS) at a telecoms firm in Pakistan, where the hackers targeted engineering computers in building automation systems. Further investigation uncovered wide activity on the network, along with multiple organizations targeted in Pakistan, Afghanistan, and Malaysia. 

"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," Kaspersky ICS CERT researcher Kirill Kruglov stated. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." 

"Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." 

Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. However, traces of the attacks on compromised devices indicates that the malicious campaign began in March 2021, right around the time the ProxyLogon vulnerabilities in Exchange Servers became public knowledge. 

Besides deploying ShadowPad as "mscoree.dll," an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR, and web shells for remote access. Although the ultimate goal of the campaign remains unknown, the hackers are believed to be interested in long-term intelligence gathering. 

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been leveraged by multiple Chinese espionage actors over the years. While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware. 

ShadowPad gained popularity in 2017 when it was employed in software supply chain assaults involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments published in 2020 provide more insights on ShadowPad's relationship to BRONZE ATLAS.