Unpatched Microsoft Exchange servers in various Asian countries were the target of an attack campaign discovered by Russian cybersecurity firm Kaspersky.
According to a company advisory released on Monday, the threat actors exploited these Exchange vulnerabilities to gain access to the industrial control systems (ICS) of telecommunications companies in Pakistan and Afghanistan, as well as a logistics and transportation company in Malaysia.
In October 2021, Kaspersky discovered that hackers were exploiting the CVE-2021-26855 vulnerability in Microsoft Exchange to gain access to user data. However, signs of the attacks on the affected systems appear to date back to March of this year.
“During the investigation, researchers uncovered larger-scale activity by the threat actor in the network of the telecommunications company and also identified other victims of the campaign.”
At various points in this hacking campaign, a legitimate executable file called AppLaunch.exe was used to launch the ShadowPad backdoor on victims’ computers, according to reports.
The attackers would then hijack OleView, a legitimate OLE/COM object viewing application, to launch ShadowPad. Initially the threat actors sent commands manually; later they automated them.
Hackers are said to have used the CobaltStrike framework, the PlugX backdoor, and various BAT files during these cyberattacks. In the original advisory, you can find a complete list.
On the attribution of these new attacks, Kaspersky stated that they showed an almost entirely unique set of tactics, techniques, and procedures (TTPs).
The attackers’ TTP enabled us to link these attacks to a Chinese-speaking threat actor, and we observed victims located in different regions. This means that the actor we have identified may have broader geographical interests and we could expect more victims to be discovered in different countries in the future.
While the attackers’ ultimate goal remains unclear, the antivirus company said that, at the time of writing, it believes the goal may be data harvesting.
“We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries.”
About the Author
Rebecca James is an IT consultant with forward thinking approach toward developing IT infrastructures of SMEs. She writes to engage with individuals and raise awareness of digital security, privacy, and better IT infrastructure.