Unpatched Microsoft Exchange servers in various Asian countries were the target of an attack campaign discovered by Russian cybersecurity firm Kaspersky.
The threat actors exploited the above vulnerabilities to gain access to the industrial control systems (ICS) of telecommunications companies in Pakistan and Afghanistan, as well as a logistics and transportation company in Malaysia, according to a company advisory released on Monday.
In October 2021, Kaspersky discovered that hackers were exploiting the CVE-2021-26855 vulnerability in Microsoft Exchange to gain access to user data. However, signs of the attacks on the affected systems appear to date back to March of this year.
“During the investigation, researchers uncovered larger-scale activity by the threat actor in the network of the telecommunications company and also identified other victims of the campaign.”
At various points in this hacking campaign, a legitimate executable file called AppLaunch.exe was used to launch the ShadowPad backdoor on victims’ computers, according to reports.
A legitimate OLE/COM object viewing application, OleView, would then be hijacked by the attackers to launch ShadowPad. Initially, the threat actors sent commands manually; later, they automated the process.
Hackers are said to have used the Cobalt Strike framework, the PlugX backdoor, and various BAT files during these cyberattacks. The original advisory contains a complete list.
On the attribution of these new attacks, Kaspersky stated that they involved an almost entirely unique set of tactics, techniques and procedures (TTPs).
“The attackers’ TTP enabled us to link these attacks to a Chinese-speaking threat actor, and we observed victims located in different regions. This means that the actor we have identified may have broader geographical interests and we could expect more victims to be discovered in different countries in the future.”
At the time of writing, the attacker’s ultimate goal remains unclear, although the antivirus company has stated that it believes the goal may be data harvesting.
“We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries.”