APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

The Hacker News (thehackernews.com), Jun 28, 2022, 11:30 a.m.

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

Industrial Control Systems

Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware.

Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.

“During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims,” the company said. “By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization.”

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years.

While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware.

“During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software,” Kaspersky said. “In many cases, the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of their campaigns.”

Evidence suggests that intrusions mounted by the adversary began in March 2021, right around the time the ProxyLogon vulnerabilities in Exchange Servers became public knowledge. Some of the targets are said to have been breached by exploiting CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in the mail server.

Besides deploying ShadowPad under the file name “mscoree.dll,” the name of a legitimate Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR, and web shells for remote access.
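One defensive check that follows from the masquerading detail above, as an added example that is not part of the article or Kaspersky's report: flag any module named mscoree.dll loaded from somewhere other than the Windows system directories where the genuine .NET component lives. The record format, the expected directories and the sample events are assumptions constructed for this example.

```python
"""Hunt for mscoree.dll loaded from outside its expected Windows locations.
Added example (not from the article); EXPECTED_DIRS is an assumption for a
default Windows install on C:, and the event records are constructed."""
import ntpath
from dataclasses import dataclass

# Assumed locations of the legitimate mscoree.dll (lower-cased for comparison)
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


@dataclass(frozen=True)
class ModuleLoad:
    host: str
    process: str
    path: str


def is_suspicious_mscoree(load: ModuleLoad) -> bool:
    """True when the module is named mscoree.dll but sits outside EXPECTED_DIRS."""
    directory, name = ntpath.split(load.path)
    if name.lower() != "mscoree.dll":
        return False
    return ntpath.normpath(directory).lower() not in EXPECTED_DIRS


def parse_events(lines):
    """Parse 'host | process | path' records (constructed format for this example)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, process, path = (field.strip() for field in line.split("|", 2))
        events.append(ModuleLoad(host, process, path))
    return events


def find_suspicious(lines):
    """Return the module-load events worth an analyst's attention."""
    return [event for event in parse_events(lines) if is_suspicious_mscoree(event)]


# Constructed sample telemetry, not real data
SAMPLE_EVENTS = """
# host | process | loaded module
exch01 | w3wp.exe | C:\\Windows\\System32\\mscoree.dll
exch01 | w3wp.exe | C:\\ProgramData\\Update\\mscoree.dll
bms02 | svchost.exe | C:\\Windows\\SysWOW64\\mscoree.dll
bms02 | installer.exe | C:\\Users\\Public\\mscoree.dll
""".strip().splitlines()

if __name__ == "__main__":
    for event in find_suspicious(SAMPLE_EVENTS):
        print(f"{event.host}: {event.process} loaded {event.path}")
```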

Although the final goals of the campaign remain unknown, the attackers are believed to be interested in long-term intelligence gathering.

“Building automation systems are rare targets for advanced threat actors,” Kaspersky ICS CERT researcher Kirill Kruglov said. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”

