A note for those who believe that nobody needs a “forgotten” server.

Years after the Microsoft Exchange vulnerabilities were disclosed, old servers remain a convenient entry point for cyber espionage. A new malicious campaign linked to Chinese interests shows that even long-patched flaws continue to help attackers infiltrate the networks of government agencies, defense contractors and critical infrastructure.
TrendAI Research has described the activity of a group it tracks under the temporary name SHADOW-EARTH-053. According to the team, the attacks began no later than December 2024 and affected organizations in South, East and South-East Asia, as well as one NATO country. Targets include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and Poland.
The attackers exploited previously disclosed vulnerabilities in Microsoft Exchange and Internet Information Services. Among the chains used is ProxyLogon, associated with CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. After compromising the servers, the group established a foothold through web shells, including GODZILLA, and then deployed the ShadowPad malware.
The attacks loaded their payloads by DLL side-loading against legitimate signed executables. In some cases, the researchers observed a renamed Toshiba Bluetooth Stack binary that extracted the payload from the Windows registry. To maintain access, a scheduled task was created that ran every five minutes with elevated privileges.
After gaining a foothold, SHADOW-EARTH-053 operators surveyed Active Directory and Exchange, looking for domain administrators, domain controllers and internal mail servers. Mimikatz, Evil-CreateDump and a tool for DCSync-style attacks were used to harvest credentials and data. In one case, the attackers created a password-protected RAR archive containing the PST mailbox file of the head of the targeted company.
For covert communication and lateral movement inside the networks, the group deployed IOX, GOST, Wstunnel and other tunneling tools. Some of the files were placed in C:/Users/Public and C:/ProgramData, and Windows system utilities were disguised as randomly named files with a .log extension to evade process-based defenses.
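A defender-side triage check for the masquerading described above, added here as an example and not taken from the TrendAI report: it flags files under the two staging directories named in the article whose extension is .log but whose first bytes are the PE "MZ" magic, i.e. renamed executables posing as logs. The sample listing and file names are constructed.

```python
"""Triage helper (added example, not from the report): flag files under the
staging directories named in the article that carry a .log extension but start
with a PE 'MZ' header, i.e. renamed Windows executables masquerading as logs."""
import os
from pathlib import PureWindowsPath

# Directories the report names as staging locations (NTFS is case-insensitive).
STAGING_DIRS = ("c:/users/public", "c:/programdata")
PE_MAGIC = b"MZ"


def _normalize(path: str) -> str:
    # Compare on forward slashes and lower case so C:\ProgramData\x and
    # c:/programdata/x match the same prefix.
    return PureWindowsPath(path).as_posix().lower()


def is_masqueraded_executable(path: str, head: bytes) -> bool:
    """True if a .log file under a staging dir begins with the PE 'MZ' magic."""
    norm = _normalize(path)
    in_staging = any(norm.startswith(d + "/") for d in STAGING_DIRS)
    return in_staging and norm.endswith(".log") and head[:2] == PE_MAGIC


def find_masqueraded(entries):
    """entries: iterable of (path, first_bytes). Returns the flagged paths."""
    return [p for p, head in entries if is_masqueraded_executable(p, head)]


def read_heads(root: str, n: int = 2):
    """Walk a real directory tree and yield (path, first n bytes) per file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    yield full, fh.read(n)
            except OSError:
                continue


# Constructed sample listing for a stand-alone run (not real forensic data).
SAMPLE = [
    ("C:\\Users\\Public\\a8f3k2.log", b"MZ\x90\x00"),      # renamed PE -> flag
    ("C:\\ProgramData\\update.log", b"2025-01-01 info"),   # genuine text log
    ("C:\\ProgramData\\svc.log", b"MZ\x90\x00"),           # renamed PE -> flag
    ("C:\\Windows\\System32\\cmd.exe", b"MZ\x90\x00"),     # PE where expected
    ("C:\\Users\\Public\\notes.txt", b"MZ\x90\x00"),       # not a .log file
]

if __name__ == "__main__":
    for hit in find_masqueraded(SAMPLE):
        print("suspicious:", hit)
```

On a live host, feed `find_masqueraded(read_heads(r"C:\ProgramData"))` instead of the constructed sample; the same rule applies to any other staging directory you add to STAGING_DIRS.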
TrendAI Research also found overlaps with another temporarily tracked cluster, SHADOW-EARTH-054. Nearly half of the SHADOW-EARTH-053 targets had previously encountered SHADOW-EARTH-054 activity, with the groups using the same entry points and some of the same tools. The authors of the report consider it more likely that this reflects not shared control but independent exploitation of the same vulnerabilities in environments that were already vulnerable.
The nature of the targets points to cyber espionage and theft of valuable information. Organizations with Exchange and IIS exposed to the Internet that have gone without security updates for a long time remain at particular risk. The campaign shows that forgotten servers can serve as a working foothold for months in attacks on state and defense structures.