In an alarming development in cybersecurity, researchers from Trend Micro have uncovered a sophisticated attack campaign orchestrated by a Chinese-linked Advanced Persistent Threat (APT) group known as “Earth Baxia.” This Chinese Hackers Exploit vulnerabilities in GeoServer—a popular open-source server used for sharing and processing geospatial data—to deploy a malware known as EAGLEDOOR. This blog delves into the details of the attack, the vulnerabilities exploited, and recommendations to protect against such threats.
Understanding GeoServer and Its Vulnerabilities
What is GeoServer?
GeoServer is an open-source server written in Java that enables users to share, process, and edit geospatial data. It supports various data formats and integrates seamlessly with mapping applications like Google Maps and OpenLayers. Its flexibility makes it an essential tool for organizations that rely on web mapping and spatial data infrastructure.
The Exploited Vulnerability: CVE-2024-36401
The primary vulnerability exploited by Earth Baxia is designated as CVE-2024-36401, a Remote Code Execution (RCE) flaw in GeoServer. This vulnerability allows attackers to execute arbitrary code on affected systems, providing them with a foothold to deploy further malicious payloads. Given GeoServer’s widespread use, this vulnerability poses a significant risk to organizations utilizing this software, particularly in sensitive sectors.
The Attack Vector of Chinese Hackers Exploit
Targeting APAC Countries
Earth Baxia has primarily targeted government agencies, telecommunications, and energy sectors across several Asia-Pacific (APAC) countries, including Taiwan, the Philippines, South Korea, Vietnam, and Thailand. Their tactics include sophisticated spear-phishing attacks designed to trick individuals into executing malicious files.
Spear-Phishing with MSC Files
The attack typically begins with spear-phishing emails containing malicious MSC (Microsoft Common Script) files, often labeled as “RIPCOY.” These files exploit the vulnerabilities in GeoServer, allowing the attackers to execute their code upon opening.
Infection Chain and Payload Deployment
Techniques Employed
The infection chain employed by Earth Baxia is complex, leveraging various techniques to ensure successful deployment of the EAGLEDOOR malware. Notable techniques include:
- AppDomainManager Injection: This method allows attackers to inject malicious code into legitimate applications, making detection difficult.
- GrimResource: A technique to facilitate the downloading of malicious payloads from cloud services, including AWS and Aliyun.
Customized Cobalt Strike Components
Once the initial access is achieved, Earth Baxia deploys customized Cobalt Strike components, including:
- SWORDLDR: A shellcode loader used to execute further payloads.
- EAGLEDOOR: The primary backdoor employed in the attack, allowing for extensive control over the compromised systems.
Features and Functionality of EAGLEDOOR
Multi-Protocol Support
EAGLEDOOR boasts multi-protocol communication capabilities, utilizing protocols such as DNS, HTTP, TCP, and even Telegram. This adaptability enables the attackers to maintain communication with compromised systems, even in the face of potential disruptions.
Loader Mechanism
The loader for EAGLEDOOR employs DLL side-loading techniques, specifically using files named Systemsetting.dll and Systemsetting.exe. This method aids in evading detection by masquerading as legitimate files.
Backdoor Operations
EAGLEDOOR features several critical operations, including:
- API Hooking: This is accomplished via a component named Hook.dll, enabling the malware to intercept and manipulate API calls made by other applications.
- Core Operations: Managed by Eagle.dll, this component handles the essential functions of the backdoor.
Command and Control via Telegram
One of the more unique aspects of EAGLEDOOR is its use of the Telegram Bot API for command and control (C2) communications. This includes methods such as:
- getFile
- getUpdates
- sendDocument
- sendMessage
By leveraging Telegram, attackers can maintain a robust communication channel while minimizing the risk of detection by traditional security measures.
Evading Detection and Maintaining Persistence
Obfuscation Techniques
To evade detection and maintain persistence on compromised systems, Earth Baxia employs various obfuscation techniques, including:
- Base64 Encoding: This technique disguises the payloads, making them harder to analyze and detect by security systems.
- AES Encryption: Used to secure communication and payloads, further complicating efforts to identify malicious activities.
Data Exfiltration Process
The exfiltration of stolen data is carefully executed. The collected information is archived, and tools like curl.exe are used to upload the data to remote file servers, such as the one identified with the IP address 152.42.243.170. This process underscores the need for robust monitoring of outgoing network traffic.
Initial Access and Tool Delivery
Diverse Initial Access Methods
Earth Baxia employs various methods for initial access, including the use of MSC and LNK (link) files to deliver their malicious toolsets. This diversity in attack vectors increases their chances of success, as different users may respond to different types of phishing attempts.
Decoy Documents and Malicious Components
Researchers identified specific websites, such as Static.krislab.site, that Earth Baxia utilized to spread decoy documents alongside Cobalt Strike components. These sites host files like Edge.exe, msedge.dll, and Logs.txt, all of which are deployed using PowerShell commands to execute the payloads.
Recommendations for Mitigation
In light of the tactics employed by Earth Baxia, organizations must take proactive measures to safeguard their systems. Here are some key recommendations:
1. Continuous Phishing Awareness Training
Regular training sessions can significantly enhance employees’ ability to recognize phishing attempts and malicious files. By fostering a culture of security awareness, organizations can reduce the likelihood of successful attacks.
2. Multi-Layered Protection Solutions
Implementing a multi-layered security approach is crucial. This includes:
- Firewalls
- Intrusion Detection Systems (IDS)
- Endpoint Protection Platforms (EPP)
These layers can help detect and mitigate threats before they can exploit vulnerabilities.
3. Vigilant Cybersecurity Practices
Organizations should maintain vigilant cybersecurity practices, including:
- Regularly updating and patching software, especially critical systems like GeoServer.
- Conducting routine security audits and vulnerability assessments.
- Monitoring network traffic for unusual activities.
Conclusion
The exploitation of GeoServer vulnerabilities by Earth Baxia underscores the evolving landscape of cyber threats. By understanding the tactics employed by threat actors and implementing robust security measures, organizations can better protect themselves against the risks posed by sophisticated malware like EAGLEDOOR. As the threat landscape continues to evolve, vigilance and proactive measures are key to maintaining cybersecurity resilience.
Frequently Asked Questions about Chinese Hackers Exploit
What is EAGLEDOOR malware?
EAGLEDOOR is a backdoor malware deployed by the Earth Baxia APT group, allowing attackers to maintain control over compromised systems and exfiltrate data.
How does Earth Baxia exploit GeoServer?
Earth Baxia exploits the CVE-2024-36401 vulnerability in GeoServer, allowing for remote code execution, which facilitates the deployment of their malware.
What sectors are most at risk?
Government agencies, telecommunications, and energy sectors in APAC countries have been the primary targets of Earth Baxia’s attacks.
How can organizations protect themselves?
Organizations can protect themselves by implementing continuous phishing awareness training, deploying multi-layered security solutions, and maintaining vigilant cybersecurity practices.
What are the signs of a potential compromise?
Signs of compromise may include unusual network traffic, unauthorized access attempts, and unexpected behavior of software applications.
References
Senapathi, V. (2024, September 24). Chinese Hackers Exploiting GeoServer Flaw To Deploy EAGLEDOOR Malware. Retrieved from Cyber Security News: https://cybersecuritynews.com/chinese-hackers-exploit-geoserver-eagledoor/