Recent reports have surfaced detailing a targeted cyberattack campaign aimed at unpatched Microsoft Exchange Servers, utilizing these vulnerabilities as a foothold to deploy the sophisticated ShadowPad malware. Key targets include entities in Afghanistan, Malaysia, and Pakistan, particularly focusing on organizations within the telecommunications, manufacturing, and transportation sectors.

Kaspersky, the Russian cybersecurity firm, first identified the activity in mid-October 2021 and attributed the attacks to an unidentified, Chinese-speaking adversary. In the initial phase of the campaign, the attackers leveraged vulnerabilities in Microsoft Exchange to infiltrate the building automation systems of one victim, using them as a gateway to more secure systems and sensitive data within the organization.

ShadowPad, which first emerged as an advanced modular malware platform in 2015 and is considered a successor to PlugX, is sold exclusively on the cybercriminal market and has been adopted by various Chinese espionage groups over the years. Its design allows for remote execution of additional plugins, enhancing its capabilities beyond just covert data collection. The malware’s inherent anti-forensic and anti-analysis features significantly complicate detection and mitigation efforts.

Kaspersky highlighted that during the attacks, the ShadowPad backdoor was disguised as legitimate software, often downloaded alongside Microsoft .NET Framework components, further emphasizing the targeted approach taken by the attackers. Evidence suggests that these operations began as early as March 2021, coinciding with the public disclosure of the ProxyLogon vulnerabilities affecting Exchange Servers. Additionally, some breaches likely exploited the CVE-2021-26855 server-side request forgery vulnerability.

Throughout the campaign, the attackers employed multiple tactics, including deploying ShadowPad as “mscoree.dll” and utilizing additional tools such as Cobalt Strike, a variant known as THOR, along with web shells to maintain remote access. While the ultimate objectives of this campaign remain obscure, it is widely speculated that the attackers seek to acquire long-term intelligence and gain access to high-value information.
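One defender-side check that follows from the masquerading detail above, added here as an example rather than code from Kaspersky or this article: it walks DLL-load records (for instance from EDR or Sysmon image-load telemetry) and flags any file named mscoree.dll loaded from outside the directories where Windows ships the genuine library. The expected-directory allow-list, the ModuleLoad record shape and the sample records are assumptions constructed for the example and should be tuned to the environment.

```python
import ntpath
import re
from dataclasses import dataclass

# ASSUMPTION: directories where a genuine mscoree.dll lives on a default 64-bit
# Windows install. Tune per environment (non-default %SystemRoot%, etc.); a real
# hunt would additionally verify the Authenticode signature of every hit.
EXPECTED_MSCOREE_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


@dataclass(frozen=True)
class ModuleLoad:
    process: str  # image name of the process that loaded the DLL
    path: str     # full path of the loaded DLL as reported by telemetry


def normalize(path: str) -> str:
    """Lower-case, convert forward slashes, collapse repeated backslashes."""
    p = path.replace("/", "\\").lower()
    return re.sub(r"\\+", "\\\\", p)


def is_suspicious_mscoree(load: ModuleLoad) -> bool:
    """True when a file named mscoree.dll was loaded from an unexpected directory."""
    directory, name = ntpath.split(normalize(load.path))
    if name != "mscoree.dll":
        return False
    return directory not in EXPECTED_MSCOREE_DIRS


def find_suspicious(loads):
    """Return the subset of load records that warrant analyst review."""
    return [load for load in loads if is_suspicious_mscoree(load)]


# Constructed sample records, not real telemetry from the campaign.
SAMPLE_LOADS = [
    ModuleLoad("w3wp.exe", r"C:\Windows\System32\mscoree.dll"),
    ModuleLoad("svchost.exe", r"C:\Windows\SysWOW64\mscoree.dll"),
    ModuleLoad("updater.exe", r"C:\ProgramData\Microsoft\NET\mscoree.dll"),
    ModuleLoad("w3wp.exe", r"C:\inetpub\wwwroot\aspnet_client\mscoree.dll"),
    ModuleLoad("explorer.exe", r"C:\Windows\System32\mscoreei.dll"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOADS):
        print(f"[!] {hit.process} loaded {hit.path}")
```

Only the two records whose mscoree.dll sits outside System32/SysWOW64 are reported; a same-named file in the right directory and a differently named .NET component are left alone.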

Kaspersky’s ICS CERT researcher, Kirill Kruglov, noted that while building automation systems are not typical targets for advanced cyber actors, they can serve as vital sources of sensitive information and potentially offer pathways into more secure areas of the targeted infrastructures. This underlines the risk posed by such cyber operations, especially against entities managing critical infrastructure.

The MITRE ATT&CK framework provides insight into the techniques potentially utilized during these attacks, highlighting initial access tactics through exploitation of known vulnerabilities, persistence through carefully planted malware, and privilege escalation to access more secured systems. As the cybersecurity landscape evolves, businesses should remain vigilant and proactive in safeguarding their networks against similar threats.
