Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

September 23, 2024 at 02:18AM

A suspected China-linked APT targeted a Taiwanese government organization and other APAC countries by exploiting a security flaw in OSGeo GeoServer. The activity combines several techniques and tools, including Cobalt Strike and the EAGLEDOOR backdoor, to gain access to government and energy-sector networks and collect data from them. The threat actor's sophistication and adaptability are notable.

Key takeaways from the article are as follows:

– A suspected advanced persistent threat (APT) originating from China, dubbed Earth Baxia, targeted a government organization in Taiwan and other countries in the Asia-Pacific region by exploiting a recently patched critical security flaw in OSGeo GeoServer (in its use of the GeoTools library).
– The intrusion activity was detected by Trend Micro in July 2024 and appears to primarily target government agencies, telecommunications businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
– The threat actor combines GeoServer exploitation and spear-phishing for initial access with Cobalt Strike and a custom backdoor tracked as EAGLEDOOR for post-exploitation and data exfiltration, and stages its malicious files on public cloud services so that the downloads blend in with legitimate traffic.
– NTT Security Holdings recently detailed an activity cluster with links to APT41 that used similar techniques to target Taiwan, the Philippine military, and Vietnamese energy organizations, suggesting a possible relationship between the two intrusion sets.

Taken together, these points describe the cyber espionage activity attributed to Earth Baxia and its implications for the affected countries and industries in the Asia-Pacific region. For defenders, the practical consequence is that any internet-exposed GeoServer instance should be updated to a patched version, and that Cobalt Strike activity and unexpected downloads from public cloud storage are the observable signals of this campaign worth hunting for.