September 19, 2024 at 04:38AM
The threat actor Earth Baxia targeted a government organization in Taiwan, and possibly others in APAC countries, using spear-phishing emails and exploitation of CVE-2024-36401, a vulnerability in GeoServer. The group deployed customized Cobalt Strike components and a new backdoor, EAGLEDOOR, that supports multiple communication protocols for information gathering and payload delivery. The available evidence points to an origin in China.
The key takeaways are as follows:
1. Threat Actor and Techniques: Earth Baxia has been targeting government organizations in Taiwan and other APAC countries, combining spear-phishing with exploitation of the GeoServer vulnerability CVE-2024-36401.
2. Attack Flow: The group's attack flow is analysed in detail, covering the tactics, techniques, and procedures (TTPs) involved.
3. Attribution and Victimology: The campaigns are attributed to China. The impacted regions and sectors are outlined: mainly government agencies, telecommunications providers, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
4. Identified Threat Components: Customized Cobalt Strike components and a new backdoor named EAGLEDOOR were deployed during the attacks, showing the complexity of Earth Baxia's operations and its ability to adapt its tooling.
5. Best Practices and Mitigation: Recommended defences are continuous phishing awareness training, multi-layered protection, and advanced threat detection to reduce the risk posed by such intrusions. Since CVE-2024-36401 has a vendor fix, keeping internet-exposed GeoServer instances on a patched release removes that entry point entirely.
Overall, this is a comprehensive overview of Earth Baxia's targeted attacks, with useful insight into the group's tactics and the practices that counter them.
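The two checks below are an added example, not code from the report or from any vendor tooling: one tells a defender whether a GeoServer version string is still in the range affected by CVE-2024-36401, the other scans web-server access logs for OGC requests whose filter or property-name parameters carry Java expression-evaluation payloads, which is how this vulnerability (unsafe XPath evaluation of request parameters) is abused. The patched versions are taken from the GeoServer advisory for the CVE; the log lines, IP addresses and parameter list are constructed for the example, and the log format is assumed to be the common "combined" format of a reverse proxy in front of GeoServer.

```python
"""Added example: triage helpers for CVE-2024-36401 (GeoServer).

Not code from the report. (1) version check against the patched releases,
(2) access-log scan for Java evaluation payloads in parameters that
GeoServer evaluates as property names / XPath / filters.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First patched release on each branch that received a fix
# (GeoServer advisory for CVE-2024-36401). Older branches got no fix.
FIXED_VERSIONS = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}


def geoserver_vulnerable(version: str) -> bool:
    """True if a GeoServer version string is below the patched release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) < (2, 23):
        return True                      # end-of-life branch, no fix published
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False                     # 2.26 and later shipped after the fix
    return (major, minor, patch) < fixed


# Parameters GeoServer evaluates as property names / XPath / filters
# (assumed list for the example; extend for your deployment).
EVAL_PARAMS = {"valuereference", "propertyname", "filter", "cql_filter", "sortby"}
# Substrings that mark an attempt to reach Java from an XPath expression.
JAVA_EVAL = re.compile(r"exec\s*\(|java\.lang\.|getRuntime|ProcessBuilder", re.I)

# Combined log format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not from the report). Line 2 is the
# suspicious one; line 4 is a POST whose body is not visible in access logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2024:08:12:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jul/2024:08:12:03 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime()%2C%27id%27) HTTP/1.1" 400 812
198.51.100.5 - - [10/Jul/2024:08:15:44 +0000] "GET /geoserver/ows?service=WMS&request=GetMap&layers=topp:states HTTP/1.1" 200 90311
203.0.113.9 - - [10/Jul/2024:08:16:10 +0000] "POST /geoserver/wfs HTTP/1.1" 200 201
"""


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return one record per request whose evaluated parameter carries a
    Java evaluation payload: source IP, timestamp, parameter, value, status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        query = urlsplit(target).query
        # Decode once before parse_qs decodes again: double-encoded payloads
        # are a common way to slip past a WAF.
        params = parse_qs(unquote(query), keep_blank_values=True)
        for name, values in params.items():
            if name.lower() not in EVAL_PARAMS:
                continue
            for v in values:
                if JAVA_EVAL.search(v):
                    hits.append({"src": src, "time": ts, "param": name,
                                 "value": v, "status": status})
    return hits


if __name__ == "__main__":
    for ver in ("2.22.5", "2.24.3", "2.25.2", "2.26.0"):
        print(ver, "vulnerable" if geoserver_vulnerable(ver) else "patched")
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Note that the log scan only sees GET query strings; WFS requests may also arrive as XML POST bodies, which a reverse-proxy access log does not record, so the same patterns should be applied to GeoServer's own request logging or a WAF that inspects bodies. A hit with a 4xx status is still worth investigating: on a vulnerable server the payload runs before the error is returned.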