September 22, 2024 at 09:10PM
A China-linked cyber-espionage group dubbed Earth Baxia has targeted Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam. The group primarily uses spear-phishing and a custom backdoor called EagleDoor, as well as exploiting a vulnerability in the open source GeoServer software. The majority of the group’s infrastructure is based in China.
Based on the meeting notes, it appears that a China-linked cyber-espionage group, identified as Earth Baxia by Trend Micro, has conducted a series of attacks on government agencies, military organizations, and energy companies in the Asia-Pacific region. The group primarily uses spear-phishing and has exploited a vulnerability in the open source GeoServer software. The attacks have been specifically targeting nations of Chinese national interest, and the group’s infrastructure is based in China. The attacks have been primarily directed at government agencies, telecommunication businesses, and the energy industry in countries such as the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
The group is also known to use a variety of techniques, including GrimResource and AppDomainManager injection, to further compromise targeted systems. Ultimately, the attacks lead to the installation of a custom backdoor known as EagleDoor or the implantation of the red-team tool Cobalt Strike for command-and-control capabilities. It’s worth noting that the use of Cobalt Strike provides little attribution information, as it is a commonly used tool among cybercriminal and cyber-espionage groups.
Overall, it is clear that this cyber-espionage group poses a significant threat to organizations and governments in the Asia-Pacific region, and its use of sophisticated techniques underscores the importance of robust cybersecurity measures.