Earth Baxia, an APT group believed to be based in China, has been conducting targeted attacks on government organizations, telecommunication businesses [2] [3], and the energy industry across multiple Asia-Pacific countries [2].

Description

The group uses spear-phishing emails [1] [2] [3] [4] [5] and exploits CVE-2024-36401, a critical vulnerability in the GeoTools library used by OSGeo GeoServer, to gain access to targets and deploy its payloads [1] [5]. Observed tooling includes Cobalt Strike components and a custom backdoor called EAGLEDOOR, which supports data exfiltration over several communication channels: DNS, HTTP, TCP, and Telegram [3] [4] [5]. Because the malware can reach its C2 server over multiple protocols [1], detection is difficult [1] [2]. Additional payloads are delivered using GrimResource and AppDomainManager injection.

The combination of GeoServer exploitation [5], spear-phishing [1] [2] [3] [4] [5], and customized malware [5] demonstrates the complexity and adaptability of the group's tactics [4]. Its infrastructure is hosted primarily on public cloud services, which the attackers use to hide malicious activity [1], and its targeting concentrates on APAC nations of Chinese national interest [3].

Conclusion

These targeted attacks have significant implications for the security of government and energy sectors in the Asia-Pacific region. Mitigating them requires a comprehensive approach: patching exploited vulnerabilities such as CVE-2024-36401, strengthening email security against spear-phishing, and monitoring for suspicious activity, including the unusual outbound channels the backdoor is known to use. The advanced techniques employed by Earth Baxia highlight the need for organizations to stay vigilant and continuously update their defenses against evolving threats.

References

[1] https://www.vpnranks.com/news/chinese-hackers-exploit-geoserver-flaw-unleash-eagledoor-malware/
[2] https://blog.netmanageit.com/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/
[3] https://www.darkreading.com/cyberattacks-data-breaches/china-earth-baxia-spies-geoserver-apac-orgs
[4] https://securityaffairs.com/168767/apt/earth-baxia-apt-targets-apac-geotools-flaw.html
[5] https://thehackernews.com/2024/09/chinese-hackers-exploit-geoserver-flaw.html