Kanpur, India – September 23, 2024 – A sophisticated cyber-espionage campaign orchestrated by a China-linked group, dubbed “Earth Baxia,” has been uncovered, targeting several Asia-Pacific (APAC) nations. The attackers exploited a vulnerability in the open-source GeoServer software, identified as CVE-2024-36401, to deploy the EAGLEDOOR malware, compromising critical infrastructure and government agencies across the region [1][2].
The Attack Vector
Earth Baxia primarily used spear-phishing techniques to gain initial access. The group sent emails containing malicious links or attachments, often disguised as documents related to significant regional conferences or international meetings. Once the target interacted with these decoy documents, the attackers exploited the GeoServer vulnerability to execute remote code and install the EAGLEDOOR backdoor [1][2].
Targets and Impact
The campaign has affected a wide range of sectors, including government agencies, telecommunications, and energy companies in countries such as Taiwan, Japan, the Philippines, South Korea, and Vietnam. Notably, the attackers also targeted the Philippine and Japanese military, as well as energy companies in Vietnam [1][2].
Technical Details
The EAGLEDOOR malware is a custom backdoor that supports multiple communication protocols, allowing the attackers to gather information and deliver additional payloads. In some instances, the attackers also deployed customized versions of the Cobalt Strike client, which included modified internal signatures and configurations to evade detection [2].
Attribution and Analysis
Trend Micro researchers have attributed these attacks to Earth Baxia, noting significant overlaps with other known Chinese APT groups, such as APT41. The majority of the group’s infrastructure is based in China, and its activities align with Chinese national interests [1][2].
Conclusion
This latest campaign underscores the persistent threat posed by state-sponsored cyber-espionage groups. Organizations in the APAC region are urged to bolster their cybersecurity defenses, particularly by patching known vulnerabilities and educating employees about spear-phishing tactics.
For more detailed analysis and recommendations, see the full report by Trend Micro [2].