APT group uses ShadowPad backdoor and MS Exchange vulnerability

In mid-October 2021, Kaspersky ICS CERT discovered a previously unknown Chinese-speaking threat actor targeting telecommunications, manufacturing, and transportation organizations in several Asian countries. In the initial attacks, the group exploited a known MS Exchange vulnerability to deploy the ShadowPad malware and infiltrated the building automation systems of one of the victims.

A building automation system (BAS) connects all the functions within a building, from electricity and heating to fire and physical security, and is managed from a control center. Once a BAS is compromised, every process within that organization is at risk, including those related to information security.

Kaspersky ICS CERT experts observed attacks against telecommunications and industrial organizations in Pakistan, Afghanistan and Malaysia. The attacks shared a distinctive set of tactics, techniques, and procedures (TTPs), leading the experts to conclude that the same Chinese-speaking threat actor was behind all of them. What stood out was the actor's use of engineering computers in the victims' building automation systems as the point of entry, something unusual for APT groups. Once in control of those systems, an attacker can pivot to the organization's more sensitive systems.

As the research showed, the group's main tool is the ShadowPad backdoor, which Kaspersky has seen used by several Chinese-speaking APT actors. In the observed attacks, ShadowPad was downloaded onto the targeted computers disguised as legitimate software. In many cases, the group exploited a known vulnerability in MS Exchange and then entered commands manually, indicating the highly targeted nature of the campaign.
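The page does not name the Exchange vulnerability or the commands used, so nothing below reproduces the attack. What it does show, as an added example that is not code from Kaspersky or from the page, is the kind of early-stage monitoring that catches an operator typing commands through a compromised Exchange server. It assumes Sysmon-style process-creation records (ParentImage, Image, CommandLine) serialised one JSON object per line, and relies on a general fact about Exchange: commands run through a compromised front end execute as child processes of the IIS worker process w3wp.exe. The log lines are constructed for the example, not real telemetry.

```python
"""Flag interactive shell use spawned by the Exchange IIS worker process.

Added example, not code from Kaspersky or from the page. Assumes Sysmon-style
process-creation events as JSON lines and the general fact that commands run
through a compromised Exchange front end are children of w3wp.exe.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Interpreters and LOLBins an operator entering commands by hand would reach for.
# The check is "w3wp.exe spawns one of these", not "w3wp.exe spawns anything":
# ASP.NET legitimately starts csc.exe and similar compilers under the worker process.
SHELL_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one JSON log line into a ProcessEvent (Sysmon field names assumed)."""
    rec = json.loads(line)
    return ProcessEvent(rec["ParentImage"], rec["Image"], rec.get("CommandLine", ""))


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when the IIS worker process spawns a shell or LOLBin."""
    return basename(ev.parent_image) == "w3wp.exe" and basename(ev.image) in SHELL_IMAGES


def scan(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return the suspicious events found in an iterable of JSON log lines."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample log lines (not real telemetry). Raw strings keep the JSON
# backslash escapes intact; json.loads turns them into single backslashes.
SAMPLE_LOG = [
    r'{"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
    r'{"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig /fullpaths @temp.cmdline"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}',
    r'{"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}',
    r'{"ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net start"}',
]


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"SUSPICIOUS: {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

Of the five constructed events, only the two in which w3wp.exe starts cmd.exe or powershell.exe are flagged; the compiler spawned by w3wp.exe and the shells started by explorer.exe and services.exe are left alone. In production the same rule would be expressed in the SIEM or EDR query language, with the parent restricted to the Exchange application pools if the server also hosts other IIS sites.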

“Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly sensitive information and can provide attackers with a backdoor to other, more secure areas of infrastructure. Since these attacks develop extremely quickly, they must be detected and mitigated during their early stages. For this reason, our advice is to constantly monitor the aforementioned systems, especially in critical sectors,” says Kirill Kruglov, security expert at Kaspersky ICS CERT.

Learn more about attacks via building automation systems on the Kaspersky ICS CERT website.

To keep your OT computers protected from various threats, Kaspersky experts recommend:

  • Periodically update operating systems and any application software that is part of the company network. Apply fixes and security patches to OT network equipment as soon as they are available.
  • Carry out periodic security audits of OT systems to identify and eliminate possible vulnerabilities.
  • Use OT network traffic monitoring, analysis and detection solutions for better protection against attacks that potentially threaten OT systems and major company assets.
  • Provide dedicated OT security training for IT security teams and OT engineers. This is crucial to improve the response to new and advanced malicious techniques.
  • Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. The ICS Threat Intelligence Reporting service provides information on current threats and attack vectors, as well as the most vulnerable elements in OT and how to mitigate them.
  • Use OT network and endpoint security solutions such as Kaspersky Industrial CyberSecurity to ensure comprehensive protection for all critical systems.
  • Protect IT infrastructure. Integrated Endpoint Security protects corporate endpoints and enables automatic threat detection and response capabilities.


About Kaspersky ICS CERT

Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system providers, industrial facility owners and operators, and IT security researchers to protect industrial companies from cyber attacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on how to protect industrial companies from cyber threats. ics-cert.kaspersky.com

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise are constantly transformed into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the world. The company’s comprehensive security portfolio includes leading endpoint protection and a suite of specialized security solutions and services to combat sophisticated and ever-evolving digital threats. More than 400 million users are protected by Kaspersky technologies, and we help 250,000 corporate customers protect what matters most to them. Learn more at www.kaspersky.com
