A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools. The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia. "Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said. The discovery of lure documents in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it does not have enough information to determine what sectors within the country have been singled out. The multi-stage infection chain process leverages two different techniques, using spear-phishing emails and the exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously unknown backdoor codenamed EAGLEDOOR, which allows for information gathering and payload delivery. "The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard," the researchers…Read More