A Chinese-speaking advanced persistent threat (APT) is exploiting the ProxyLogon Microsoft Exchange vulnerability to deploy the ShadowPad malware, researchers said — with the end goal of taking over building-automation systems (BAS) and moving deeper into networks.
That's according to researchers at Kaspersky ICS CERT, who said that the infections affected industrial control systems (ICS) and telecom firms in Afghanistan and Pakistan, as well as a logistics and transport organization in Malaysia. The attacks came to light in October but appear to date back to March 2021.
"We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries," according to Kaspersky's Monday analysis.
In this specific spate of attacks, Kaspersky observed a unique set of tactics, techniques, and procedures (TTPs) linking the incidents together, including attackers compromising BAS engineering computers as their initial access point.
"BAS networks usually consist of BAS equipment and computers of BAS engineers (which usually have extensive access not only to BAS, but also to the corporate network and sometimes to OT/ICS [operational technology/industrial control systems] as well), Kirill Kruglov, security expert at Kaspersky ICS CERT, tells Dark Reading. "And at the same time, our experience shows that computers of BAS engineering are (usually) more vulnerable/less protected."
He adds, "In this campaign we've seen a BAS network (of a telecom) being compromised by threat actors who (as we believe) were originally targeting that telecom network. Having compromised the BAS network, threat actors probably got a lot of access to systems in BAS corporate networks in no time."
Researchers noted this is an unusual move for an APT group, despite proof-of-concept malware being available for such platforms.
"Building-automation systems are rare targets for advanced threat actors," says Kruglov. "However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures."
He adds, "This could be a situation where something accidently happened and someone (threat actor) can eventually realize how efficient such a tactic could be, so that could become a trend in a near future."
The attacks also threaten the physical integrity of buildings, researchers warned. BAS infrastructure unites operational features, such as electricity, lighting, HVAC systems, fire alarms, and security cameras, so they can be managed from a single management console.
"Once a BAS is compromised, all processes within that are at risk, including those relating to information security," according to Kaspersky's alert about the attacks.
In a real-world example of this rare kind of attack, last December a building automation engineering firm suddenly lost contact with hundreds of its BAS devices, including light switches, motion detectors, shutter controllers, and others — after being locked down with the system's own digital security key, which the attackers hijacked. The firm had to revert to manually flipping on and off the central circuit breakers in order to power on the lights in the building.
ProxyLogon Leads to ShadowPad Malware in Stealthy Infections
In many cases, the cyberattackers exploited the ProxyLogon remote code-execution (RCE) vulnerability in MS Exchange (CVE-2021-26855), the firm added. When used in an attack chain, the exploits for these ProxyLogon could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server.
ProxyLogon was disclosed in March 2021 after being exploited as a zero-day bug by a Chinese state-sponsored group that Microsoft calls Hafnium — but soon a dizzying array of threat groups piled on to exploit the issue to enable different kinds of attacks.
In this case, once in, the APT deploys the ShadowPad remote access Trojan (RAT) — a popular backdoor and loader used by various Chinese APTs. According to previous analysis from Secureworks, ShadowPad is advanced and modular, first deployed by the "Bronze Atlas" threat group in 2017. "A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals," the report noted.
Kaspersky researchers said that in the BAS attacks, "The ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software."
Specifically, the malware originally masqueraded as the mscoree.dll file, which is a Microsoft library file essential for the execution of "managed code" applications written for use with the .NET Framework. As such, the malware was launched by the legitimate AppLaunch.exe application, which itself was executed by creating a task in the Windows Task Scheduler. Last fall, the attackers switched to using the DLL-hijacking technique in legitimate software for viewing OLE-COM objects (OleView). The Windows Task Scheduler is also used in the newer approach. In both cases, using such living-off-the-land tools (i.e., legitimate native software) means that the activity is unlikely to raise any system-intrusion flags.
After the initial infection, the attackers first sent commands manually, then automatically, to deploy additional tools. Researchers said those included the following:
- The CobaltStrike framework (for lateral movement)
- Mimikatz (for stealing credentials)
- The well-known PlugX RAT
- BAT files (for stealing credentials)
- Web shells (for remote access to the Web server)
- The Nextnet utility (for scanning network hosts)
"The artifacts found indicate that the attackers stole domain-authentication credentials from at least one account in each attacked organization (probably from the same computer that was used to penetrate the network)," according to Kaspersky. "These credentials were used to further spread the attack over the network … we do not know the ultimate goal of the attacker. We think it was probably data harvesting."
How to Protect Against APT Attacks Targeting BAS, Critical Infrastructure
The attacks develop "extremely rapidly," Kaspersky said, so early-state detection and mitigation is key to minimizing damage.
"BAS security in general is usually less protected than IT or OT networks, because it has extensive access and less security controls/requirements in place," Kruglov says. "The main takeaway is supply-chain security. For ICS (as well as for IT) it is very important to implement layered security measures which should address supply chain attacks from BAS or telecom networks."
The researchers recommended the following best practices to protect industrial infrastructure, including BAS footprints:
- Regularly update operating systems and any application software that are part of the enterprise's network. Apply security fixes and patches to operational-technology (OT) network equipment such as BAS, as soon as they are available.
- Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
- Use OT network traffic monitoring, analysis, and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.
- Provide dedicated OT security training for IT security teams and OT engineers.
- Provide the security team responsible for protecting ICS with up-to-date threat intelligence.
- Use layered security solutions for OT endpoints and networks.