• Fri. Feb 3rd, 2023

How APT Group Uses ShadowPad Backdoor and MS Exchange Vulnerability to attack Companies


Jun 28, 2022
Read Time:2 Minute, 52 Second

In mid-October 2021, Kaspersky ICS CERT discovered a previously unknown Chinese-speaking threat actor attacking telecommunications, manufacturing, and transport organisations in several Asian countries.

During the initial attacks, the group exploited MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims.

A building automation system (BAS) connects all the functions inside the building – from electricity and heating to fire and security – and is managed from one control center.

Once a BAS is compromised, all processes within that organisation are at risk, including those relating to information security.

The experts at Kaspersky ICS CERT witnessed attacks on organisations in Pakistan, Afghanistan, and Malaysia in industrial and telecommunications sector.

The attacks had a unique set of tactics, techniques, and procedures (TTPs), which led the experts to believe that the same Chinese-speaking threat actor was behind all of these observed attacks.

Their attention was particularly drawn to the actor’s use of engineering computers in building automation systems, belonging to the companies’ infrastructures, as the point of infiltration – that is unusual for APT groups.

By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organisation.

As the investigation showed, the main tool of the APT group is ShadowPad backdoor. Kaspersky has been witnessing this malware being used by various Chinese-speaking APT actors.

During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software.

In many cases the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, that indicates the highly targeted nature of their campaigns.

“The building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures. Since these attacks develop extremely rapidly, they must be detected and mitigated during their very early stages. Thus, our advice is to constantly monitor the mentioned systems, especially in critical sectors,” comments Kirill Kruglov, security expert at Kaspersky ICS CERT.  

Learn more about the attacks through building automation systems on Kaspersky’s ICS CERT website.

To keep your OT computers protected from various threats, Kaspersky experts recommend:

· Regularly updating operating systems and any application software that are part of the enterprise’s network. Apply security fixes and patches to OT network equipment as soon as they are available.

· Conducting regular security audits of OT systems to identify and eliminate possible vulnerabilities.

· Using OT network traffic monitoring, analysis and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.

· Providing dedicated OT security training for IT security teams and OT engineers. This is crucial to improve response to new and advanced malicious techniques.

· Providing the security team responsible for protecting industrial control systems with up-to-date threat intelligence. ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and how to mitigate them.

· Using security solutions for OT endpoints and networks such as Kaspersky Industrial CyberSecurity to ensure comprehensive protection for all critical systems.

· Protect the IT infrastructure. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.