SHADOW-EARTH-053 Exploits Microsoft Exchange Vulnerabilities in Asia
Severity: Critical (Score: 80.7)
Sources: Cybersecuritynews, Socprime
Summary
The China-aligned threat group SHADOW-EARTH-053 has been exploiting unpatched Microsoft Exchange and IIS server vulnerabilities, specifically the ProxyLogon vulnerability chain, to conduct cyberespionage. The group has targeted government ministries, defense contractors, and transportation entities across at least eight Asian countries and one NATO member state. Its attack methods include deploying web shells and the ShadowPad malware through DLL sideloading and registry-based payload execution. Tools such as Mimikatz and custom credential theft utilities have been used, with persistence achieved through registry changes and scheduled tasks. The activity highlights the ongoing risk posed by older vulnerabilities when combined with sophisticated post-compromise techniques. Organizations are urged to apply security updates for Microsoft Exchange and IIS, focusing on the ProxyLogon-related CVEs. Detection measures should include monitoring for unauthorized file creation and suspicious scheduled tasks. Immediate action is recommended to block outbound communications to identified malicious IP addresses.
Key Points:
• SHADOW-EARTH-053 exploits ProxyLogon vulnerabilities in Microsoft Exchange and IIS servers.
• Targets include government ministries and defense contractors across Asia and a NATO member state.
• Organizations must apply security updates and monitor for suspicious activities immediately.
Key Entities
- Shadow-earth (apt_group)
- Shadow-Earth-053 (apt_group)
- Data Breach (attack_type)
- Malware (attack_type)
- China (country)
- Government (industry)
- Transportation (industry)
- ShadowPad (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1112 - Modify Registry (mitre_attack)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- Microsoft Exchange Server (platform)
- Evil-CreateDump (tool)
- GOST (tool)
- Mdync.exe (tool)
- Mimikatz (tool)
- Newdcsync (tool)
- ProxyLogon (vulnerability)