A cyber threat group known as SHADOW-EARTH-053, believed to be aligned with China, has been exploiting vulnerabilities in Microsoft Exchange Servers. This group has primarily targeted government and defense-related entities across Asia, leading to significant concerns about cyberespionage activities.
Global Impact and Targeted Regions
Since at least December 2024, SHADOW-EARTH-053 has directed its efforts towards multiple countries. Their targets include government ministries, defense contractors, IT firms, and transportation organizations in South, East, and Southeast Asia. Notably, the group extended its reach to Europe, targeting Poland, thus indicating a broader strategy beyond Asia.
Trend Micro analysts Daniel Lunghi and Lucas Silva have been monitoring these campaigns. They identified connections between SHADOW-EARTH-053’s activities and China’s strategic interests and noted a significant overlap with another group, SHADOW-EARTH-054. Both groups share similar techniques and tools, indicating a coordinated approach.
Exploitation of Known Vulnerabilities
The group’s primary method involves exploiting unpatched vulnerabilities in Microsoft’s Exchange and Internet Information Services (IIS) servers. Notably, they used the ProxyLogon vulnerabilities (CVE-2021-26855 and related issues). Although these are older vulnerabilities, they remain potent wherever systems are left unpatched, risking data breaches and prolonged unauthorized access.
SHADOW-EARTH-053’s attacks have had a profound impact, compromising numerous organizations. Their tactics include installing Exchange server snap-ins to access and export sensitive email data using custom tools. Such methods echo previous cyber operations attributed to Hafnium, a known threat actor.
ShadowPad Malware and Attack Strategies
The group primarily employs ShadowPad malware, a sophisticated implant first used by APT41. The variant used by SHADOW-EARTH-053 lacks some advanced features, suggesting limited access to the latest builder versions. Their deployment strategy involves a three-file loading mechanism leveraging DLL sideloading, with executables signed by reputable vendors to evade detection.
A notable tactic includes using a legitimate Toshiba Bluetooth executable to sideload malicious components. This approach underscores the need for vigilant monitoring of registry activities and executable behavior.
Preventive Measures for Organizations
Organizations with exposed Microsoft Exchange or IIS servers should prioritize applying security patches and updates. When immediate patching isn’t feasible, deploying Intrusion Prevention Systems or Web Application Firewalls can help mitigate exploit attempts.
Implementing strict File Integrity Monitoring on critical directories and limiting IIS process privileges are crucial steps. Organizations should also maintain application whitelisting and monitor for unauthorized binary executions. Alerts for suspicious IIS process activities can act as early warnings of potential breaches.
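As an added example (not code from Trend Micro or this article), the two early-warning checks mentioned above, run over a few constructed telemetry lines: the IIS worker process (w3wp.exe) spawning a shell or scripting host, and a signed host executable loading a system-named DLL from its own directory, the pattern behind the sideloading described earlier. The key=value event format, the sample paths, and the DLL and child-process lists are assumptions chosen for illustration.

```python
import ntpath
import re

# Constructed sample telemetry (not real Sysmon or EDR output): one event per line as key=value pairs.
SAMPLE_EVENTS = [
    r"type=ProcessCreate parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe",
    r"type=ProcessCreate parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe",
    r"type=ImageLoad image=C:\Users\Public\bt\VendorBtTool.exe loaded=C:\Users\Public\bt\version.dll signed=true",
    r"type=ImageLoad image=C:\Windows\System32\svchost.exe loaded=C:\Windows\System32\version.dll signed=true",
]

# Children of the IIS worker process that have no business appearing on a healthy Exchange front end.
SUSPICIOUS_IIS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Directories Windows normally loads system DLLs from; a system DLL name loaded elsewhere is suspect.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Illustrative (assumed) subset of system DLL names that get planted beside a signed host binary.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "wininet.dll", "userenv.dll"}


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect(events: list) -> list:
    """Return (rule_name, line) tuples for every event that trips one of the two rules."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("type") == "ProcessCreate":
            parent = ntpath.basename(ev.get("parent", "")).lower()
            child = ntpath.basename(ev.get("image", "")).lower()
            if parent == "w3wp.exe" and child in SUSPICIOUS_IIS_CHILDREN:
                hits.append(("iis_worker_spawned_shell", line))
        elif ev.get("type") == "ImageLoad":
            exe_dir = ntpath.dirname(ev.get("image", "")).lower()
            dll_path = ev.get("loaded", "").lower()
            dll_dir, dll_name = ntpath.dirname(dll_path), ntpath.basename(dll_path)
            # Sideloading shape: a system DLL name, sitting next to the host executable, outside system dirs.
            if dll_name in SYSTEM_DLL_NAMES and dll_dir == exe_dir and dll_dir not in SYSTEM_DIRS:
                hits.append(("possible_dll_sideload", line))
    return hits


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The DLL-name list is deliberately short; in production it would be generated from an inventory of the system directories rather than hand-written.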
By taking these proactive measures, organizations can better safeguard against the persistent threat posed by groups like SHADOW-EARTH-053.
