China’s ‘Earth Baxia’ Cyber Espionage Group Targets APAC via GeoServer Exploitation

September 23, 2024

A cyber-espionage group linked to China, dubbed 'Earth Baxia', has been attacking government agencies in Taiwan, the Philippine and Japanese military, and energy companies in Vietnam. The group uses spear-phishing and exploits a vulnerability (CVE-2024-36401) in GeoServer, an open-source software used for geospatial data distribution, to compromise its targets. Upon successful infiltration, the group installs either the Cobalt Strike client or a custom backdoor named 'EagleDoor' on the compromised systems.

The group's activities are mainly hosted on public cloud services, and it seems to operate independently from other known advanced persistent threat (APT) groups. However, there have been overlaps found with APT41, also known as Wicked Panda and Brass Typhoon. The majority of Earth Baxia's infrastructure is located in China, and it predominantly targets nations of Chinese national interest.

According to Ted Lee, a threat researcher with Trend Micro, "In recent campaigns, their primary targets are government agencies and other critical infrastructures — [such as] telecommunication — in the APAC region." The group also uses decoy documents related to significant conferences or international meetings to lure victims.

The group's activities align with China's apparent escalation of attacks on governments and companies in the Asia-Pacific region. For instance, Operation Crimson Palace, a consortium of three Chinese APT groups, has successfully compromised over a dozen targets in Southeast Asia, including government agencies. In another case, a Chinese espionage group attempted to compromise systems at the US-Taiwan Business Council using a malicious fake document.

Earth Baxia's attacks primarily use spear-phishing, sending either a file or a link and using regional conferences as a lure. The group targets government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand.

In some instances, the group exploits a known flaw in GeoServer to gain a foothold within an organization. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

After gaining access, the group uses one of two techniques, GrimResource and AppDomainManager injection, to further compromise targeted systems. These techniques allow the group to execute JavaScript on the victim's machine and gain arbitrary code execution.

The compromise leads to the installation of either a custom backdoor known as EagleDoor, or an implant by a pirated version of the red-team tool Cobalt Strike. The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, allowing communication over DNS, HTTP, TCP, and Telegram to exfiltrate data from the victim's system and install additional payloads.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.