A Chinese state-sponsored group, tracked as Threat Activity Group 22 (TAG-22), was observed to be targeting telecommunications, academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and more historically, Hong Kong.
In its recent activities, the threat group was monitored to be targeting vulnerable GlassFish servers and uses open-source tools to gain initial access and foothold to organizations before deploying customized malware for long-term access and future attacks.
______________________________
A. Nature of Attack
Description of the attack:
The threat group was identified to be exploiting vulnerable GlassFish Server, with software version 3.1.2 and below, and using the compromised systems to conduct lateral movement on the organization’s network. Scanning activities will then be conducted using web application scanning tool (Acunetix) and deployment of offensive security tool (Cobalt Strike) to gain initial foothold to targeted environments. These systems are likely to be used to deploy malicious software, such as ShadowPad, Spyder, and Winnti. Subsequently, dedicated attacker-controlled infrastructure will be used for the malware’s command-and-control. These domains were identified to be hosted via Namecheap and Choopa (Vultr) virtual private servers.
______________________________
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Check systems and devices for known vulnerabilities, and if applicable, apply the necessary patches and updates to mitigate from security threat.
- If using GlassFish server running version 3.1.2 and below is deployed, it is highly advised to update to the latest stable version.
- It is highly advised to check for any indicators of compromise, such as suspicious files and unusual external communication. (Please see details below for reference.)
- Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
- Secure and ensure backups of critical data are always available and can be deployed, if an incident will occur.
______________________________
C. List of Indicators of Compromise (IOC)
| Item Type | Indicator Type | Indication value |
| Malware | Sha256 | C2df9f77b7c823543a0528a28de3ca7acb2b1d587789abfe40f799282c279f7d |
| Malware | Sha256 | 2af96606c285542cb970d50d4740233d2cddf3e0fe165d1989afa29636ea11db |
| Command-and-Control | IP Addresss | 139.180.141[.]227 |
| Command-and-Control | URL | vt.livehost[.]live |
| HTTP Request/ POST | URI | /windebug/updcheck.php |
| HTTP Request/ POST | URI | /aircanada/dark.php |
| HTTP Request/ POST | URI | /aero2/fly.php |
| HTTP Request/ POST | URI | /windowsxp/updcheck.php |
| HTTP Request/ POST | URI | /hello/flash.php |
| HTTP Request/ GET | URI | /updates |