A Chinese state-sponsored group, tracked as Threat Activity Group 22 (TAG-22), was observed to be targeting telecommunications, academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and more historically, Hong Kong.

In its recent activities, the threat group was monitored to be targeting vulnerable GlassFish servers and uses open-source tools to gain initial access and foothold to organizations before deploying customized malware for long-term access and future attacks.

______________________________

A. Nature of Attack

Description of the attack:

The threat group was identified to be exploiting vulnerable GlassFish Server, with software version 3.1.2 and below, and using the compromised systems to conduct lateral movement on the organization’s network. Scanning activities will then be conducted using web application scanning tool (Acunetix) and deployment of offensive security tool (Cobalt Strike) to gain initial foothold to targeted environments. These systems are likely to be used to deploy malicious software, such asĀ  ShadowPad, Spyder, and Winnti. Subsequently, dedicated attacker-controlled infrastructure will be used for the malware’s command-and-control. These domains were identified to be hosted via Namecheap and Choopa (Vultr) virtual private servers.

______________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Check systems and devices for known vulnerabilities, and if applicable, apply the necessary patches and updates to mitigate from security threat.
    • If using GlassFish server running version 3.1.2 and below is deployed, it is highly advised to update to the latest stable version.
  • It is highly advised to check for any indicators of compromise, such as suspicious files and unusual external communication. (Please see details below for reference.)
  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
  • Secure and ensure backups of critical data are always available and can be deployed, if an incident will occur.

______________________________

C. List of Indicators of Compromise (IOC)

Item TypeIndicator TypeIndication value
MalwareSha256C2df9f77b7c823543a0528a28de3ca7acb2b1d587789abfe40f799282c279f7d
MalwareSha2562af96606c285542cb970d50d4740233d2cddf3e0fe165d1989afa29636ea11db
Command-and-ControlIP Addresss139.180.141[.]227
Command-and-ControlURLvt.livehost[.]live
HTTP Request/ POSTURI/windebug/updcheck.php
HTTP Request/ POSTURI/aircanada/dark.php
HTTP Request/ POSTURI/aero2/fly.php
HTTP Request/ POSTURI/windowsxp/updcheck.php
HTTP Request/ POSTURI/hello/flash.php
HTTP Request/ GETURI/updates