A cyberespionage campaign targeting critical infrastructure across Asia is leveraging compromised web servers to infiltrate targeted organizations’ networks. The attackers are employing the Mimikatz tool to harvest credentials and move laterally through compromised systems.
Critical Infrastructure Targeted Across Asia
Organizations in South, Southeast, and East Asia have been targeted by a cyberespionage campaign exploiting vulnerabilities in internet-exposed web servers. The attacks are focused on sectors considered strategically important, including aviation, energy, telecommunications, technology, public administration, and the pharmaceutical industry.
Researchers at Palo Alto Networks Unit 42 attribute the activity to a relatively undocumented threat group identified as CL-UNK-1068. Analysts believe the primary motivation behind this campaign is long-term espionage, rather than sabotage or financial extortion. The campaign has reportedly been active for several years, focusing on organizations with high strategic value.
Web Server Exploitation for Network Access
The attacks begin with the exploitation of vulnerable web servers accessible on the internet. Once initial access is gained, attackers deploy web shells – malicious scripts that allow for remote control of the server. Researchers have observed attempts to exfiltrate files related to web applications, such as configuration files and libraries used by hosted applications. This stolen information can then be used to discover further vulnerabilities, harvest credentials, or prepare for movement to other systems on the network.
Mimikatz Used for Credential Harvesting
To expand their access, the attackers are also utilizing Mimikatz, a well-known tool within the cybersecurity ecosystem. Originally developed for security testing of Windows environments, Mimikatz is now widely used by attackers to extract passwords and authentication data stored in the memory of Windows systems. This allows them to move laterally within compromised networks. In this campaign, researchers also noted the use of other tools designed to extract sensitive information from system memory and retrieve connection data related to Microsoft SQL Server.
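The two behaviours described above, web-shell activity that reads hosted application files and Mimikatz-style access to LSASS memory, as a defender-side triage script over constructed log samples. This is an added example, not code from the original article or from the Unit 42 research; the log formats, file names and access-mask values are assumptions made for the example.

```python
from collections import Counter

# Constructed IIS-style access log: date time client method uri status.
WEB_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /index.aspx 200
2024-01-01 10:00:07 203.0.113.5 POST /uploads/img.aspx 200
2024-01-01 10:00:09 203.0.113.5 POST /uploads/img.aspx 200
2024-01-01 10:00:12 203.0.113.5 GET /uploads/img.aspx?f=../web.config 200
2024-01-01 10:01:00 198.51.100.9 GET /about.aspx 200
"""
# Constructed Sysmon Event ID 10 (ProcessAccess) records in key=value form.
SYSMON_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\web\\AppData\\Local\\Temp\\m.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\Taskmgr.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1410
"""
# Web application files of the kind the article says were exfiltrated
# (configuration files, libraries); the concrete names are an assumption.
SENSITIVE_WEB_FILES = ("web.config", "appsettings.json", ".dll")
# LSASS access masks commonly associated with Mimikatz in public detection
# rules; an assumption for this example, not taken from the article.
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}

def find_web_shell_candidates(log, min_posts=2):
    """Map URI path -> reasons: repeated POSTs from one client (typical of
    web-shell command traffic) or a query string naming a sensitive file."""
    posts, hits = Counter(), {}
    for line in log.splitlines():
        _, _, client, method, uri, _ = line.split()
        path, _, query = uri.partition("?")
        if method == "POST":
            posts[(client, path)] += 1
            if posts[(client, path)] >= min_posts:
                hits.setdefault(path, set()).add("repeated POSTs from " + client)
        if any(f in query.lower() for f in SENSITIVE_WEB_FILES):
            hits.setdefault(path, set()).add("reads sensitive file via query")
    return hits

def find_lsass_access(log):
    """Return source images that opened lsass.exe with a suspicious access mask."""
    flagged = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventID") != "10":
            continue
        if not fields["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if fields["GrantedAccess"].lower() in SUSPICIOUS_LSASS_ACCESS:
            flagged.append(fields["SourceImage"])
    return flagged
```

Both checks are deliberately narrow; in production the web-file list and access-mask set would be tuned against the environment's own baseline of legitimate LSASS readers (for example EDR agents) and administrative POST endpoints.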
The continued effectiveness of tools like Mimikatz underscores the ongoing challenges organizations face in securing Windows-based systems and protecting sensitive credentials.