A Chinese-speaking threat actor has hacked into the building automation systems (used to control HVAC, fire, and security functions) of several Asian organizations in order to backdoor those systems and use them as a foothold for reaching more tightly secured areas of the victims' networks.
The threat actors had no shortage of potential victims to target, given that the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon flaws one week after Microsoft released the patches.
After breaching engineering computers within their targets' building automation systems, the Chinese attackers were able to pivot to other parts of the victims' infrastructure, including but not limited to their information security systems.
The group’s end goal is unknown, but Kaspersky ICS CERT researchers believe the attackers were most likely hunting for sensitive information, stating “We strongly believe that those systems themselves could be a valuable source of highly confidential information. Additionally, we believe there is a chance that they also provide attackers with a backdoor to other, more strictly secured, infrastructure. We believe that it is highly likely that this threat actor will strike again, and we will find new victims in different countries.”
Patches for the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) are available from Microsoft, and applying them is highly recommended.
In cases where patching is not viable, restricting access to port 443 from outside the organization reduces the exposure of these vulnerabilities to external abuse, although it does not remove the underlying flaws.