Chinese APT Earth Baxia targets APAC by exploiting GeoServer flaw
Trend Micro researchers have identified a campaign conducted by the China-linked APT group Earth Baxia, which has targeted government organizations in Taiwan and other Asia-Pacific (APAC) countries.
The threat actors have exploited a recently patched vulnerability in OSGeo GeoServer (CVE-2024-36401), which allows remote code execution (RCE) through unsafe evaluation of XPath expressions.
The vulnerability, rated with a CVSS score of 9.8, impacted GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2.
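For defenders the practical question is which deployments are still affected. The following is an added example, not code from the article, Trend Micro or the GeoServer project: it compares a GeoServer version string against the fixed versions the article lists (2.23.6, 2.24.4, 2.25.2) and flags hosts that need patching. It assumes that release lines older than 2.23 received no fix and are treated as affected, that lines newer than 2.25 are treated as fixed, and the inventory it scans is constructed sample data.

```python
# Added example (not from the original article): flag GeoServer installs whose
# version falls in the range affected by CVE-2024-36401, using the fix
# versions stated in the article (2.23.6, 2.24.4, 2.25.2).
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed patch release for each minor line, as stated in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]'; a trailing qualifier such as '-SNAPSHOT' is dropped."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GeoServer version string: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]  # pad missing patch component
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[line]
    # Assumption: lines older than the oldest fixed line (2.23) got no fix and
    # are affected; lines newer than the newest fixed line (2.25) are fixed.
    return line < min(FIXED_VERSIONS)


def find_unpatched(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames (sorted) whose reported GeoServer version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gis-prod-01.example": "2.25.1",
    "gis-prod-02.example": "2.25.2",
    "gis-legacy.example": "2.22.5",
    "gis-dev.example": "2.24.4-SNAPSHOT",
    "gis-new.example": "2.26.0",
}

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: GeoServer {SAMPLE_INVENTORY[host]} is affected by CVE-2024-36401")
```

Run against a real inventory, the version string should come from the installed package rather than a banner, since a banner can be suppressed or edited; the branch-aware comparison matters because a plain numeric "is it above 2.23.6" test would wrongly clear 2.24.3 and 2.25.1.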
Hacktivist Collective Twelve Disrupts Russian Networks Using Public Tools
A hacktivist group known as Twelve has been conducting cyber attacks against Russian targets using publicly available tools.
Kaspersky notes that Twelve shares infrastructural and tactical similarities with a ransomware group known as DARKSTAR (also referred to as COMET or Shadow), suggesting they may be related or part of the same collective. While Twelve operates with hacktivist motives, DARKSTAR follows the traditional double extortion ransomware model, highlighting the complexity within modern cyber threat groups.
Believed to have formed in April 2023 amid the ongoing Russo-Ukrainian war, Twelve has a history of operations aimed at crippling networks and disrupting business activities. The group also engages in hack-and-leak activities, exfiltrating sensitive information and sharing it on their Telegram channel.
Mandiant Reports UNC1860 Aiding Iranian APTs in Middle Eastern Intrusions
Mandiant researchers have identified an Iran-linked Advanced Persistent Threat (APT) group, designated as UNC1860, operating as an initial access facilitator by providing remote access to target networks across the Middle East.
Linked to Iran’s Ministry of Intelligence and Security (MOIS), UNC1860 specializes in using customized tools and passive backdoors to gain persistent footholds in high-profile networks, particularly within government and telecommunications sectors.