A Microsoft Exchange bug made it possible for a Chinese-speaking threat actor to break into the building automation systems of various organisations and from there reach better-protected areas of their networks.
The compromised building automation systems are used to control HVAC, fire and security systems.
Kaspersky researchers observed that the advanced persistent threat (APT) group targeted servers that had not been patched against a known Microsoft Exchange vulnerability, CVE-2021-26855.
The bug is one of the Microsoft Exchange vulnerabilities collectively dubbed ProxyLogon.
This is concerning because the APT group appears to have many potential victims: the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 Exchange servers still vulnerable to the ProxyLogon vulnerabilities.
Once the threat actor has infiltrated the engineering computers within a company's building automation system, it can compromise various parts of the building infrastructure, including information security systems.
The attackers use a ShadowPad backdoor disguised as legitimate software to infiltrate such systems.
“Building automation systems are rare targets for advanced threat actors,” Kaspersky ICS CERT security expert Kirill Kruglov said.
“However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured areas of infrastructures.”
“Since these attacks develop extremely rapidly, they must be detected and mitigated during their very early stages. Thus, our advice is to constantly monitor the mentioned systems, especially in critical sectors,” Kruglov added.