Threat Intelligence

Unmanaged IBM AIX server enabled Chinese compromise of US aerospace firm


A Chinese state-backed cyberespionage operation gained its initial foothold in the network of a U.S.-based global aerospace engineering company by exploiting one of three unmanaged, internet-exposed IBM AIX servers that still used the default Apache Axis admin credentials, The Register reports.

The attackers broke into the AIX server, which was incompatible with the firm's current security tools, in March, and the intrusion ran for the next four months. According to a report from Binary Defense, their activity on the box included injecting the AxisInvoker web shell for remote control, harvesting Kerberos data, uploading SSH keys, and exfiltrating network configuration data.

The Chinese hackers went on to deploy more web shells and Cobalt Strike, then turned to the aerospace engineering firm's Microsoft Windows environment with NTLM relay attacks before Binary Defense's threat detection tools eventually blocked them, the report said. "And immediately after we had removed them from the environment, another attack set off, which we attributed to the same group trying to get back in through other means," noted Binary Defense Director of Security Research John Dwyer.
