A Chinese state-backed cyberespionage operation gained initial access to the network of a U.S.-based global aerospace engineering company by exploiting one of three unmanaged, internet-exposed IBM AIX servers that still used default Apache Axis administrative credentials, The Register reports.
The AIX server, which could not run the firm's existing security tools, was compromised in March, and the intruders then operated inside the network for roughly four months, according to a report from Binary Defense. Over that period they deployed the AxisInvoker web shell for remote control of the host, harvested Kerberos data, uploaded SSH keys, and exfiltrated network configuration data.
The attackers went on to deploy additional web shells and Cobalt Strike, then pivoted into the firm's Microsoft Windows environment using NTLM relay attacks before Binary Defense's threat detection tooling eventually blocked them, the report said. "And immediately after we had removed them from the environment, another attack set off, which we attributed to the same group trying to get back in through other means," noted Binary Defense Director of Security Research John Dwyer.