ProxyLogon critical flaw exploited by Chinese APT gangs


A China-based threat group managed to infiltrate the building automation systems of multiple Asian organisations by abusing the ProxyLogon bug in Microsoft Exchange. After loading a backdoor, the attackers were also seen gaining access to more isolated parts of the infected network.

A group of cybersecurity researchers discovered that the advanced persistent threat (APT) group targets devices that are unpatched against the critical vulnerability CVE-2021-26855. This flaw is commonly known to researchers and malicious entities as the Microsoft Exchange ProxyLogon bug.
</gra_replace>
<gr_replace lines="11" cat="clarify" orig="The challenging part">
The challenging part for the researchers is that the targeted systems may hold confidential information and can serve as a pivot point for infecting other parts of the infrastructure. The infrastructure most commonly affected in this way is the information security systems themselves.

Building automation systems are usually a rare target among advanced persistent threat groups.

The challenging part for the researchers is that the targeted systems may contain confidential information and could be multiplied to infect other areas of infrastructure. The most common impacted infrastructure is the information security systems.

Based on reports, the adversaries have numerous potential victims to choose from: a vulnerability research institute revealed that more than 46 thousand servers were still unpatched against the ProxyLogon flaw last year.

The ProxyLogon flaw has attracted numerous threat groups, especially Chinese-speaking ones.

The campaigns using the ProxyLogon vulnerability were initiated by several malicious entities in March last year. Since then, the researchers have seen a surge of Chinese threat groups that constantly find new ways to exploit the flaw. In addition, the researchers found that some Chinese actors used the backdoor known as ShadowPad.

The backdoor impersonated legitimate software and was seen on the industrial control systems of a telecom company in Pakistan. In that instance, the adversary deployed malware and tools including credential-stealing scripts, a Cobalt Strike beacon, web shells, PlugX and the open-source nextnet scanner.

The researchers also connected the attack campaign with another China-based APT group called Hafnium, which is notorious for using Exchange ProxyLogon exploits.

As of now, the Chinese state-sponsored APT group is actively seeking sensitive or valuable data. Cybersecurity experts expect the advanced persistent threat group to attack again and to look for new targets.

Organisations should encrypt their sensitive information and implement intelligent access control to protect their data. Keeping these controls in place, alongside patching against ProxyLogon, should be a top priority for every entity that wants to reduce its exposure to such attacks.
