China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs
A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.
Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.