{"id":3337,"date":"2024-09-25T16:19:22","date_gmt":"2024-09-25T08:19:22","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=3337"},"modified":"2024-09-25T16:20:23","modified_gmt":"2024-09-25T08:20:23","slug":"%e4%b8%ad%e5%9c%8bapt%e7%b5%84%e7%b9%94-earth-baxia-%e5%88%a9%e7%94%a8-geoserver-%e6%bc%8f%e6%b4%9e%e6%94%bb%e6%93%8a%e4%ba%9e%e5%a4%aa%e5%9c%b0%e5%8d%80%e5%9c%8b%e5%ae%b6","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=3337","title":{"rendered":"\u4e2d\u570bAPT\u7d44\u7e54Earth Baxia\u5229\u7528GeoServer\u6f0f\u6d1e\u653b\u64ca\u4e9e\u592a\u5730\u5340\u570b\u5bb6"},"content":{"rendered":"\n<p>\u4e2d\u570b\u99ed\u5ba2\u7d44\u7e54Earth Baxia\u7684\u653b\u64ca\u76ee\u6a19\u64f4\u53ca\u83f2\u5f8b\u8cd3\u3001\u97d3\u570b\u3001\u8d8a\u5357\u3001\u53f0\u7063\u548c\u6cf0\u570b\u7b49\u5730<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"820\" height=\"480\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/09\/Earth-Baxia-3.jpg\" alt=\"\" class=\"wp-image-3338\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/09\/Earth-Baxia-3.jpg 820w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/09\/Earth-Baxia-3-300x176.jpg 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/09\/Earth-Baxia-3-768x450.jpg 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><figcaption class=\"wp-element-caption\">Photo Credit: SOC Prime<\/figcaption><\/figure>\n\n\n\n<p>\u622a\u81f32024\u5e74\uff0c\u4e2d\u570b\u652f\u6301\u7684\u99ed\u5ba2\u7d44\u7e54\u5df2\u8e8b\u8eab\u570b\u5bb6\u652f\u6301\u7684\u7db2\u8def\u5a01\u8105\u524d\u6bb5\u73ed\u3002\u7d93\u904e\u4e0a\u534a\u5e74\uff0c\u8cc7\u5b89\u7814\u7a76\u4eba\u54e1\u767c\u73fe\u4e86\u4e00\u7cfb\u5217\u7531<a href=\"https:\/\/socprime.com\/blog\/apt40-attacks-detection-peoples-republic-of-china-state-sponsored-hackers-rapidly-exploit-newly-revealed-vulnerabilities-for-cyber-espionage\/\" target=\"_blank\" rel=\"noreferrer noopener\">APT40<\/a>\u3001<a href=\"https:\/\/socprime.com\/blog\/velvet-ant-activity-detection-china-backed-cyber-espionage-group-launches-a-prolonged-attack-using-malware-deployed-on-the-f5-big-ip-devices\/\" target=\"_blank\" rel=\"noreferrer noopener\">Velvet Ant<\/a>\u3001<a href=\"https:\/\/socprime.com\/blog\/unc3886-novel-china-nexus-cyber-espionage-threat-actor-exploits-fortinet-vmware-zero-days-custom-malware-for-long-term-spying\/\" target=\"_blank\" rel=\"noreferrer noopener\">UNC3886<\/a>\u3001<a href=\"https:\/\/socprime.com\/blog\/earth-preta-apt-attack-detection-china-linked-apt-hits-asia-with-doplugs-malware-a-new-plugx-variant\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mustang Panda<\/a>\u7b49\u99ed\u5ba2\u7d44\u7e54\u4e3b\u5c0e\u7684\u9577\u671f\u7db2\u8def\u9593\u8adc\u6d3b\u52d5\u548c\u7834\u58de\u6027\u884c\u52d5\u3002\u9019\u4e9b\u7d44\u7e54\u8d8a\u4f86\u8d8a\u4f9d\u8cf4\u7db2\u8def\u91e3\u9b5a\u653b\u64ca\u548c CVE \u6f0f\u6d1e\u4f86\u6ef2\u900f\u76ee\u6a19\u7db2\u7d61\uff0c\u5c0d\u5168\u7403\u7db2\u8def\u5b89\u5168\u5f62\u6210\u8d8a\u4f86\u8d8a\u5927\u7684\u5a01\u8105\u3002<\/p>\n\n\n\n<p>\u6700\u8fd1\u8da8\u52e2\u79d1\u6280\u7814\u7a76\u4eba\u54e1\u5831\u544a\u63ed\u9732\uff0c\u4e00\u500b\u8207\u4e2d\u570b\u6709\u95dc\u7684 APT \u7d44\u7e54\u300c\u5730\u7403\u5df4\u590f\u300d(Earth Baxia) \u5df2\u7d93\u91dd\u5c0d\u53f0\u7063\u7684\u4e00\u500b\u653f\u5e9c\u6a5f\u69cb\u4ee5\u200b\u200b\u53ca\u4e9e\u592a\u5730\u5340 (APAC) \u7684\u5176\u4ed6\u570b\u5bb6\u767c\u52d5\u4e86\u7db2\u8def\u653b\u64ca\u3002<\/p>\n\n\n\n<p>\u8a72\u99ed\u5ba2\u7d44\u7e54\u4f7f\u7528\u9b5a\u53c9\u5f0f\u7db2\u8def\u91e3\u9b5a\u96fb\u5b50\u90f5\u4ef6\u4e26\u5229\u7528\u6700\u8fd1\u66f4\u65b0\u7684 GeoServer \u6f0f\u6d1e<a href=\"https:\/\/securityaffairs.com\/165812\/security\/cisa-adds-osgeo-geoserver-geotools-bug-to-its-known-exploited-vulnerabilities-catalog.html\">CVE-2024-36401<\/a>\u3002GeoServer \u662f\u4e00\u500b\u958b\u6e90\u4f3a\u670d\u5668\uff0c\u5b83\u5141\u8a31\u4f7f\u7528\u8005\u5171\u4eab\u548c\u7de8\u8f2f\u5730\u7406\u7a7a\u9593\u7684\u8cc7\u6599\u3002<\/p>\n\n\n\n<p>\u7814\u7a76\u4eba\u54e1\u8868\u793a\uff1a\u300c\u6839\u64da\u6536\u96c6\u5230\u7684\u7db2\u8def\u91e3\u9b5a\u96fb\u5b50\u90f5\u4ef6\u3001\u8a98\u990c\u6587\u4ef6\u4ee5\u53ca\u5c0d\u4e8b\u4ef6\u7684\u8abf\u67e5\uff0c\u653b\u64ca\u76ee\u6a19\u4e3b\u8981\u70ba\u83f2\u5f8b\u8cd3\u3001\u97d3\u570b\u3001\u8d8a\u5357\u3001\u53f0\u7063\u548c\u6cf0\u570b\u7b49\u5730\u7684\u653f\u5e9c\u6a5f\u69cb\u3001\u96fb\u4fe1\u516c\u53f8\u548c\u80fd\u6e90\u7522\u696d\u3002\u300d<\/p>\n\n\n\n<p>2024\u5e747 \u6708\uff0c\u7814\u7a76\u4eba\u54e1\u767c\u73fe\u5230\u91dd\u5c0d\u53f0\u7063\u67d0\u653f\u5e9c\u7d44\u7e54\u548c\u5176\u4ed6\u4e9e\u592a\u5730\u5340\u570b\u5bb6\u7684\u6a5f\u69cb\u7684\u53ef\u7591\u6d3b\u52d5\u3002\u7db2\u8def\u653b\u64ca\u8005\u5728\u906d\u4fb5\u5165\u7684\u7cfb\u7d71\u4e0a\u90e8\u7f72\u4e86\u5b9a\u88fd\u7684 Cobalt Strike (\u4e00\u7a2e\u6ef2\u900f\u6e2c\u8a66\u5de5\u5177) \u5143\u4ef6\uff0c\u4e26\u5b89\u88dd\u4e86\u4e00\u652f\u7a31\u70ba EAGLEDOOR \u7684\u65b0\u578b\u5f8c\u9580\u7a0b\u5f0f\uff0c\u9019\u652f\u5f8c\u9580\u7a0b\u5f0f\u4e26\u4e14\u652f\u63f4\u591a\u7a2e\u901a\u8a0a\u5354\u5b9a\u3002<\/p>\n\n\n\n<p>\u7d93\u8abf\u67e5\uff0c\u8cc7\u5b89\u5c08\u5bb6\u767c\u73fe\u6709\u591a\u53f0\u4f3a\u670d\u5668\u662f\u8a17\u7ba1\u65bc\u963f\u91cc\u96f2\u670d\u52d9\u4e0a\u6216\u662f\u4f4d\u65bc\u9999\u6e2f\u5730\u5340\u7684\u3002\u800c\u6709\u4e00\u4e9b\u884c\u52d5\u4e2d\u4f7f\u7528\u7684\u60e1\u610f\u8edf\u9ad4\u5247\u662f\u5f9e\u4e2d\u570b\u4e0a\u50b3\u5230 VirusTotal (\u514d\u8cbb\u7dda\u4e0a\u6383\u6bd2\u7db2\u7ad9) \u7684\u3002<\/p>\n\n\n\n<p>\u5206\u6790\u5176\u591a\u968e\u6bb5\u611f\u67d3\u93c8\u7684\u6d41\u7a0b\uff0c\u767c\u73fe\u5230\u662f\u5229\u7528\u5169\u7a2e\u4e0d\u540c\u7684\u6280\u8853\uff0c\u5305\u62ec\u9b5a\u53c9\u5f0f\u7db2\u8def\u91e3\u9b5a\u96fb\u5b50\u90f5\u4ef6\u548c\u5229\u7528 GeoServer \u7684\u7f3a\u9677\uff08<a href=\"https:\/\/thehackernews.com\/2024\/09\/geoserver-vulnerability-targeted-by.html\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2024-36401<\/a>\uff0cCVSS \u8a55\u5206\uff1a9.8\uff09\uff0c\u6700\u7d42\u76ee\u7684\u662f\u9001\u51faCobalt Strike \u548c\u5148\u524d\u672a\u77e5\u7684\u4ee3\u865fEAGLEDOOR \u7684\u5f8c\u9580\u7a0b\u5f0f\uff0c\u8a72\u7a0b\u5f0f\u5141\u8a31\u8cc7\u8a0a\u6536\u96c6\u548c\u8ca0\u8f09 (payload) \u50b3\u905e\u3002<\/p>\n\n\n\n<p>\u8a72APT \u7d44\u7e54\u4ef0\u8cf4 GrimResource \u548c AppDomainManager \u6ce8\u5165\u653b\u64ca (\u7528\u4f86\u8f09\u5165\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u7684\u6280\u8853) \u4f86\u90e8\u7f72\u984d\u5916\u7684\u8ca0\u8f09\uff0c\u5176\u76ee\u7684\u662f\u964d\u4f4e\u53d7\u5bb3\u8005\u7684\u8b66\u89ba\u5fc3\u4e26\u4e14\u907f\u514d\u88ab\u5075\u6e2c\u5230\u3002<\/p>\n\n\n\n<p>\u6b64\u5916\uff0c\u65e5\u672c\u7db2\u8def\u5b89\u5168\u516c\u53f8 NTT Security Holdings \u6700\u8fd1<a href=\"https:\/\/jp.security.ntt\/tech_blog\/appdomainmanager-injection\" target=\"_blank\" rel=\"noreferrer noopener\">\u8a73\u7d30\u4ecb\u7d39\u4e86\u4e00\u500b\u8207<\/a><a href=\"https:\/\/thehackernews.com\/2024\/08\/apt41-hackers-use-shadowpad-cobalt.html\" target=\"_blank\" rel=\"noreferrer noopener\">APT41<\/a>\u6709\u95dc\u806f\u7684\u99ed\u5ba2\u96c6\u5718\uff0c\u64da\u7a31\u8a72\u96c6\u5718\u4f7f\u7528\u4e86\u76f8\u540c\u7684\u5169\u7a2e\u6280\u8853\u4f86\u91dd\u5c0d\u53f0\u7063\u3001\u83f2\u5f8b\u8cd3\u8ecd\u65b9\u4ee5\u53ca\u8d8a\u5357\u7684\u80fd\u6e90\u6a5f\u69cb\u3002<\/p>\n\n\n\n<p>\u7814\u7a76\u4eba\u54e1\u6307\u51fa\uff1a\u300c\u5730\u7403\u5df4\u590f (Earth Baxia) \u7684\u64da\u9ede\u5f88\u53ef\u80fd\u4f4d\u65bc\u4e2d\u570b\uff0c\u4ed6\u5011\u91dd\u5c0d\u591a\u500b\u4e9e\u592a\u5730\u5340\u570b\u5bb6\u7684\u653f\u5e9c\u548c\u80fd\u6e90\u90e8\u9580\u767c\u52d5\u4e86\u4e00\u7cfb\u5217\u7cbe\u7d30\u8a2d\u8a08\u7684\u653b\u64ca\u884c\u52d5\u3002\u300d<\/p>\n\n\n\n<p>\u300c\u4ed6\u5011\u5229\u7528 GeoServer \u6f0f\u6d1e\u3001\u9b5a\u53c9\u5f0f\u7db2\u8def\u91e3\u9b5a\u548c\u5ba2\u88fd\u5316\u60e1\u610f\u8edf\u9ad4\uff08Cobalt Strike \u548c EAGLEDOOR\uff09\u7b49\u5148\u9032\u6280\u8853\u4f86\u5165\u4fb5\u7cfb\u7d71\u548c\u5916\u6d29\u8cc7\u6599\u3002\u8a72APT \u7d44\u7e54\u5229\u7528\u516c\u6709\u96f2\u670d\u52d9\u4f86\u8a17\u7ba1\u60e1\u610f\u6a94\u6848\u4ee5\u53ca EAGLEDOOR \u7684\u652f\u63f4\u591a\u91cd\u901a\u8a0a\u5354\u5b9a\u7279\u6027\uff0c\u518d\u518d\u51f8\u986f\u4e86\u4ed6\u5011\u884c\u52d5\u7684\u8907\u96dc\u6027\u4ee5\u53ca\u9762\u5c0d\u4e0d\u540c\u5834\u57df\u7684\u61c9\u8b8a\u80fd\u529b\u3002\u300d<\/p>\n\n\n\n<p>EAGLEDOOR\u5f8c\u9580\u7a0b\u5f0f\u5171\u652f\u63f4\u56db\u7a2e\uff0c\u5305\u62ec\u900f\u904e DNS\u3001HTTP\u3001TCP \u548c Telegram \u4f86\u8207 C2 \u4f3a\u670d\u5668\u901a\u8a0a\u7684\u65b9\u6cd5\u3002\u524d\u4e09\u500b\u901a\u8a0a\u5354\u5b9a\u5176\u4e3b\u8981\u7528\u9014\u70ba\u50b3\u9001\u53d7\u5bb3\u8005\u72c0\u614b\uff0c\u4e0d\u904e\u6838\u5fc3\u529f\u80fd\u5247\u662f\u900f\u904e Telegram Bot API (\u7db2\u8def\u6a5f\u5668\u4eba\u61c9\u7528\u7a0b\u5f0f\u4ecb\u9762) \u4f86\u57f7\u884c\u7684\uff0c\u7528\u4ee5\u4e0a\u50b3\u548c\u4e0b\u8f09\u6a94\u6848\uff0c\u4ee5\u53ca\u57f7\u884c\u984d\u5916\u7684\u8ca0\u8f09\u3002\u800c\u7372\u53d6\u5230\u7684\u8cc7\u6599\u5247\u662f\u900f\u904ecurl.exe \u57f7\u884c\u7a0b\u5f0f\u4f86\u6d29\u6f0f\u51fa\u53bb\u3002<\/p>\n\n\n\n<p>Earth Baxia\u7d44\u7e54\u76f8\u95dc\u7684\u90e8\u5206\u7684\u5165\u4fb5\u6307\u6a19\uff08IOCs\uff09:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>9f376a334f9362c6c316a56e2ffd4971<\/td><\/tr><tr><td>e51f2ea5a877e3638457e01bf46a20e1<\/td><\/tr><tr><td>9833566856f924e4a60e4dd6a06bf9859061f4be<\/td><\/tr><tr><td>d9b814f53e82f686d84647b7d390804b331f1583<\/td><\/tr><tr><td>dce0a4c008ea7c02d768bc7fd5a910e79781f925<\/td><\/tr><tr><td>e2b0c45beadff54771a0ad581670a10e76dc4cf1<\/td><\/tr><tr><td>04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e<\/td><\/tr><tr><td>061bcd5b34c7412c46a3acd100167336685a467d2cbcd1c67d183b90d0bf8de7<\/td><\/tr><tr><td>1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee<\/td><\/tr><tr><td>1c26d79a841fdca70e50af712f4072fea2de7faf5875390a2ad6d29a43480458<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4e2d\u570b\u99ed\u5ba2\u7d44\u7e54Earth Baxia\u7684\u653b\u64ca\u76ee\u6a19\u64f4\u53ca\u83f2\u5f8b\u8cd3\u3001\u97d3\u570b\u3001\u8d8a\u5357\u3001\u53f0\u7063\u548c\u6cf0\u570b\u7b49\u5730 \u622a\u81f32024\u5e74\uff0c\u4e2d\u570b\u652f\u6301\u7684 <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=3337\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[183,174],"class_list":["post-3337","post","type-post","status-publish","format-standard","hentry","category-6","tag-iocs","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3337","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3337"}],"version-history":[{"count":2,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3337\/revisions"}],"predecessor-version":[{"id":3340,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3337\/revisions\/3340"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}