A cyberespionage group has targeted government agencies and big-name corporations throughout Asia since at least 2020, using the notorious ProxyShell vulnerabilities in Microsoft Exchange to gain initial access.
According to ESET, the crew it has dubbed Worok may be associated with TA428, a similar group, thought to be backed by China, that has been active since 2019.
Threat intelligence researchers with the cybersecurity software vendor saw activity from a range of advanced persistent threat (APT) groups in early 2021, after the disclosure of the ProxyShell (CVE-2021-34523) vulnerability, and one of those groups showed some similarities to TA428, such as common activity times, targeted verticals, and the use of ShadowPad, a backdoor used in a number of espionage campaigns.
Source: The Register