Cybersecurity researchers recently uncovered a new attack campaign targeting critical infrastructure organizations across Asia. The activity was analyzed by Palo Alto Networks Unit 42 after suspicious behaviour was observed on several networks. The attackers mainly target sectors such as aviation, energy, telecommunications, government agencies, technology companies, law enforcement, and pharmaceutical organizations. Because these industries run sensitive systems and hold valuable data, they are frequent targets for cyber espionage.

Researchers track this activity under the temporary cluster name CL-UNK-1068, a label for related malicious operations that have not yet been attributed to a known group. The identity of the attackers is still unknown, but their behaviour shows clear signs of cyber espionage. Instead of immediately damaging systems, the attackers focus on quietly collecting sensitive information, which suggests their goal is long-term access and intelligence gathering from the targeted organizations.
The attack usually begins with the exploitation of vulnerabilities in internet-facing web servers. Because web servers host websites and applications that must be reachable from the internet, they are a common initial entry point, and an unpatched or misconfigured server can hand an attacker unauthorized access. Once in, the attackers install a malicious script known as a web shell.
A web shell lets the attackers control the compromised server remotely over ordinary HTTP(S) traffic, typically with the privileges of the web server's worker process (on IIS, the application pool identity). With it they can run commands, upload further tooling, and explore other parts of the network. This gives them a stable foothold inside the organization's systems, from which they begin searching for valuable data and credentials.
After entering the network, the attackers look for sensitive configuration and application files on Windows web servers. Researchers observed them searching for web.config, which can hold database connection strings, machine keys and other authentication details in clear text, and for files with .aspx, .asmx, .asax and .dll extensions, the pages, web services, global handlers and compiled assemblies that make up an ASP.NET application. These files normally live under C:\inetpub\wwwroot, the default IIS web root.
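The two things a defender would check after reading the paragraphs above are whether anything under the web root is not part of the deployed application, and whether any web.config still holds a clear-text database password. The script below is an added example written for this page, not code from Unit 42 or from the report. It builds a constructed fake web root inside a temporary directory (the application name, file names, connection string and placeholder cipher value are all invented for the demonstration), compares script and binary files against a baseline of known hashes, and parses each web.config for unprotected connection strings.

```python
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# File types worth baselining under an IIS web root: a dropped web shell is usually a
# new .aspx/.asmx/.ashx page, and a backdoored application shows up as a changed .dll.
SCRIPT_EXTS = {".aspx", ".asmx", ".asax", ".ashx", ".dll"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_scripts(webroot, baseline):
    """Return web-root-relative paths of script/binary files whose SHA-256 is not the
    one recorded in the deployment baseline (new files and modified files both count)."""
    webroot = Path(webroot)
    findings = []
    for path in webroot.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            rel = path.relative_to(webroot).as_posix()
            if baseline.get(rel) != sha256_of(path):
                findings.append(rel)
    return sorted(findings)


def find_cleartext_connection_strings(webroot):
    """Return (web.config path, connection name) for every connection string that still
    carries a password and whose section is not encrypted (no configProtectionProvider)."""
    webroot = Path(webroot)
    findings = []
    for cfg in sorted(webroot.rglob("web.config")):
        try:
            root = ET.parse(cfg).getroot()
        except ET.ParseError:
            continue
        for section in root.iter("connectionStrings"):
            if section.get("configProtectionProvider"):
                continue  # section was encrypted with aspnet_regiis -pe; nothing readable here
            for add in section.findall("add"):
                if re.search(r"(?i)\b(password|pwd)\s*=", add.get("connectionString", "")):
                    findings.append((cfg.relative_to(webroot).as_posix(), add.get("name")))
    return findings


def build_demo_webroot(base):
    """Construct a small fake wwwroot for this example (sample data, not from any real host)
    and return the baseline hashes a deployment pipeline would have recorded."""
    app = Path(base) / "App"
    app.mkdir(parents=True)
    (app / "Default.aspx").write_text('<%@ Page Language="C#" %>\n<html><body>hello</body></html>\n')
    (app / "web.config").write_text(
        '<?xml version="1.0"?>\n<configuration>\n  <connectionStrings>\n'
        '    <add name="MainDb" providerName="System.Data.SqlClient"\n'
        '         connectionString="Server=db1;Database=app;User Id=app;Password=Example!123"/>\n'
        '  </connectionStrings>\n</configuration>\n')
    secure = Path(base) / "Secure"
    secure.mkdir()
    # Placeholder cipher value: stands in for a section encrypted with aspnet_regiis -pe.
    (secure / "web.config").write_text(
        '<?xml version="1.0"?>\n<configuration>\n'
        '  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">\n'
        '    <EncryptedData><CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwE</CipherValue></CipherData></EncryptedData>\n'
        '  </connectionStrings>\n</configuration>\n')
    # Not part of the deployment: stands in for a web shell dropped after exploitation.
    (app / "c.aspx").write_text('<%@ Page Language="C#" %><% Response.Write("placeholder"); %>\n')
    return {"App/Default.aspx": sha256_of(app / "Default.aspx")}


def run_demo():
    """Build the fake web root, run both checks, and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo_webroot(tmp)
        return find_unexpected_scripts(tmp, baseline), find_cleartext_connection_strings(tmp)


if __name__ == "__main__":
    unexpected, cleartext = run_demo()
    print("unexpected script files:", unexpected)
    print("cleartext connection strings:", cleartext)
```

To use it on a real server, point the functions at the IIS web root and feed them the hashes recorded at deployment time instead of the constructed baseline. Any connection string it reports should be moved into an encrypted section (aspnet_regiis.exe -pe connectionStrings -app /YourApp) or replaced with integrated authentication, since a web shell running as the application pool identity can read web.config exactly as easily as the application can.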
To extract credentials, the attackers rely on several well-known tools. One of the primary ones is Mimikatz, which recovers logon credentials from Windows systems by reading the memory of the Local Security Authority process (lsass.exe), where authentication material for logged-on users is cached. This can yield usernames, password hashes and, depending on how the host is configured, clear-text passwords. Reading LSASS memory requires administrative rights on the host, and protections such as LSA Protection (RunAsPPL) and Credential Guard limit what such a read returns.
Researchers also found evidence of another tool, LsaRecorder, which captures Windows logon credentials by hooking into the authentication functions inside the system. In addition, the attackers used DumpItForLinux together with Volatility: DumpIt acquires a full image of physical memory, and Volatility then carves password data and other authentication material out of that image offline. Working from a memory image rather than a live process is attractive to an attacker because the analysis happens away from the victim host and its endpoint monitoring.
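Mimikatz-style credential theft reads memory out of a running lsass.exe, so it leaves a telemetry trace: a Sysmon Event ID 10 (ProcessAccess) whose target is lsass.exe and whose granted access mask includes PROCESS_VM_READ (0x0010), which is why masks such as 0x1010 and 0x1410 appear in published detection rules. The Python below is an added example for this page, not from the Unit 42 report or from any vendor rule set. It parses Sysmon events rendered as XML and applies that logic to four constructed events (the binary path under the web root, the Defender path and version number, and the access masks are invented for the demonstration). The allowlist of source images is an assumption to tune per environment.

```python
import xml.etree.ElementTree as ET

PROCESS_VM_READ = 0x0010  # the access right any read of LSASS memory needs

# Processes that legitimately open LSASS with read access on a typical host. This is an
# illustrative starting allowlist (an assumption to tune per environment) keyed on image
# name only; a production rule should also check the full path and the binary's signer.
ALLOWED_SOURCE_IMAGES = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe", "\\services.exe")


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("{*}System/{*}EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.find("{*}EventData").findall("{*}Data")}
    return event_id, data


def is_suspicious_lsass_access(event_id, data):
    """Sysmon ID 10 (ProcessAccess) against lsass.exe that obtains PROCESS_VM_READ
    from a source process outside the allowlist."""
    if event_id != 10:
        return False
    if not data.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(data.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    return not data.get("SourceImage", "").lower().endswith(ALLOWED_SOURCE_IMAGES)


def find_lsass_access(events):
    """Run the rule over a list of XML event strings; return (SourceImage, GrantedAccess) hits."""
    hits = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if is_suspicious_lsass_access(event_id, data):
            hits.append((data["SourceImage"], data["GrantedAccess"]))
    return hits


def _event(event_id, **fields):
    """Build a minimal Sysmon-style event for the constructed samples below."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        f"<EventData>{data}</EventData></Event>"
    )


# Constructed sample events (not real telemetry): a system process access without VM_READ,
# an antivirus read that the allowlist accepts, an unknown binary dropped under the web root
# reading LSASS with 0x1010 (QUERY_LIMITED_INFORMATION | VM_READ), and an unrelated target.
SAMPLE_EVENTS = [
    _event(10, SourceImage=r"C:\Windows\System32\csrss.exe",
           TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1400"),
    _event(10, SourceImage=r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2311.5-0\MsMpEng.exe",
           TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    _event(10, SourceImage=r"C:\inetpub\wwwroot\App\bin\m.exe",
           TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    _event(10, SourceImage=r"C:\inetpub\wwwroot\App\bin\m.exe",
           TargetImage=r"C:\Windows\System32\notepad.exe", GrantedAccess="0x1fffff"),
]

if __name__ == "__main__":
    for source, access in find_lsass_access(SAMPLE_EVENTS):
        print(f"suspicious LSASS read: {source} (GrantedAccess={access})")
```

Note what this rule does not see: the DumpItForLinux plus Volatility workflow described above captures a whole memory image and analyses it offline, so no handle to a live LSASS process is ever opened. For that path the controls are preventing unapproved memory acquisition tools (and the kernel drivers they load) from running, and enabling LSA Protection and Credential Guard so that a dump yields less.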
The investigation also revealed that the attackers attempted to retrieve database credentials saved in Microsoft SQL Server Management Studio. They used a password export tool on the file sqlstudio.bin, in which SSMS stores saved connection details. That file is protected with Windows DPAPI under the user account that saved the connections, which keeps other users and offline copies from reading it but does not stop an attacker who is already executing code as that user. With those credentials, the attackers could reach the organization's database servers directly. Researchers believe the attackers may have links to China based on certain technical indicators, although investigations are still ongoing.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news


