{"id":14404,"date":"2025-07-07T12:24:17","date_gmt":"2025-07-07T12:24:17","guid":{"rendered":"https:\/\/newestek.com\/?p=14404"},"modified":"2025-07-07T12:24:17","modified_gmt":"2025-07-07T12:24:17","slug":"nighteagle-hackers-exploit-microsoft-exchange-flaw-to-spy-on-chinas-strategic-sectors","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14404","title":{"rendered":"NightEagle hackers exploit Microsoft Exchange flaw to spy on China\u2019s strategic sectors"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A previously undocumented Advanced Persistent Threat (APT) group, \u201cNightEagle,\u201d has been found targeting the Chinese government and critical sectors using an unidentified Microsoft Exchange zero-day flaw.<\/p>\n<p>According to a discovery made by RedDrip, the threat intelligence unit of Chinese cybersecurity firm QiAnXin Technology, the threat group has been compromising Microsoft Exchange servers through a sophisticated zero-day exploit chain to steal confidential mailbox data.<\/p>\n<p>\u201cSince 2023, QianXin has been continuously tracking a top APT group which holds an unknown Exchange vulnerability exploitation chain and has a substantial fund to purchase a large amount of network assets, such as VPS servers and domain names,\u201d said RedDrip researchers in a report. 
\u201cThis group has long targeted top companies and institutions in China\u2019s high-tech, chip semiconductor, quantum technology, artificial intelligence, and large language models, military industry, and other fields for cyber attacks.\u201d<\/p>\n<p>Researchers said they named the group NightEagle for its speedy operations and consistent activity during nighttime hours.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Exchange zero-day for IIS hijack<\/h2>\n<p>According to the analysis, NightEagle leverages an unidentified <a href=\"https:\/\/www.csoonline.com\/article\/2117846\/rise-of-zero-day-exploits-reshape-security-recommendations.html\">zero-day<\/a> vulnerability in Microsoft Exchange to harvest the machineKey, enabling unauthorized deserialization and basic shell access. This allows the attackers to implant a .NET loader within Microsoft\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/3820852\/hackers-breach-microsoft-iis-services-using-cityworks-rce-bug.html\">Internet Information Services<\/a> (IIS), enabling remote mailbox access.<\/p>\n<p>\u201cAfter a comprehensive analysis of the attack activities of the NightEagle group, we found that it possesses a complete set of unknown Exchange vulnerability exploitation chain weapons,\u201d the researchers said. \u201cHowever, at present, we have only obtained the process in which attackers obtain the key through unknown means and then steal Exchange data.\u201d<\/p>\n<p>The accessed machineKey is crucial in .NET and ASP.NET applications like Exchange, used to sign and validate authentication tokens, cookies, and encrypted data. Once they had the machine key, the attackers sent a crafted payload that, when deserialized by the Exchange server, led to remote code execution (RCE).<\/p>\n<p>The RCE was mostly targeted at accessing and exfiltrating mailbox content, possibly including attachments, internal communications and sensitive business correspondence. 
Queries sent to Microsoft for comments on the alleged zero-day exploit went unanswered.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Attackers pursued stealthy persistence<\/h2>\n<p>Following successful exploitation of the zero-day, attackers deploy a modified Go-based version of Chisel, an open-source SOCKS tunneling tool, scheduling it to run every four hours and establish covert tunnels to their C2 servers.<\/p>\n<p>This allowed them to move in and out of the network whenever they wanted, enabling persistence for over a year, even after initial infections were cleaned up.<\/p>\n<p>\u201cWe found through the landing time of the Chisel malware and the attack traffic time saved by the EDR that the attack time was from 9 pm to 6 am Beijing time,\u201d the researchers <a href=\"https:\/\/github.com\/RedDrip7\/NightEagle_Disclose\/blob\/main\/Exclusive%20disclosure%20of%20the%20attack%20activities%20of%20the%20APT%20group%20NightEagle.pdf\">said<\/a>. \u201cThe working hours of this group were very fixed, and they never worked overtime or stole data after work hours. Based on the time zone analysis, we think the group is from a country in North America.\u201d Domain registration by the group suggested that NightEagle\u2019s targets shift in response to geopolitical developments, such as launching attacks on Chinese sectors using large AI models as the country\u2019s AI markets expand, researchers noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A previously undocumented Advanced Persistent Threat (APT) group, \u201cNightEagle,\u201d has been found targeting the Chinese government and critical sectors using an unidentified Microsoft Exchange zero-day flaw. 
According to a discovery made by RedDrip, the threat intelligence unit of Chinese cybersecurity firm QiAnXin Technology, the threat group has been compromising Microsoft Exchange servers through a sophisticated zero-day exploit chain to steal confidential mailbox data. \u201cSince 2023,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14404\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14404","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14404"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14404\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}