China‑Linked Hackers Exploit Decade‑Old Bugs for Long‑Term Espionage


What happened

Security researchers at Broadcom’s Symantec and Carbon Black teams uncovered an espionage campaign by a China‑linked threat actor. The attackers used a mix of well‑known vulnerabilities (including the CVE‑2021‑44228 ‘Log4j’ flaw, CVE‑2017‑9805 in Apache Struts, and CVE‑2017‑17562 in GoAhead Web Server) to establish persistence inside a U.S. non‑profit network tied to policy‑influence efforts.

Further investigation revealed that the attackers also exploited misconfigured Microsoft IIS servers via exposed ASP.NET machine keys, deploying the backdoor known as TOLLBOOTH (also referred to as HijackServer) along with web shells, rootkits, and remote access tools.

Who is affected

While the initial victim is a U.S. non‑profit organization involved in policy discourse, the wider campaign spans multiple sectors and regions, including India, Latin America, Europe, and the U.S.

The threat actor’s focus on legacy/unpatched vulnerabilities, as well as server-platform misconfigurations, means that any organization still running older software components, especially internet-facing servers, is at an elevated risk.

Why CISOs should care

  1. The campaign demonstrates that old vulnerabilities, some of which are years past their patch date, remain viable attack vectors. The use of Log4j (2021) and even 2017‑era flaws underscores the enduring risk of legacy exposures.
  2. The shift toward persisting stealthily rather than executing rapid, disruptive attacks means adversaries aim for long‑term footholds, expanding from reconnaissance to credential harvesting and domain‑level compromise.
  3. Adversaries are widely leveraging misconfigured services (such as IIS with exposed machine keys), not just zero‑day exploits, so patch management alone isn’t sufficient. Configuration hygiene, monitoring, and segmentation matter.
  4. Given the geopolitical context (China-linked actors, global scope), the risk is not just of data theft but also of influence operations, network compromise, and advanced persistent threat (APT) campaigns. CISOs must treat this as a strategic risk, not just an operational one.

3 Practical Actions

  1. Perform immediate scanning and remediation of legacy vulnerabilities: Identify all internet‑facing servers and components (e.g., Log4j, Struts, GoAhead) and ensure they are patched or isolated. Review the patch backlog for vulnerabilities that have been outstanding for 3 to 5 years.
  2. Audit server configurations and harden critical services: For IIS and similar platforms, verify that no machine keys are exposed, ensure proper segmentation, disable unnecessary services, apply least-privilege controls, and review scheduled tasks for persistence indicators such as anomalous “msbuild.exe” processes or side-loaded DLLs.
  3. Deploy and tune detection for persistence and credential abuse patterns: Monitor for unusual scheduled tasks, DLL sideloading, web‑shell execution, use of tools like Mimikatz or netstat scripts, and anomalous C2 communications. Integrate this into your threat‑hunting playbook, leveraging logs from domain controllers, EDR/endpoint, and network gear to detect lateral movement early.
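
As an added example (not part of the original brief or the researchers' tooling), the following Python code shows a minimal version of the detection logic action 3 calls for: it scans process‑creation records and flags msbuild.exe launched by the Task Scheduler or an IIS worker, and an IIS worker (w3wp.exe) spawning a command shell. The JSON records are constructed for this example; field names follow the Sysmon Event ID 1 convention (Image, ParentImage, ParentCommandLine), which is an assumption about the telemetry source.

```python
"""Flag persistence and web-shell patterns in process-creation records.
Sample records are constructed for this example, not real telemetry."""
import json

# An IIS worker process should never launch a build tool or a shell.
IIS_WORKER = "w3wp.exe"
SHELL_LIKE = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "msbuild.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty if benign)."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    # svchost.exe hosts many services; only the instance hosting the
    # Schedule service (-s Schedule) indicates a scheduled-task launch.
    task_host = parent == "svchost.exe" and "schedule" in parent_cmd
    if image == "msbuild.exe" and (task_host or parent == IIS_WORKER):
        hits.append("msbuild_from_task_or_iis")
    if parent == IIS_WORKER and image in SHELL_LIKE:
        hits.append("iis_worker_spawned_shell")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Run classify over JSON lines; return (line_no, hits) for each match."""
    findings = []
    for n, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if hits := classify(event):
            findings.append((n, hits))
    return findings


SAMPLE_EVENTS = [  # constructed: web shell, task-launched msbuild, two benign
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\inetsrv\w3wp.exe",
     "ParentCommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\VS\devenv.exe", "ParentCommandLine": "devenv.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json"]
```

Running `scan(SAMPLE_LOG)` flags only the first two records; the developer build under devenv.exe and the ordinary svchost.exe launch are left alone, and the malformed line is skipped.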

By proactively targeting the types of legacy exposures and misconfigurations exploited in this campaign, CISOs can reduce their attack surface and enhance detection capabilities before adversaries establish stealthy footholds.