A recently discovered and rare Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange emails (on-premises and online) from employees involved in corporate transactions such as mergers and acquisitions.
Mandiant researchers, who discovered the threat actor and are now tracking it as UNC3524, say the group has demonstrated “advanced” capabilities, maintaining access to its victims’ environments for more than 18 months in some cases.
“Once UNC3524 successfully obtained privileged credentials for the victim’s mail environment, it began making Exchange Web Services (EWS) API requests to the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” Mandiant said.
“In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees working on corporate development, mergers and acquisitions, or IT security personnel.”
UNC3524 can persist by deploying a newly discovered backdoor called QUIETEXIT (developed using open source Dropbear SSH software as inspiration) on network devices without support for security monitoring and malware detection tools.
In some attacks, UNC3524 also deployed the reGeorg web shell (a version linked by the NSA to the Russian-sponsored APT28/Fancy Bear group) on DMZ web servers to create a SOCKS tunnel as an alternate access point to their victims’ networks.
By deploying its malware to these devices (for example, wireless access point controllers, SAN arrays, and load balancers), UNC3524 greatly extends the interval between initial access and the time that victims detect its malicious activity and cut off its access.
Even when that happens, though, Mandiant says the threat group “wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign.”
The QUIETEXIT command and control backdoor servers are part of a botnet created by compromising Internet-exposed LifeSize and D-Link IP video conferencing camera systems, likely with default credentials.
After gaining access and deploying its backdoors, UNC3524 obtained privileged credentials for its victims’ mail environment and began targeting on-premises Microsoft Exchange or Microsoft 365 Exchange Online mailboxes via Exchange Web Services (EWS) API requests.
They typically steal all emails received by “executive teams and employees working on corporate development, mergers and acquisitions, or IT security personnel” during a specific date range, instead of selecting emails of interest or using keyword filtering (a tactic also used by the Russian-backed Cozy Bear / APT29).
Since UNC3524 has used tactics and tools previously linked to multiple Russian-backed hacking groups (including APT28 and APT29), Mandiant said attribution is unclear and it cannot link this activity to a specific threat group.