Cyber-spies target Microsoft Exchange to steal M&A info

If a network snoop probes like a Kremlin agent, exploits like a Kremlin agent, it might be...


A cyber-spy group is targeting Microsoft Exchange deployments to steal data related to mergers and acquisitions and large corporate transactions, according to Mandiant.

The infosec giant's researchers have dubbed the cyber-espionage threat group UNC3524. 

And while its techniques overlap with those used by what's said to be "multiple" Russia-based cyber-spies, including the Kremlin-backed gangs accused of meddling in US elections and hijacking SolarWinds' software updates, Mandiant says it can't conclusively link UNC3524 to a previously seen advanced persistent threat group.

The cyber gang's focus on corporate deals and M&A seems to point to a financial motivation for its misdeeds. However, "their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021" indicates espionage, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler Mclellan and Chris Gardner wrote in an analysis of UNC3524's tools, tactics and procedures.

"Part of the group's success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as anti-virus or endpoint protection," they explained.

The criminals put the "advanced" in advanced persistent threat group, they added, citing the group's high level of operational security, low malware footprint, evasive skills, and having a large Internet-of-Things botnet army at its disposal.

Plus, each time a victim removed the intruders' access, UNC3524 quickly found a way to break back into the organization's network and "immediately" restarted stealing data.

Making a 'quietexit'

In the analysis, Mandiant's team detailed how the snoops deployed a novel backdoor that the threat hunters dubbed Quietexit; we're told it is based on the open-source Dropbear SSH client-server software. 

The threat researchers noted they don't know how the crew gained initial access, though once they had broken in, they deployed the backdoor on opaque network appliances, such as SAN arrays, load balancers, and wireless access point controllers. These types of devices don't typically support security tools, such as antivirus or endpoint detection products, which allowed UNC3524 to remain undetected for at least 18 months. 

In some cases, Quietexit renamed itself to look like a legitimate file on the system. The malware then attempts to connect to a hard-coded command and control (C2) address, and Mandiant noted that the criminals also tend to use C2 domains that blend in with legitimate traffic. 

For example: if the malware infected a load balancer, the gang used C2 domains that contained a string that could relate to the device vendor and OS name. "This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear as legitimate to anyone that might scroll through DNS or session logs," the researchers noted.
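The two behaviours described above (backdoors on appliances that cannot run endpoint tools, and C2 domains that mimic the appliance vendor) give defenders a concrete hunting rule: those appliances should almost never open outbound sessions, and any destination that merely contains the vendor name but is not on the approved vendor-host list deserves a look. The following Python is an added illustration, not Mandiant's tooling; the appliance inventory, allowlist, log format and log lines are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed inventory of "opaque" appliances: IP -> (role, vendor name
# expected in legitimate vendor hostnames). Example values, not real devices.
APPLIANCES = {
    "10.0.5.10": ("load balancer", "examplelb"),
    "10.0.5.20": ("SAN array", "examplesan"),
    "10.0.5.30": ("wireless controller", "examplewlc"),
}
# Constructed allowlist of hosts an appliance legitimately reaches (updates, licensing).
ALLOWED_HOSTS = {"updates.examplelb.com", "license.examplesan.com", "cloud.examplewlc.com"}

Finding = namedtuple("Finding", "src role dst reason")
# Assumed session-log line format: "<timestamp> <src_ip> -> <dst_host>:<port>"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\S+):(\d+)$")


def analyze(lines):
    """Return a Finding for every outbound session an appliance opened to a
    destination that is not on its vendor allowlist. Sessions from non-appliance
    hosts are ignored; this rule is only about devices that cannot run EDR."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        _ts, src, dst, _port = m.groups()
        if src not in APPLIANCES:
            continue
        role, vendor = APPLIANCES[src]
        if dst in ALLOWED_HOSTS:
            continue
        if vendor in dst.lower():
            # Looks like the vendor, but is not an approved vendor host: exactly the
            # blending-in pattern the article describes.
            reason = "outbound to vendor-lookalike host not on allowlist"
        else:
            reason = "unexpected outbound session from appliance"
        findings.append(Finding(src, role, dst, reason))
    return findings


# Constructed sample log (not real traffic): two benign vendor sessions, one
# lookalike domain from the load balancer, one raw-IP session from the SAN.
SAMPLE_LOG = [
    "2022-05-02T10:00:01 10.0.5.10 -> updates.examplelb.com:443",
    "2022-05-02T10:00:05 10.0.5.10 -> examplelb-support.net:443",
    "2022-05-02T10:01:00 10.0.7.50 -> www.example.org:443",
    "2022-05-02T10:02:00 10.0.5.20 -> 203.0.113.7:8443",
    "2022-05-02T10:03:00 10.0.5.30 -> cloud.examplewlc.com:443",
]
```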

UNC3524 sometimes used a secondary backdoor to gain access: a ReGeorg web shell on a DMZ web server that created a SOCKS proxy.

However, they only used the web shell when the Quietexit backdoors stopped working, and they always used an obscure, "heavily obfuscated" version of ReGeorg that the NSA has linked [PDF] to APT28, also called Fancy Bear, a gang sponsored by Russia's GRU military intelligence service.

After deploying backdoors, UNC3524 obtained privileged credentials for the victim's email environment, and then began making Exchange Web Services (EWS) API requests to either Microsoft Exchange or Microsoft 365 Exchange Online. 

The gang specifically targets the mailboxes of executive teams, or those of employees who work in corporate development, M&A, or IT security, although Mandiant noted that the targeting of IT security staff is likely intended to determine whether the data-theft operation has been detected.

Additionally, the methods that UNC3524 used for EWS impersonation and SPN credential addition are also similar to those used by Russian cyber-espionage gangs including APT29/Cozy Bear, which was the group behind the SolarWinds hack in late 2019. ®
