A new Advanced Persistent Threat (APT) group has been detected infiltrating corporate networks to collect Exchange (on-premises and online) email from personnel involved in corporate transactions such as mergers and acquisitions. The threat actor, now tracked as UNC3524, was identified by Mandiant researchers, who consider it to have earned the “advanced” label by maintaining access to victims’ environments for over 18 months in some instances.
“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” said Mandiant. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff.”
UNC3524 maintains persistence by installing a recently discovered backdoor known as QUIETEXIT, based on the open-source Dropbear SSH software, on network appliances that lack security monitoring and malware detection capabilities. UNC3524 has also used the reGeorg web shell, a version of which the NSA has connected to the Russian-sponsored APT28/Fancy Bear group, on DMZ web servers to build a SOCKS tunnel as an additional entry point into its victims’ networks.
By placing its malware on appliances such as wireless access point controllers, SAN arrays, and load balancers, UNC3524 considerably prolongs the time between initial access and the point at which victims identify the malicious activity and cut off access. According to Mandiant, even when that happens, the group “wasted no time re-compromising the environment with various mechanisms, immediately restarting their data theft campaign.”
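Because the appliances named above rarely run endpoint agents, their outbound network traffic is one of the few places a backdoor living on them can be observed. The following Python script is an added defender-side example, not code from Mandiant or from the article: it scans constructed flow records for appliance sources reaching external destinations that are not on an allowlist, and flags long-lived or recurring sessions. The appliance inventory, allowlist, IP addresses and flow record format are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of appliances that typically lack EDR coverage.
# The IPs and names are example values, not from the Mandiant report.
APPLIANCES = {
    "10.20.0.5": "san-array-01",
    "10.20.0.9": "load-balancer-01",
    "10.20.0.17": "wlan-controller-01",
}

# Constructed allowlist: external (destination, port) pairs these devices
# legitimately reach, e.g. a vendor update service and an NTP server.
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),
    ("203.0.113.20", 123),
}

# The organisation's internal address space (RFC 1918); anything else is
# treated as external. Documentation ranges such as 203.0.113.0/24 are used
# below as stand-ins for Internet hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: start time, src, dst, dst port, bytes, seconds.
SAMPLE_FLOWS = """\
2022-05-02T01:00:00Z,10.20.0.5,203.0.113.10,443,4096,12
2022-05-02T01:05:00Z,10.20.0.9,198.51.100.77,443,911360,86400
2022-05-02T01:06:00Z,10.20.0.17,10.20.0.1,53,180,1
2022-05-02T02:00:00Z,10.20.0.17,198.51.100.77,443,2048,30
2022-05-02T03:00:00Z,10.20.0.17,198.51.100.77,443,2048,31
2022-05-02T04:00:00Z,10.20.0.17,198.51.100.77,443,2048,29
2022-05-02T04:10:00Z,10.20.0.30,198.51.100.90,443,5000,10
"""


@dataclass
class Flow:
    start: str
    src: str
    dst: str
    dport: int
    nbytes: int
    seconds: int


def parse_flows(text):
    """Parse the simple CSV flow format above into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, dst, dport, nbytes, secs = line.split(",")
        flows.append(Flow(start, src, dst, int(dport), int(nbytes), int(secs)))
    return flows


def is_external(ip):
    """True if the address is outside the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_egress(flows, long_lived_seconds=3600, recurring_threshold=3):
    """Group non-allowlisted external flows from appliances and explain why
    each group is suspicious (long-lived session, recurring connections, or
    simply an unexpected destination)."""
    groups = defaultdict(list)
    for f in flows:
        if f.src not in APPLIANCES or not is_external(f.dst):
            continue
        if (f.dst, f.dport) in ALLOWED_EGRESS:
            continue
        groups[(f.src, f.dst, f.dport)].append(f)

    alerts = []
    for (src, dst, dport), fs in sorted(groups.items()):
        reasons = []
        if max(f.seconds for f in fs) >= long_lived_seconds:
            reasons.append("long-lived session")
        if len(fs) >= recurring_threshold:
            reasons.append("recurring beacon-like connections")
        if not reasons:
            reasons.append("unexpected external destination")
        alerts.append({
            "device": APPLIANCES[src], "src": src, "dst": dst, "dport": dport,
            "flows": len(fs), "bytes": sum(f.nbytes for f in fs),
            "max_seconds": max(f.seconds for f in fs), "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_egress(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The workstation flow on the last sample line is ignored on purpose: the check is scoped to devices that cannot host an endpoint agent, where a flow export or firewall log is the only telemetry available. In a real deployment the allowlist would be generated from the vendor's documented update and licensing endpoints rather than typed by hand.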
The QUIETEXIT backdoor’s command-and-control servers are part of a botnet built by compromising Internet-connected LifeSize and D-Link IP videoconferencing camera systems using default credentials. After gaining access and deploying its backdoors, UNC3524 obtained privileged credentials to its victims’ mail environment and began targeting on-premises Microsoft Exchange or Microsoft 365 Exchange Online mailboxes using Exchange Web Services (EWS) API queries.
Rather than identifying emails of interest or using keyword filtering (as Russian-backed Cozy Bear/APT29 does), the group frequently takes every email received by “executive teams and personnel who work in corporate growth, mergers and acquisitions, or IT security professionals” over a specific date range. Although UNC3524 has been linked to various Russian-backed hacking groups (including APT28 and APT29), Mandiant considers attribution ambiguous and not currently possible.
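The collection pattern described above, one privileged account reading many sensitive mailboxes through EWS within a short period, is something a defender can hunt for in mailbox audit logs. The following Python is an added example, not code from Mandiant or from the article; the audit record format, account names, source IPs, thresholds and watchlist of sensitive mailboxes are constructed assumptions, modelled loosely on the fields a mailbox-access audit event carries rather than on any specific product schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of mailboxes matching the roles the article names:
# executives, corporate development / M&A, and security staff.
SENSITIVE_MAILBOXES = {
    "ceo@corp.example", "cfo@corp.example",
    "mna-lead@corp.example", "ciso@corp.example",
}

# Constructed audit records (JSON lines). "actor" is the account performing
# the access, "mailbox" the mailbox read, "client" the access protocol/app,
# "items" the number of items accessed in that event.
SAMPLE_AUDIT = """\
{"time":"2022-04-28T02:10:00Z","actor":"svc-backup@corp.example","mailbox":"ceo@corp.example","client":"EWS","items":1450,"ip":"198.51.100.77"}
{"time":"2022-04-28T02:12:00Z","actor":"svc-backup@corp.example","mailbox":"cfo@corp.example","client":"EWS","items":980,"ip":"198.51.100.77"}
{"time":"2022-04-28T02:15:00Z","actor":"svc-backup@corp.example","mailbox":"mna-lead@corp.example","client":"EWS","items":2210,"ip":"198.51.100.77"}
{"time":"2022-04-28T02:20:00Z","actor":"svc-backup@corp.example","mailbox":"ciso@corp.example","client":"EWS","items":760,"ip":"198.51.100.77"}
{"time":"2022-04-28T09:00:00Z","actor":"alice@corp.example","mailbox":"alice@corp.example","client":"Outlook","items":40,"ip":"10.20.5.12"}
{"time":"2022-04-28T09:05:00Z","actor":"alice@corp.example","mailbox":"team-shared@corp.example","client":"Outlook","items":12,"ip":"10.20.5.12"}
{"time":"2022-04-28T10:00:00Z","actor":"helpdesk@corp.example","mailbox":"bob@corp.example","client":"EWS","items":3,"ip":"10.20.5.40"}
"""


def parse_audit(text):
    """Parse JSON-lines audit records, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_bulk_ews_collection(events, window=timedelta(hours=1),
                               min_mailboxes=3, min_items=500):
    """Flag actors that, via EWS, read at least `min_mailboxes` distinct
    mailboxes other than their own within `window`, totalling at least
    `min_items` items. A sliding window over each actor's events finds the
    window with the most distinct mailboxes; one alert per actor."""
    by_actor = defaultdict(list)
    for e in events:
        if e["client"] == "EWS" and e["mailbox"] != e["actor"]:
            by_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in sorted(by_actor.items()):
        evs.sort(key=lambda e: e["time"])
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            mailboxes = {e["mailbox"] for e in span}
            if best is None or len(mailboxes) > len(best["mailboxes"]):
                best = {"mailboxes": mailboxes, "span": span}
        if len(best["mailboxes"]) < min_mailboxes:
            continue
        items = sum(e["items"] for e in best["span"])
        if items < min_items:
            continue
        alerts.append({
            "actor": actor,
            "mailbox_count": len(best["mailboxes"]),
            "sensitive_mailboxes": sorted(best["mailboxes"] & SENSITIVE_MAILBOXES),
            "items": items,
            "source_ips": sorted({e["ip"] for e in best["span"]}),
            "first_seen": best["span"][0]["time"].isoformat(),
            "last_seen": best["span"][-1]["time"].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_ews_collection(parse_audit(SAMPLE_AUDIT)):
        print(json.dumps(alert, indent=2))
```

Legitimate EWS consumers (backup agents, archiving, migration tools) will also read many mailboxes, so the value of the check comes from pairing it with the watchlist and the source IP: a service account touching only executive and M&A mailboxes from an address outside its usual range is the combination worth a ticket, not EWS volume alone.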