A cyber-spy group is targeting Microsoft Exchange deployments to steal data related to mergers and acquisitions and large corporate transactions, according to Mandiant.
The infosec giant’s researchers have dubbed the cyber-espionage threat group UNC3524.
And while its techniques overlap with those used by what’s said to be “multiple” Russia-based cyber-spies, including the Kremlin-backed gangs accused of meddling in US elections and hijacking SolarWinds’ software updates, Mandiant says it can’t conclusively link UNC3524 to a previously seen advanced persistent threat group.
The cyber gang’s focus on corporate deals and M&A seems to point to a financial motivation for their misdeeds. However, “their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021” indicates espionage, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler Mclellan and Chris Gardner wrote in an analysis of UNC3524’s tools, tactics and procedures.
“Part of the group’s success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as anti-virus or endpoint protection,” they explained.
The criminals put the “advanced” in advanced persistent threat group, they added, citing the group’s high level of operational security, low malware footprint, evasive skills, and having a large Internet-of-Things botnet army at its disposal.
Plus, each time a victim removed the intruders’ access, UNC3524 quickly found a way to break back into the organization’s network and “immediately” restarted stealing data.
Making a ‘quietexit’
In the analysis, Mandiant’s team detailed how the snoops deployed a novel backdoor that the threat hunters dubbed Quietexit; we’re told it is based on the open-source Dropbear SSH client-server software.
The threat researchers noted they don’t know how the crew gained initial access, though once they had broken in, they deployed the backdoor on opaque network appliances, such as SAN arrays, load balancers, and wireless access point controllers. These types of devices don’t typically support security tools, such as antivirus or endpoint detection products, which allowed UNC3524 to remain undetected for at least 18 months.
In some cases, the Quietexit binary was renamed to resemble a legitimate file already on the system. Once running, the malware attempts to connect to a hard-coded command and control (C2) address, and Mandiant noted that the criminals also tend to use C2 domains that blend in with legitimate traffic.
For example: if the malware infected a load balancer, the gang used C2 domains that contained a string that could relate to the device vendor and OS name. “This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear as legitimate to anyone that might scroll through DNS or session logs,” the researchers noted.
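That naming trick cuts both ways: an appliance that suddenly resolves a hostname carrying its own vendor or OS name, under a registrable domain the vendor does not own, is exactly the anomaly an analyst can hunt for. The script below is an added example written for this article, not code from Mandiant’s report or from UNC3524’s tooling. The DNS log format, the appliance inventory, the vendor allowlist and every hostname in it are constructed; a real hunt would pull the inventory from an asset database and use the Public Suffix List rather than “last two labels” to find the registrable domain.

```python
"""Hunt for C2 hostnames that borrow an appliance's vendor or OS name.

Added example. The log format, inventory, allowlist and hostnames are
constructed for illustration and are not from the article or the report.
"""
import re
from dataclasses import dataclass

# Constructed inventory: appliance IP -> role and the vendor/OS strings an
# attacker might reuse in a look-alike C2 domain.
APPLIANCE_INVENTORY = {
    "10.0.5.20": {"role": "load balancer", "keywords": ["acmelb", "lbos"]},
    "10.0.7.8": {"role": "wireless controller", "keywords": ["wavectl", "airos"]},
}

# Constructed allowlist: registrable domains the vendors genuinely use.
VENDOR_DOMAINS = {"acmelb.example", "wavectl.example"}

# Constructed log format: "<timestamp> <source IP> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    role: str
    qname: str
    keyword: str


def registrable_domain(qname: str) -> str:
    """Return the last two labels of a name (e.g. 'c.example' for 'a.b.c.example.').

    Simplification: a production hunt should consult the Public Suffix List so
    that names under suffixes such as 'co.uk' are handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def hunt(log_lines):
    """Flag appliance-sourced queries whose name contains one of that
    appliance's vendor/OS keywords but is not under a known vendor domain."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than crash the hunt
        src = m["src"]
        qname = m["qname"].lower().rstrip(".")
        asset = APPLIANCE_INVENTORY.get(src)
        if asset is None:
            continue  # only queries from known appliances are in scope
        if registrable_domain(qname) in VENDOR_DOMAINS:
            continue  # genuine vendor infrastructure, not a look-alike
        for kw in asset["keywords"]:
            if kw in qname:
                findings.append(Finding(m["ts"], src, asset["role"], qname, kw))
                break
    return findings


# Constructed sample DNS log lines.
SAMPLE_LOG = [
    "2022-04-01T03:12:09Z 10.0.5.20 query update.acmelb.example.",
    "2022-04-01T03:12:11Z 10.0.5.20 query acmelb-lbos-sync.cdn-status.example.",
    "2022-04-01T03:13:00Z 10.0.7.8 query airos-fw.wavectl.example.",
    "2022-04-01T03:13:40Z 10.0.7.8 query airos.telemetry-relay.example.",
    "2022-04-01T03:14:02Z 192.168.1.50 query acmelb.evil.example.",
    "not a dns log line",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} ({f.role}) -> {f.qname}  [matched '{f.keyword}']")
```

Only the two look-alike names survive: the legitimate vendor hostnames are allowlisted by registrable domain, and the workstation query is ignored because the technique only matters when the source is an appliance that cannot run endpoint tooling.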
UNC3524 sometimes used a secondary backdoor to regain access: a ReGeorg web shell on a DMZ web server that created a SOCKS proxy into the network.
However, they only used the web shell when the Quietexit backdoors stopped working, and they always used an obscure, “heavily obfuscated” version of ReGeorg that the NSA has linked [PDF] to APT28, also called Fancy Bear, a gang sponsored by Russia’s GRU military intelligence service.
After deploying backdoors, UNC3524 obtained privileged credentials for the victim’s email environment, and then began making Exchange Web Services (EWS) API requests to either Microsoft Exchange or Microsoft 365 Exchange Online.
The gang specifically targets the mailboxes of executive teams and of employees working in corporate development, M&A, or IT security, although Mandiant noted that the interest in IT security staff was likely a way to check whether the data-theft operation had been detected.
Additionally, the methods that UNC3524 used for EWS impersonation and for adding credentials to service principals (SPNs) are similar to those used by Russian cyber-espionage gangs including APT29/Cozy Bear, the group behind the SolarWinds supply-chain compromise disclosed in late 2020. ®