Researchers have uncovered a threat actor that is targeting the emails of employees at various companies - including ones that focus on corporate development, mergers and acquisitions and large corporate transactions - for suspected espionage purposes.
The group, UNC3524, turned researchers’ heads by having a longer-than-average dwell time on victim networks, due in part to the group’s installation of backdoors on opaque network appliances like SAN arrays, load balancers and wireless access point controllers that do not support security tools like antivirus or endpoint protection. Victims have been located in the U.S., Germany and Singapore, said researchers.
“The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the ‘advanced’ in Advanced Persistent Threat,” said Mandiant researchers in a Monday analysis.
It is unknown how the group gains initial access. Once attackers access the victim networks, they deploy a novel backdoor (which researchers call QUIETEXIT), based on the open-source Dropbear SSH client-server software, and in some cases a secondary backdoor (called REGEORG). Both of these backdoors support the proxying of traffic via SOCKS, and the threat actor establishes a SOCKS tunnel in order to execute tools to steal data from the computer without a trace.
“Once UNC3524 established a foothold in the network they demonstrated a very low malware footprint and instead relied on built-in Windows protocols,” said researchers. “During our incident response investigations, we traced most accesses to a victim appliance infected with QUIETEXIT. QUIETEXIT supports the full functionality of SSH, and our observation is consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environments.”
After obtaining privileged credentials for the victim’s mail environment, the attackers made Exchange Web Services (EWS) API requests to the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environments, said researchers.
“The methods that UNC3524 used to authenticate to the Exchange infrastructure evolved throughout the course of the intrusions; this may be a result of them periodically losing access due to the natural changes in corporate infrastructure or simply updating their tactics,” said researchers. “They authenticated to Exchange using the username and password of targeted accounts, using accounts holding ApplicationImpersonation rights, or using Service Principal credentials.”
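As an added example (not code from the article or from Mandiant’s report), the following Python triages constructed mailbox audit records for the three access patterns described above: EWS requests to a mailbox made by a non-owner account (consistent with ApplicationImpersonation), by a service principal, or with the owner’s own credentials from a client that is reading several mailboxes. The record field names are a simplified, assumed form of Exchange mailbox-audit entries, and the sample log is constructed.

```python
import json

# Constructed sample records (not real telemetry). Field names are a
# simplified, assumed form of Exchange mailbox-audit log entries.
SAMPLE_AUDIT_LOG = """
{"Operation":"MailItemsAccessed","LogonType":"Owner","MailboxOwnerUPN":"cfo@example.test","UserId":"cfo@example.test","ClientInfoString":"Client=OWA;Browser","ClientIP":"10.0.5.20"}
{"Operation":"MailItemsAccessed","LogonType":"Admin","MailboxOwnerUPN":"cfo@example.test","UserId":"svc-backup@example.test","ClientInfoString":"Client=WebServices;ExchangeServicesClient","ClientIP":"10.0.9.77"}
{"Operation":"MailItemsAccessed","LogonType":"Owner","MailboxOwnerUPN":"m-a-lead@example.test","UserId":"m-a-lead@example.test","ClientInfoString":"Client=WebServices;ExchangeServicesClient","ClientIP":"10.0.9.77"}
{"Operation":"MailItemsAccessed","LogonType":"Admin","MailboxOwnerUPN":"m-a-lead@example.test","UserId":"ServicePrincipal","AppId":"00000000-0000-0000-0000-000000000001","ClientInfoString":"Client=WebServices;AppOnly","ClientIP":"10.0.9.77"}
"""

def parse_audit_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_ews(record):
    # EWS clients identify themselves with this prefix in the client string.
    return record.get("ClientInfoString", "").startswith("Client=WebServices")

def flag_record(record):
    """Reason string for an EWS access that was not made by the mailbox owner
    with their own identity, else None."""
    if not is_ews(record):
        return None
    owner = record.get("MailboxOwnerUPN", "").lower()
    actor = record.get("UserId", "").lower()
    if record.get("AppId") or actor == "serviceprincipal":
        return "ews-service-principal"      # app-only / service principal credentials
    if actor != owner:
        return "ews-non-owner"              # delegated or impersonated access
    return None

def triage(text):
    """(reason, mailbox, actor, client_ip) for every flagged record."""
    return [(flag_record(r), r["MailboxOwnerUPN"], r["UserId"], r["ClientIP"])
            for r in parse_audit_log(text) if flag_record(r)]

def ews_fan_out(text, threshold=2):
    """Client IPs that read `threshold` or more distinct mailboxes over EWS,
    however they authenticated. Owner-credential access looks legitimate
    per record, so one client touching many inboxes is the signal to chase."""
    seen = {}
    for r in parse_audit_log(text):
        if is_ews(r):
            seen.setdefault(r.get("ClientIP"), set()).add(r.get("MailboxOwnerUPN"))
    return {ip: sorted(boxes) for ip, boxes in seen.items() if len(boxes) >= threshold}
```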
Interestingly, the network appliances targeted by attackers typically run older versions of BSD or CentOS and it would require a substantial amount of planning for attackers to compile functional malware for them, said researchers. However, that planning apparently paid off: By targeting these devices, the group was able to remain undetected on victim environments for at least 18 months, much longer than the dwell time of 21 days that Mandiant researchers found was the average in 2021.
The threat actor also showed sophisticated operational security, evading detection by operating from devices in victim environments’ “blind spots,” such as servers running uncommon versions of Linux. Researchers also identified the attackers using legacy conference-room camera systems, which appeared to be infected, as their command-and-control (C2) systems.
“UNC3524 also takes persistence seriously,” said researchers. “Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign.”