Researchers have uncovered a threat actor that targets the email of employees at a range of companies, including staff who work on corporate development, mergers and acquisitions and other large corporate transactions, for what appears to be espionage.
The group, tracked as UNC3524, caught researchers’ attention with a longer-than-average dwell time on victim networks. That persistence is due in part to where it installs its backdoors: opaque network appliances such as SAN arrays, load balancers and wireless access point controllers, which cannot run antivirus or endpoint-protection agents and so sit outside most organizations’ host-based visibility. Victims have been located in the U.S., Germany and Singapore, researchers said.
“The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the ‘advanced’ in Advanced Persistent Threat,” said Mandiant researchers in a Monday analysis.
How the group gains initial access is not known. Once inside a victim network, the attackers deploy a novel backdoor that researchers call QUIETEXIT, built on the open-source Dropbear SSH client/server software, and in some cases a secondary backdoor called REGEORG. Both backdoors can proxy traffic over SOCKS. The actor uses that SOCKS tunnel to run its tooling against the victim environment from its own infrastructure, so the tools leave little trace on the compromised machines themselves.
“Once UNC3524 established a foothold in the network they demonstrated a very low malware footprint and instead relied on built-in Windows protocols,” said researchers. “During our incident response investigations, we traced most accesses to a victim appliance infected with QUIETEXIT. QUIETEXIT supports the full functionality of SSH, and our observation is consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environments.”
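Because the appliances UNC3524 backdoored cannot run endpoint agents, the remaining vantage point for the SOCKS-over-SSH tunnelling described above is network telemetry: an appliance that holds an outbound session open for hours or days to an external host is not behaving like a SAN controller or load balancer. The script below is an added example, not code from the article or from Mandiant. It walks constructed flow records and reports long-lived appliance-to-external sessions; the subnets, the one-hour threshold and the sample flows are assumptions chosen for illustration.

```python
"""
Flag long-lived outbound sessions that originate from network appliances.

Added example, not from the article or from Mandiant. Address ranges,
thresholds and the sample flow records below are assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    duration_s: int  # seconds the session stayed open
    bytes_out: int   # bytes sent from src to dst


# Assumed address plan: appliance management subnet and the internal ranges.
APPLIANCE_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.20.0.5", 443, 2, 1_200),                 # appliance -> internal mgmt, brief
    Flow("10.20.0.11", "198.51.100.7", 443, 86_400, 3_400_000),     # appliance -> external, held open a day
    Flow("10.10.5.40", "203.0.113.9", 443, 7_200, 90_000),          # workstation -> external, long but not an appliance
    Flow("10.20.0.12", "203.0.113.22", 8443, 172_800, 12_000_000),  # appliance -> external, two days
    Flow("10.20.0.12", "10.0.0.20", 22, 30, 4_000),                 # appliance -> internal SSH, brief
]


def in_nets(ip: str, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def flag_long_lived_outbound(flows, min_duration_s: int = 3600):
    """Return appliance -> external flows open at least min_duration_s, longest first."""
    hits = [
        f for f in flows
        if in_nets(f.src, APPLIANCE_NETS)
        and not in_nets(f.dst, INTERNAL_NETS)
        and f.duration_s >= min_duration_s
    ]
    return sorted(hits, key=lambda f: f.duration_s, reverse=True)


def external_time_by_appliance(flows):
    """Total seconds each appliance spent connected to external hosts."""
    totals = {}
    for f in flows:
        if in_nets(f.src, APPLIANCE_NETS) and not in_nets(f.dst, INTERNAL_NETS):
            totals[f.src] = totals.get(f.src, 0) + f.duration_s
    return totals


if __name__ == "__main__":
    for f in flag_long_lived_outbound(SAMPLE_FLOWS):
        hours = f.duration_s // 3600
        print(f"{f.src} -> {f.dst}:{f.dport} open {hours} h, {f.bytes_out} bytes out")
```

The workstation flow is deliberately long-lived and deliberately ignored: the check is scoped to the appliance subnet because that is where a host-based agent cannot help. In practice the destination port is a weak signal (an SSH tunnel can ride on 443 as easily as 22), so the filter keys on session duration and direction rather than on port.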