Cyberspies breach networks via IP cameras to steal Exchange emails (Security News, May 2022)
A newly discovered and uncommonly stealthy Advanced Persistent Threat group is breaching corporate networks to steal Exchange emails from employees involved in corporate transactions such as mergers and acquisitions.
"Once UNC3524 successfully obtained privileged credentials to the victim's mail environment, they began making Exchange Web Services API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment," Mandiant said.
The group's command-and-control servers also sit on its initial points of access into victims' environments: Internet-exposed LifeSize and D-Link IP videoconferencing camera systems, most likely compromised through default credentials.
In some attacks, UNC3524 has also deployed the reGeorg web shell on DMZ web servers to create a SOCKS tunnel as an alternate access point into its victims' networks.
After gaining access and deploying its backdoors, UNC3524 obtained privileged credentials to its victims' mail environment and began targeting on-premises Microsoft Exchange or Microsoft 365 Exchange Online mailboxes via Exchange Web Services API requests.
The group typically steals all emails received by "Executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff" over a specific date range, rather than selecting individual emails of interest or using keyword filtering.
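As an added, defender-side example (not code from the original article or from Mandiant): the collection pattern described above, one credential reading many executives' mailboxes through EWS in a short span, can be surfaced from mailbox audit data by a fan-out check. The record format, field names and sample values below are constructed assumptions that only loosely mirror Microsoft 365 "MailItemsAccessed" audit entries, not a verified schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, not a real audit schema).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation IP ranges.
SAMPLE_EVENTS = [
    {"t": "2022-05-02T01:10:00", "actor": "svc-backup@example.com", "owner": "ceo@example.com",
     "ip": "203.0.113.10", "client": "Client=WebServices;ExchangeWebServices/1.0"},
    {"t": "2022-05-02T01:12:00", "actor": "svc-backup@example.com", "owner": "cfo@example.com",
     "ip": "203.0.113.10", "client": "Client=WebServices;ExchangeWebServices/1.0"},
    {"t": "2022-05-02T01:15:00", "actor": "svc-backup@example.com", "owner": "corpdev@example.com",
     "ip": "203.0.113.10", "client": "Client=WebServices;ExchangeWebServices/1.0"},
    {"t": "2022-05-02T01:18:00", "actor": "svc-backup@example.com", "owner": "secops@example.com",
     "ip": "203.0.113.10", "client": "Client=WebServices;ExchangeWebServices/1.0"},
    # Benign: users reading their own mailbox, plus one assistant with a single delegate mailbox.
    {"t": "2022-05-02T08:00:00", "actor": "alice@example.com", "owner": "alice@example.com",
     "ip": "198.51.100.7", "client": "Client=OWA;Action=ViaProxy"},
    {"t": "2022-05-02T08:05:00", "actor": "bob@example.com", "owner": "bob@example.com",
     "ip": "198.51.100.8", "client": "Client=WebServices;Outlook for Mac"},
    {"t": "2022-05-02T08:07:00", "actor": "bob@example.com", "owner": "ceo@example.com",
     "ip": "198.51.100.8", "client": "Client=WebServices;Outlook for Mac"},
]

def ews_mailbox_fanout(events, window=timedelta(hours=1), min_mailboxes=3):
    """Flag (actor, ip) pairs that, via an EWS client, read other people's mailboxes
    belonging to at least `min_mailboxes` distinct owners within any `window`-long span."""
    by_source = defaultdict(list)
    for e in events:
        # Only delegated/impersonated EWS reads matter for this pattern; skip self-access and non-EWS clients.
        if "Client=WebServices" not in e["client"] or e["actor"] == e["owner"]:
            continue
        by_source[(e["actor"], e["ip"])].append((datetime.fromisoformat(e["t"]), e["owner"]))
    alerts = {}
    for source, reads in by_source.items():
        reads.sort()
        lo = 0
        for hi in range(len(reads)):
            while reads[hi][0] - reads[lo][0] > window:  # slide the window forward
                lo += 1
            owners = {owner for _, owner in reads[lo:hi + 1]}
            if len(owners) >= min_mailboxes:
                alerts[source] = sorted(owners)  # fan-out across many mailboxes from one credential
    return alerts

if __name__ == "__main__":
    for (actor, ip), owners in ews_mailbox_fanout(SAMPLE_EVENTS).items():
        print(f"{actor} from {ip} read {len(owners)} mailboxes via EWS: {', '.join(owners)}")
```

In production the threshold and window should be tuned against the organisation's normal delegate usage (shared mailboxes, assistants, archiving services) so that only unexpected fan-out is raised.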