Cyber-spies target Microsoft Exchange to steal M&A info
Security News, May 2022
A cyber-spy group is targeting Microsoft Exchange deployments to steal data related to mergers and acquisitions and large corporate transactions, according to Mandiant.
The infosec giant's researchers have dubbed the cyber-espionage threat group UNC3524.
While its techniques overlap with those of multiple Russia-based cyber-espionage groups, including the Kremlin-backed crews accused of meddling in US elections and hijacking SolarWinds' software updates, Mandiant says it cannot conclusively link UNC3524 to any previously seen advanced persistent threat group.
"Their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021" indicates espionage, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler Mclellan and Chris Gardner wrote in an analysis of UNC3524's tools, tactics and procedures.
UNC3524 sometimes used a secondary backdoor to gain access: a ReGeorg web shell on a DMZ web server, which gave the attackers a SOCKS proxy for tunnelling into the internal network.
UNC3524 obtained privileged credentials for the victim's email environment and then began making Exchange Web Services (EWS) API requests against either on-premises Microsoft Exchange or Exchange Online in Microsoft 365.
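The behaviour described above (one privileged principal issuing EWS read requests across many executives' mailboxes) is something an EWS access log can surface. The script below is an added example, not code from The Register, Mandiant or this page: it parses a constructed EWS log in a simplified CSV layout whose column names, the `corp.example` domain, the `DOMAIN\sam` to `sam@corp.example` mapping and the fan-out threshold are all assumptions for illustration, not Exchange's actual EWS log schema. It contrasts two signals: any read of a mailbox other than the caller's own (noisy, because delegates do this legitimately) and fan-out across many distinct mailboxes from one principal and IP (the stronger indicator of the bulk collection described here).

```python
import csv
import io
from collections import defaultdict

# Constructed sample EWS access log. The column set is a simplified layout assumed
# for this example; real Exchange EWS logs have many more columns and different names.
SAMPLE_EWS_LOG = """\
DateTime,AuthenticatedUser,ClientIpAddress,UserAgent,SoapAction,TargetMailbox,HttpStatus
2022-04-20T02:14:05Z,corp\\svc_backup,10.0.9.31,ExchangeServicesClient/15.00.0913.015,FindItem,cfo@corp.example,200
2022-04-20T02:14:06Z,corp\\svc_backup,10.0.9.31,ExchangeServicesClient/15.00.0913.015,GetItem,cfo@corp.example,200
2022-04-20T02:14:09Z,corp\\svc_backup,10.0.9.31,ExchangeServicesClient/15.00.0913.015,FindItem,ceo@corp.example,200
2022-04-20T02:14:12Z,corp\\svc_backup,10.0.9.31,ExchangeServicesClient/15.00.0913.015,FindItem,gc@corp.example,200
2022-04-20T02:14:15Z,corp\\svc_backup,10.0.9.31,ExchangeServicesClient/15.00.0913.015,FindItem,ma-team@corp.example,200
2022-04-20T02:14:18Z,corp\\svc_backup,10.0.9.31,ExchangeServicesClient/15.00.0913.015,FindItem,board@corp.example,200
2022-04-20T09:01:44Z,corp\\alice,10.0.4.77,Microsoft Office/16.0 (Outlook 16.0.14931),GetItem,alice@corp.example,200
2022-04-20T09:02:10Z,corp\\alice,10.0.4.77,Microsoft Office/16.0 (Outlook 16.0.14931),FindItem,alice@corp.example,200
2022-04-20T09:05:33Z,corp\\bob,10.0.4.80,Microsoft Office/16.0 (Outlook 16.0.14931),GetItem,ceo@corp.example,200
"""

# EWS operations that return message content or folder listings (assumed watch-list).
READ_ACTIONS = {"FindItem", "GetItem", "GetAttachment", "SyncFolderItems"}
# Distinct mailboxes one principal may read before we alert; tune per environment (assumption).
MAILBOX_FANOUT_THRESHOLD = 3
# Assumed directory convention: DOMAIN\sam maps to sam@corp.example.
MAIL_DOMAIN = "corp.example"


def parse_ews_log(text):
    """Parse the CSV log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def own_mailbox(principal):
    """Map an authenticated principal to its own primary SMTP address (assumed convention)."""
    sam = principal.split("\\", 1)[-1].lower()
    return f"{sam}@{MAIL_DOMAIN}"


def find_cross_mailbox_reads(rows):
    """Every successful read of a mailbox that is not the caller's own.

    This fires on legitimate delegates too, so it is a triage feed, not an alert.
    """
    hits = []
    for row in rows:
        if row["HttpStatus"] != "200" or row["SoapAction"] not in READ_ACTIONS:
            continue
        if row["TargetMailbox"].lower() != own_mailbox(row["AuthenticatedUser"]):
            hits.append((row["AuthenticatedUser"], row["TargetMailbox"], row["UserAgent"]))
    return hits


def find_mailbox_fanout(rows, threshold=MAILBOX_FANOUT_THRESHOLD):
    """Principals (keyed by user and client IP) that read >= threshold distinct mailboxes.

    Bulk collection with a privileged account looks like one caller touching many
    mailboxes in a short span; a delegate normally touches one or two.
    """
    targets = defaultdict(set)
    for row in rows:
        if row["HttpStatus"] != "200" or row["SoapAction"] not in READ_ACTIONS:
            continue
        key = (row["AuthenticatedUser"], row["ClientIpAddress"])
        targets[key].add(row["TargetMailbox"].lower())
    return {key: sorted(boxes) for key, boxes in targets.items() if len(boxes) >= threshold}


if __name__ == "__main__":
    rows = parse_ews_log(SAMPLE_EWS_LOG)
    for user, mailbox, agent in find_cross_mailbox_reads(rows):
        print(f"cross-mailbox read: {user} -> {mailbox} via {agent}")
    for (user, ip), boxes in find_mailbox_fanout(rows).items():
        print(f"ALERT fan-out: {user} from {ip} read {len(boxes)} mailboxes: {', '.join(boxes)}")
```

On the sample, the service account from one IP trips the fan-out alert across five executive and deal-team mailboxes, while bob's single read of the CEO's mailbox appears only in the cross-mailbox triage list, which is the distinction an analyst needs before paging anyone. In production the same logic should also key on the user agent, since the actor's client will rarely match the Outlook strings your real users present.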
News URL
https://go.theregister.com/feed/www.theregister.com/2022/05/04/microsoft_exchange_mergers/
Related news
- Microsoft fixes Outlook clients not syncing over Exchange ActiveSync
- Microsoft confirms Russian spies stole source code, accessed internal systems
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack
- US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack
- Microsoft breach allowed Russian spies to steal emails from US government