Cyber-spies target Microsoft Exchange to steal M&A info
2022-05-04 00:31

A cyber-spy group is targeting Microsoft Exchange deployments to steal data related to mergers and acquisitions and large corporate transactions, according to Mandiant.

The infosec giant's researchers have dubbed the cyber-espionage threat group UNC3524.

While its techniques overlap with those used by what's said to be "multiple" Russia-based cyber-spies, including the Kremlin-backed gangs accused of meddling in US elections and hijacking SolarWinds' software updates, Mandiant says it can't conclusively link UNC3524 to a previously seen advanced persistent threat group.

"Their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021" indicates espionage, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler Mclellan and Chris Gardner wrote in an analysis of UNC3524's tools, tactics and procedures.

UNC3524 sometimes used a secondary backdoor to gain access: a ReGeorg web shell on a DMZ web server that created a SOCKS proxy.

UNC3524 obtained privileged credentials for the victim's email environment, and then began making Exchange Web Services API requests to either Microsoft Exchange or Microsoft 365 Exchange Online.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/04/microsoft_exchange_mergers/
