UNC3524: The nearly invisible cyberespionage threat sitting on network appliances
2022-05-05 13:53

A new report from Mandiant reveals details about an ongoing cyberespionage operation run by a threat actor dubbed UNC3524, monitored by Mandiant since December 2019.

While such targeting may suggest financial motivations, Mandiant believes it's instead motivated by espionage, because the threat actor maintains its access and remains undetected for an order of magnitude longer than the average dwell time of 21 days.

While the initial compromise remains unknown at this point, UNC3524 deploys a previously unreported backdoor tracked by Mandiant as QUIETEXIT immediately after gaining initial access.

UNC3524 decided to install the QUIETEXIT backdoor on opaque network appliances within the victims' environments: SAN arrays, load balancers and wireless access point controllers.

Mandiant observed that the mailboxes targeted by UNC3524 belonged to executive teams and to employees working in corporate development, mergers and acquisitions, or IT security; the IT security staff were possibly targeted so the threat actor could check whether it had been detected.

One key element to hunt for is the use of the SSH protocol on ports other than the usual port 22, particularly from network appliances, and even more so from network appliances that are not centrally managed.
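The hunting lead above, applied to connection logs as an added example that is not from the article or from Mandiant's report. It assumes a sensor that labels the protocol from the payload rather than from the port (as the `service` field in Zeek's conn.log does); the simplified log rows, the IP addresses and the appliance inventory are constructed for illustration.

```python
import csv
import io

# Constructed sample: simplified Zeek-style conn.log rows (tab-separated).
# Columns: ts, orig_h, orig_p, resp_h, resp_p, proto, service
SAMPLE_CONN_LOG = """\
1651750000.1\t10.0.5.20\t51512\t203.0.113.10\t443\ttcp\tssh
1651750001.2\t10.0.1.15\t40222\t10.0.1.30\t22\ttcp\tssh
1651750002.3\t10.0.5.21\t38812\t198.51.100.7\t8443\ttcp\tssh
1651750003.4\t10.0.2.44\t50123\t192.0.2.80\t2222\ttcp\tssh
1651750004.5\t10.0.5.20\t51600\t203.0.113.10\t443\ttcp\tssl
"""

# Hypothetical asset inventory: appliance IP -> (role, centrally managed?)
APPLIANCES = {
    "10.0.5.20": ("load balancer", True),
    "10.0.5.21": ("wireless controller", False),
}

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service"]


def hunt_offport_ssh(log_text, appliances, standard_port=22):
    """Return SSH sessions on non-standard ports, highest priority first.

    Priority: 0 = ordinary host, 1 = network appliance,
    2 = network appliance that is not centrally managed.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS, delimiter="\t")
    for row in reader:
        # 'service' is the protocol identified from the payload, not the port.
        if row["service"] != "ssh" or int(row["resp_p"]) == standard_port:
            continue
        role, managed = appliances.get(row["orig_h"], (None, True))
        priority = 0 if role is None else (1 if managed else 2)
        findings.append({
            "src": row["orig_h"],
            "dst": f'{row["resp_h"]}:{row["resp_p"]}',
            "role": role or "host",
            "priority": priority,
        })
    # sorted() is stable, so log order is kept within each priority level.
    return sorted(findings, key=lambda f: -f["priority"])


if __name__ == "__main__":
    for finding in hunt_offport_ssh(SAMPLE_CONN_LOG, APPLIANCES):
        print(finding)
```

Appliances missing from the inventory are scored as ordinary hosts, so the ranking is only as good as the asset list behind it.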


News URL

https://www.techrepublic.com/article/unc3524-invisible-threat-network-appliances/