New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government (Security News, May 2023)
An unnamed government entity associated with the United Arab Emirates was targeted by a likely Iranian threat actor, who breached the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed PowerExchange.
The custom implant uses the Exchange Web Services (EWS) API to connect to the victim's Exchange Server, and it uses a mailbox on that server to send and receive encoded commands from its operator.
"The Exchange Server is accessible from the internet, saving C2 communication to external servers from the devices in the organizations," Fortinet researchers said.
PowerExchange is suspected to be an upgraded version of TriFive, which was previously used by the Iranian nation-state actor APT34 in intrusions targeting government organizations in Kuwait.
Communication via internet-facing Exchange servers is a tried-and-tested tactic adopted by the OilRig actors, as observed in the case of Karkoff and MrPerfectionManager.
"Using the victim's Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization's infrastructure," the researchers said.
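Because the C2 channel is the organization's own Exchange server, network egress monitoring sees nothing unusual; the place the traffic does leave a trace is the IIS log on the Exchange server itself, where every EWS call is recorded with the client IP, the authenticated user and the user agent. The following is an added example, not code from the article or from Fortinet's report: it parses an IIS W3C log excerpt, groups EWS requests by client, and flags clients that either present a user agent outside an allowlist of expected mail clients or poll EWS at a near-constant interval, the cadence a mailbox-based implant needs in order to pick up operator commands. The log lines are constructed, and the user-agent allowlist prefixes and beaconing thresholds are illustrative assumptions, not values taken from the page.

```python
"""Hunt for mailbox-based C2 over EWS in Exchange IIS (W3C) logs.

Added example; not from the article or from Fortinet's report.
Assumptions (not from the page): the log uses the IIS W3C format with a
'#Fields:' header naming at least date, time, c-ip, cs-username,
cs-uri-stem and cs(User-Agent); the allowlist prefixes and thresholds
below are illustrative; SAMPLE_LOG is constructed data.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed IIS W3C excerpt. 10.0.0.77 polls EWS every 30 s with a
# non-Outlook user agent, as a mailbox C2 implant would.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs(User-Agent) sc-status
2023-05-10 08:00:01 10.0.0.21 CORP\\alice POST /EWS/Exchange.asmx Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.16130;+Pro) 200
2023-05-10 08:00:04 10.0.0.22 CORP\\bob POST /EWS/Exchange.asmx Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.16130;+Pro) 200
2023-05-10 08:00:30 10.0.0.77 CORP\\svc-print POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-10 08:01:00 10.0.0.77 CORP\\svc-print POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-10 08:01:30 10.0.0.77 CORP\\svc-print POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-10 08:02:00 10.0.0.77 CORP\\svc-print POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-10 08:02:30 10.0.0.77 CORP\\svc-print POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
2023-05-10 08:02:41 10.0.0.21 CORP\\alice GET /owa/ Mozilla/5.0+(Windows+NT+10.0)+Chrome/113.0 200
2023-05-10 08:03:00 10.0.0.77 CORP\\svc-print POST /EWS/Exchange.asmx ExchangeServicesClient/15.00.0913.015 200
"""

# Illustrative allowlist (assumption): user-agent prefixes of the mail
# clients this environment is expected to run against EWS.
KNOWN_EWS_CLIENT_PREFIXES = ("Microsoft Office/", "MacOutlook/")


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # skip malformed lines rather than abort the hunt
        row = dict(zip(fields, parts))
        # IIS writes spaces inside a field as '+'
        row["cs(User-Agent)"] = row.get("cs(User-Agent)", "").replace("+", " ")
        rows.append(row)
    return rows


def ews_clients(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], List[datetime]]:
    """Group EWS request timestamps by (client IP, user, user agent)."""
    groups: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for r in rows:
        if not r.get("cs-uri-stem", "").lower().startswith("/ews/"):
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        groups[(r["c-ip"], r.get("cs-username", "-"), r["cs(User-Agent)"])].append(ts)
    return groups


def is_known_client(user_agent: str) -> bool:
    return user_agent.startswith(KNOWN_EWS_CLIENT_PREFIXES)


def beacon_score(stamps: List[datetime], min_hits: int = 4, max_jitter_s: float = 5.0) -> Tuple[bool, float]:
    """Return (is_periodic, median_gap_s): periodic if min_hits+ requests arrive
    at a near-constant interval (spread of gaps within max_jitter_s)."""
    if len(stamps) < min_hits:
        return False, 0.0
    ts = sorted(stamps)
    gaps = sorted((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
    median = gaps[len(gaps) // 2]
    return (gaps[-1] - gaps[0]) <= max_jitter_s, median


def find_suspicious_ews(log_text: str) -> List[Dict[str, object]]:
    """Flag EWS clients with an unexpected user agent or a beacon-like cadence."""
    findings: List[Dict[str, object]] = []
    for (ip, user, ua), stamps in ews_clients(parse_w3c(log_text)).items():
        periodic, interval = beacon_score(stamps)
        reasons = []
        if not is_known_client(ua):
            reasons.append("unexpected user agent")
        if periodic:
            reasons.append(f"periodic EWS polling (~{interval:.0f}s)")
        if reasons:
            findings.append({"c-ip": ip, "user": user, "user_agent": ua,
                             "requests": len(stamps), "interval_s": interval,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ews(SAMPLE_LOG):
        print(f"{f['c-ip']} {f['user']} ({f['requests']} EWS requests): {'; '.join(f['reasons'])}")
```

Run it against the real logs under the IIS default location, `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1`, by passing the file contents to `find_suspicious_ews`; the parser reads the `#Fields:` header, so the extra columns a production log carries do not matter as long as the named fields are present. The user-agent check is the weaker half of the detection, since an implant can set any string it likes; the cadence check is harder to hide because an operator who wants timely command pickup has to poll, and per-user baselining (which users and hosts normally use EWS at all) is what turns either signal into an alert worth triaging.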
News URL
https://thehackernews.com/2023/05/new-powerexchange-backdoor-used-in.html