
Turla has been targeting defense sector organizations in Ukraine and Eastern Europe with DeliveryCheck and Kazuar backdoors / infostealers and has been using compromised Microsoft Exchange servers to control them.
Turla is a sophisticated and persistent APT group that has been active for over 10 years and is believed to be sponsored by the Russian state.
Microsoft describes Kazuar as a "fully-featured implant".
"The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems," Microsoft noted.
Turla also used Desired State Configuration (DSC), a PowerShell feature that lets administrators automate the configuration of Windows and Linux systems, to install the server-side components of the DeliveryCheck malware on Microsoft Exchange servers.
"DSC generates a managed object format file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center," Microsoft explained.
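As an added example (not code from the article or from Microsoft's report), the following Python scanner parses a compiled DSC MOF file and flags Script resources whose SetScript body loads a .NET assembly from memory, the pattern described above. The MSFT_ScriptResource block layout is assumed from DSC's Script resource, and the sample MOF is constructed for the demonstration.

```python
import re

# Indicators of an in-memory .NET payload inside a DSC Script resource body.
ASSEMBLY_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\s*\(", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# One compiled Script resource instance in a MOF file (assumed layout of the
# MSFT_ScriptResource block that DSC's Script resource compiles to).
INSTANCE = re.compile(r"instance of MSFT_ScriptResource\b[^{]*\{(.*?)\};", re.S)
PROPERTY = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)


def scan_mof(mof_text):
    """Return one finding per Script resource whose SetScript shows the
    in-memory assembly-load pattern; each finding lists the indicators hit."""
    findings = []
    for block in INSTANCE.finditer(mof_text):
        props = dict(PROPERTY.findall(block.group(1)))
        body = props.get("SetScript", "")
        hits = []
        if ASSEMBLY_LOAD.search(body):
            hits.append("assembly_load")
        if LONG_BASE64.search(body):
            hits.append("long_base64")
        if hits:
            findings.append({"resource": props.get("ResourceID", "?"),
                             "indicators": hits})
    return findings


# Constructed sample: one benign resource and one resembling the described
# loader. The base64 blob is filler, not a real assembly.
SAMPLE_MOF = '''
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]SetTimeZone";
 GetScript = "@{ Result = (Get-TimeZone).Id }";
 TestScript = "(Get-TimeZone).Id -eq 'UTC'";
 SetScript = "Set-TimeZone -Id 'UTC'";
 ModuleName = "PSDesiredStateConfiguration";
};
instance of MSFT_ScriptResource as $MSFT_ScriptResource2ref
{
 ResourceID = "[Script]DeployAgent";
 GetScript = "@{ Result = 'n/a' }";
 TestScript = "$false";
 SetScript = "$b = [Convert]::FromBase64String('__BLOB__'); [System.Reflection.Assembly]::Load($b)";
 ModuleName = "PSDesiredStateConfiguration";
};
'''.replace("__BLOB__", "QUFB" * 80)

if __name__ == "__main__":
    for f in scan_mof(SAMPLE_MOF):
        print(f"{f['resource']}: {', '.join(f['indicators'])}")
```

Pointing the scanner at the MOF files under a server's DSC configuration store surfaces Script resources that deserve a closer look, rather than trusting the configuration because DSC itself is a legitimate tool.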
News URL
https://www.helpnetsecurity.com/2023/07/20/turla-compromised-microsoft-exchange/