Security News > 2023 > July > Microsoft Exchange servers compromised by Turla APT
Turla has been targeting defense-sector organizations in Ukraine and Eastern Europe with the DeliveryCheck and Kazuar backdoors/infostealers, and has been using compromised Microsoft Exchange servers as command-and-control (C2) infrastructure for them.
Turla APT
Turla is a sophisticated and persistent APT group that has been active for over 10 years and is believed to be sponsored by the Russian state.
Microsoft says Kazuar is a "Fully-featured implant".
"The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems," Microsoft noted.
Turla also used Desired State Configuration (DSC) - a PowerShell-based management feature that lets administrators declaratively automate the configuration of Windows and Linux systems - to install the server-side components of the DeliveryCheck malware on compromised Microsoft Exchange servers.
"DSC generates a managed object format file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center," Microsoft explained.
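Because the technique rides on a legitimate management feature, the practical check is to enumerate what DSC is actually enforcing on an Exchange server. The following PowerShell is an added triage example, not code from the article or from Microsoft's report; it assumes the Local Configuration Manager (LCM) keeps its MOFs in the default location under System32\Configuration, and the "loader hint" strings are my own heuristics, not indicators published for DeliveryCheck.

```powershell
# Added DSC triage script (hypothetical example, not from the article or Microsoft).
# Run elevated on the Exchange server. Assumes the default LCM MOF directory.

# 1. How the LCM is configured: refresh mode, enforcement mode, and any pull server.
$lcm = Get-DscLocalConfigurationManager
[pscustomobject]@{
    ConfigurationMode = $lcm.ConfigurationMode
    RefreshMode       = $lcm.RefreshMode
    PullServers       = ($lcm.ConfigurationDownloadManagers | ForEach-Object { $_.ServerURL }) -join ','
} | Format-List

# 2. Applied and pending MOFs. Current.mof/Pending.mof are what the LCM (re)applies
#    as SYSTEM on every consistency check, so a malicious one is also persistence.
$mofDir = Join-Path $env:SystemRoot 'System32\Configuration'
$mofs   = Get-ChildItem -Path $mofDir -Filter '*.mof' -ErrorAction SilentlyContinue

# Heuristic strings (assumption, not published IOCs) that suggest an in-memory .NET loader
# embedded in a Script resource's GetScript/SetScript/TestScript bodies.
$loaderHints = @('Assembly]::Load', 'FromBase64String', 'Reflection.Assembly', 'Add-Type')

$findings = foreach ($mof in $mofs) {
    $text = Get-Content -Path $mof.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }

    # A MOF declaring MSFT_ScriptResource carries arbitrary PowerShell the LCM will execute.
    $hasScriptResource = $text -match 'MSFT_ScriptResource'
    $hits = $loaderHints | Where-Object { $text -match [regex]::Escape($_) }

    [pscustomobject]@{
        File           = $mof.FullName
        LastWriteUtc   = $mof.LastWriteTimeUtc
        ScriptResource = $hasScriptResource
        LoaderHints    = ($hits -join ',')
    }
}
$findings | Format-Table -AutoSize

# 3. Recent DSC applications recorded by the LCM: when something was applied and how.
Get-DscConfigurationStatus -All -ErrorAction SilentlyContinue |
    Select-Object StartDate, Type, Mode, Status, NumberOfResources, RebootRequested |
    Format-Table -AutoSize

# 4. The DSC operational channel records each configuration run; correlate timestamps
#    with the MOF LastWrite times above and with Exchange change windows.
Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

A Script resource in Current.mof is not malicious by itself; many shops legitimately use DSC. The point of the check is that an Exchange server with no sanctioned DSC deployment should have no applied MOF at all, and one that does should have its Script resource bodies read, since that is exactly where the report says the PowerShell stage that loads the .NET payload lives.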
News URL
https://www.helpnetsecurity.com/2023/07/20/turla-compromised-microsoft-exchange/
Related news
- Microsoft re-releases Exchange updates after fixing mail delivery
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities
- Microsoft 365 apps crash on Windows Server after Office update
- Microsoft fixes Office 365 apps crashing on Windows Server systems
- Microsoft fixes Windows Server 2022 bug breaking device boot
- Microsoft: Exchange 2016 and 2019 reach end of support in October