Microsoft Exchange servers compromised by Turla APT (Security News, July 2023)
Turla has been targeting defense sector organizations in Ukraine and Eastern Europe with DeliveryCheck and Kazuar backdoors / infostealers and has been using compromised Microsoft Exchange servers to control them.
Turla is a sophisticated and persistent APT group that has been active for over 10 years and is believed to be sponsored by the Russian state.
Microsoft says Kazuar is a "Fully-featured implant".
"The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems," Microsoft noted.
Turla also used Desired State Configuration (DSC) - a PowerShell feature that allows administrators to automate the configuration of Linux and Windows - to install server-side components of the DeliveryCheck malware on Microsoft Exchange servers.
"DSC generates a managed object format file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center," Microsoft explained.
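The abuse described above leaves two places an administrator can check on an Exchange host: the MOF documents the DSC Local Configuration Manager (LCM) has applied, and the Script resources the LCM currently reports. The following PowerShell is an added defender-side example written for this page; it is not code from the article or from Microsoft's report. It assumes a DSC v1 LCM that stores applied documents as Current.mof, Pending.mof and Previous.mof under `$env:SystemRoot\System32\Configuration` as readable text (where that is not the case, the second function falls back to querying the LCM with `Get-DscConfiguration`), and the indicator regexes are hypothetical heuristics for "PowerShell that loads an embedded .NET payload in memory", not signatures for DeliveryCheck.

```powershell
# Added detection example (not from the article or from Microsoft's report).
# Assumptions: DSC v1 LCM keeps Current.mof / Pending.mof / Previous.mof under
# $env:SystemRoot\System32\Configuration, and the Script DSC resource exposes
# GetScript/SetScript/TestScript strings through Get-DscConfiguration.
# The indicator patterns are hypothetical heuristics chosen for this example.

$IndicatorPatterns = @(
    '\[(System\.)?Reflection\.Assembly\]::Load',    # in-memory .NET assembly load
    'FromBase64String',                              # embedded / encoded payload
    'Invoke-Expression|\bIEX\b',                     # dynamic script execution
    'DownloadString|DownloadFile|Invoke-WebRequest'  # remote stager fetch
)

function Test-ScriptIndicators {
    # Returns the first matching pattern, or $null when the text looks benign.
    param([string]$Text)
    foreach ($p in $IndicatorPatterns) {
        if ($Text -match $p) { return $p }
    }
    return $null
}

function Find-SuspiciousDscMof {
    # Scan the LCM's applied MOF documents for Script resources that carry
    # in-memory loading or decoding indicators.
    param([string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\Configuration'))
    $findings = @()
    foreach ($name in 'Current.mof', 'Pending.mof', 'Previous.mof') {
        $path = Join-Path $ConfigDir $name
        if (-not (Test-Path $path)) { continue }
        $text = Get-Content -Path $path -Raw -ErrorAction SilentlyContinue
        if (-not $text) { continue }
        # MOF Script resources serialize GetScript/SetScript/TestScript as strings.
        if ($text -match '(Get|Set|Test)Script\s*=') {
            $hit = Test-ScriptIndicators -Text $text
            if ($hit) {
                $findings += [pscustomobject]@{
                    Source    = $path
                    Indicator = $hit
                    LastWrite = (Get-Item $path).LastWriteTime
                }
            }
        }
    }
    return $findings
}

function Find-SuspiciousDscResource {
    # Ask the live LCM which resources it manages; Script resources return
    # their script bodies as properties, so the same heuristics apply.
    $findings = @()
    try { $resources = Get-DscConfiguration -ErrorAction Stop } catch { return $findings }
    foreach ($r in $resources) {
        foreach ($prop in 'GetScript', 'SetScript', 'TestScript') {
            $p = $r.PSObject.Properties[$prop]
            if (-not $p -or -not $p.Value) { continue }
            $hit = Test-ScriptIndicators -Text ([string]$p.Value)
            if ($hit) {
                $findings += [pscustomobject]@{
                    Source    = "LCM:$($r.ResourceId)/$prop"
                    Indicator = $hit
                    LastWrite = $null
                }
            }
        }
    }
    return $findings
}

# Context for the analyst: a server that should not be DSC-managed at all, or
# that pulls configuration from an unexpected endpoint, is a finding on its own.
$lcm = Get-DscLocalConfigurationManager
Write-Host "LCM RefreshMode: $($lcm.RefreshMode)"
foreach ($dm in $lcm.ConfigurationDownloadManagers) {
    Write-Host "Pull server: $($dm.ServerURL)"
}

$all = @(Find-SuspiciousDscMof) + @(Find-SuspiciousDscResource)
if ($all.Count -eq 0) {
    Write-Host 'No DSC Script resources with in-memory loading indicators found.'
} else {
    $all | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run can raise an alert
}
```

Run it elevated on the Exchange host; the MOF scan needs read access to the LCM's configuration directory, and `Get-DscConfiguration` needs WinRM/WMI access to the local LCM. A hit is a lead to examine, not proof of compromise: legitimate Script resources can legitimately decode or fetch content, so compare any flagged document against what the configuration management pipeline is known to deploy.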
News URL
https://www.helpnetsecurity.com/2023/07/20/turla-compromised-microsoft-exchange/