"IP Cameras Being Used by Cyberspies to Install Backdoors, Harvest Exchange Emails"

A new Advanced Persistent Threat (APT) group, tracked as UNC3524, has been compromising business networks to obtain Exchange (on-premises and online) emails from personnel involved in mergers, acquisitions, and other corporate transactions. Mandiant researchers describe UNC3524 as highly advanced, citing its ability to maintain access to victim environments for more than 18 months. According to Mandiant, once UNC3524 obtains privileged credentials to the victim's mail environment, it begins making Exchange Web Services (EWS) Application Programming Interface (API) requests to the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each victim environment, the threat actor targets a set of mailboxes, focusing on executive teams and employees working in corporate development, mergers, acquisitions, or IT security. The group maintains persistence by installing QUIETEXIT, a recently discovered backdoor inspired by the open-source Dropbear Secure Shell Protocol (SSH) software, on network equipment that lacks security monitoring and malware detection technologies. The QUIETEXIT backdoor's command-and-control (C2) servers are part of a botnet composed of compromised Internet-connected LifeSize and D-Link IP videoconferencing camera systems. The group has also deployed the reGeorg web shell on demilitarized zone (DMZ) web servers to create a SOCKS tunnel as an additional entry point into its victims' networks. This article continues to discuss findings regarding UNC3524's tools, techniques, and operations.
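The mailbox-access pattern described above (one set of credentials reading executive and corporate-development mailboxes over EWS) is something a defender can hunt for in mailbox audit data. The following is an added example, not code from the article or from Mandiant's report: it parses a constructed, pipe-delimited audit record format (timestamp, operation, acting account, target mailbox, client) and flags any identity that, over EWS, reads several mailboxes other than its own or any mailbox from a defender-defined sensitive set. The log format, the account names, and the `SENSITIVE_MAILBOXES` set are all assumptions made for this example and do not correspond to a real Exchange or Microsoft 365 log schema.

```python
"""
Hunt over mailbox-audit style records for the EWS access pattern discussed
in the article: a single identity reading several other users' mailboxes,
with a bias toward executive / corporate-development mailboxes.

Everything below is constructed for this example (added code, not from the
article or Mandiant): the pipe-delimited log format, the account names, and
the sensitive-mailbox set. It is not a real Exchange or M365 audit format.
"""
from collections import defaultdict

# Constructed: mailboxes the defender treats as high-value (executives,
# corporate development, IT security). In practice this would be loaded
# from a directory group rather than hard-coded.
SENSITIVE_MAILBOXES = {
    "ceo@example.test",
    "cfo@example.test",
    "corpdev@example.test",
    "itsec@example.test",
}

# Constructed sample records: timestamp|operation|actor|target mailbox|client
SAMPLE_LOG = """\
2022-05-02T03:14:07Z|MailItemsAccessed|svc-backup@example.test|ceo@example.test|EWS
2022-05-02T03:14:09Z|MailItemsAccessed|svc-backup@example.test|cfo@example.test|EWS
2022-05-02T03:14:12Z|MailItemsAccessed|svc-backup@example.test|corpdev@example.test|EWS
2022-05-02T03:15:00Z|MailItemsAccessed|svc-backup@example.test|ceo@example.test|EWS
2022-05-02T08:01:44Z|MailItemsAccessed|alice@example.test|alice@example.test|EWS
2022-05-02T08:02:10Z|MailItemsAccessed|bob@example.test|alice@example.test|Outlook
2022-05-02T09:30:21Z|MailItemsAccessed|helpdesk@example.test|dave@example.test|EWS
this line is malformed and should be skipped
"""


def parse_records(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, op, actor, mailbox, client = parts
        records.append({
            "ts": ts,
            "op": op,
            "actor": actor.lower(),
            "mailbox": mailbox.lower(),
            "client": client.upper(),
        })
    return records


def flag_ews_access(records, sensitive, threshold=3):
    """Return {actor: {"mailboxes": [...], "sensitive": [...]}} for actors that,
    over EWS, read at least `threshold` mailboxes other than their own, or any
    mailbox from the sensitive set other than their own.

    Non-EWS clients are ignored only to isolate the pattern the article
    describes; a real hunt would keep them as a separate baseline.
    """
    by_actor = defaultdict(set)
    for r in records:
        if r["client"] != "EWS" or r["op"] != "MailItemsAccessed":
            continue
        if r["mailbox"] == r["actor"]:
            continue  # reading one's own mailbox is expected
        by_actor[r["actor"]].add(r["mailbox"])

    sensitive = {m.lower() for m in sensitive}
    findings = {}
    for actor, boxes in by_actor.items():
        hits = boxes & sensitive
        if len(boxes) >= threshold or hits:
            findings[actor] = {
                "mailboxes": sorted(boxes),
                "sensitive": sorted(hits),
            }
    return findings


if __name__ == "__main__":
    results = flag_ews_access(parse_records(SAMPLE_LOG), SENSITIVE_MAILBOXES)
    for actor, detail in results.items():
        print(f"{actor}: read {len(detail['mailboxes'])} other mailboxes via EWS, "
              f"sensitive: {', '.join(detail['sensitive']) or 'none'}")
```

On the constructed sample only `svc-backup@example.test` is flagged: it touches three sensitive mailboxes over EWS, while the help-desk account's single non-sensitive access and the Outlook-based delegate access stay below the bar. The threshold and the sensitive set are the knobs to tune against an organisation's own baseline of service-account and delegate behaviour.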

CyberIntelMag reports "IP Cameras Being Used by Cyberspies to Install Backdoors, Harvest Exchange Emails"

