New covert spy group targets corporate mergers and acquisitions


A newly identified espionage group hacks into corporate networks to steal emails from employees involved in large financial transactions such as mergers and acquisitions.

Mandiant researchers, who first discovered the Advanced Persistent Threat (APT) group in December 2019 and are now tracking it as “UNC3524,” say that while the group’s corporate targets hint at a financial motivation, its longer-than-usual time in victims’ environments suggests an intelligence-gathering mandate. In some cases, UNC3524 went undetected in victim environments for 18 months, compared with an average dwell time of 21 days in 2021.

Mandiant attributes the group’s success in staying hidden for so long to a unique approach: deploying a new backdoor, tracked as “QuietExit,” on network devices that do not support antivirus or endpoint detection tools, such as storage arrays, load balancers, and wireless access point controllers.

The QuietExit backdoor’s command-and-control (C&C) servers are part of a botnet built by compromising D-Link and LifeSize conference room camera systems. TechCrunch contacted D-Link and LifeSize but received no response.

“High levels of operational security, low levels of malware, skillful evasion skills, and a large botnet of IoT devices distinguish this group and highlight the ‘advancement’ in an advanced persistent threat,” Mandiant researchers wrote in a blog post published Monday.

In addition, when UNC3524’s access was removed from a victim’s environment, the threat actor “wasted no time re-compromising the environment through various mechanisms, immediately restarting their data theft campaign,” Mandiant said. In some cases, UNC3524 installed an additional backdoor as an alternative means of access.

After deploying the backdoors, UNC3524 obtained privileged credentials for its victims’ email environments and began targeting on-premises Exchange servers and Microsoft 365 cloud mailboxes. The attacker focused on management teams and employees working in corporate development, mergers and acquisitions, or IT security, the last of which is likely a means of determining whether its activity has been detected.

While Mandiant researchers noted overlap between UNC3524’s methods and those of well-known Russian cyber-espionage groups such as APT28 (or “Fancy Bear”) and APT29 (“Cozy Bear”), they said they could not definitively link the attacker to either group.

The American cybersecurity firm, which was recently acquired by Google for $5.4 billion, added that because UNC3524 relies on compromised devices that are often the least secure and least monitored in the victim’s environment, administrators should instead rely on their logs to detect unusual activity.
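One way to act on that advice is to review connection logs for the classes of appliance named above, since they cannot host endpoint agents themselves. The following is an added example, not code from Mandiant or TechCrunch; the appliance inventory, mail server address and log lines are constructed, hypothetical values, and the log format is assumed to be a simple space-separated record.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical addresses): appliance IP -> (role,
# set of internal (dst_ip, dst_port) pairs the appliance is expected to reach).
APPLIANCES = {
    "10.0.5.10": ("storage array", {("10.0.1.5", 53), ("10.0.1.20", 123)}),
    "10.0.5.20": ("load balancer", {("10.0.1.5", 53), ("10.0.2.30", 8080)}),
    "10.0.5.30": ("wireless AP controller", {("10.0.1.5", 53)}),
}
MAIL_HOSTS = {"10.0.3.40"}  # on-premises Exchange server (hypothetical address)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection log: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2022-05-02T08:00:01Z 10.0.5.10 49152 10.0.1.5 53 udp
2022-05-02T08:00:07Z 10.0.5.20 49200 10.0.2.30 8080 tcp
2022-05-02T08:01:13Z 10.0.5.30 49311 203.0.113.77 443 tcp
2022-05-02T08:02:40Z 10.0.5.10 49399 10.0.3.40 443 tcp
2022-05-02T08:03:05Z 10.0.5.20 49410 10.0.9.9 22 tcp
2022-05-02T08:03:30Z 10.0.7.1 51000 198.51.100.5 443 tcp
"""

def is_internal(ip):
    """True if ip falls in an RFC 1918 range."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def classify(line):
    """Return a finding tuple for one log line, or None if the line looks normal."""
    ts, src, _sport, dst, dport, _proto = line.split()
    if src not in APPLIANCES:
        return None  # not an appliance; endpoint tooling covers it elsewhere
    role, allowed = APPLIANCES[src]
    dport = int(dport)
    if not is_internal(dst):
        # Appliances rarely need direct internet egress; flag it for review.
        return (ts, src, role, "external egress", f"{dst}:{dport}")
    if dst in MAIL_HOSTS:
        # An appliance talking to the mail environment is never expected.
        return (ts, src, role, "mail service reached", f"{dst}:{dport}")
    if (dst, dport) not in allowed:
        return (ts, src, role, "unexpected internal peer", f"{dst}:{dport}")
    return None

def find_suspicious(log_text):
    """Run classify() over every log line and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

The allowlist per appliance has to come from a real baseline of that device's traffic; the point is that a storage array or WLAN controller opening connections outside its known peers is itself the signal, whatever the device reports about its own state.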


Credit: techcrunch.com
