Corporate networks are being infiltrated by the novel advanced persistent threat group UNC3524 to exfiltrate Microsoft Exchange emails from employees, reports BleepingComputer.
UNC3524 has also maintained access to some compromised environments for more than 18 months by deploying the recently discovered QUIETEXIT backdoor on network appliances that lack malware detection and security monitoring support, and the reGeorg web shell on DMZ web servers, according to a report from Mandiant.
"Once UNC3524 successfully obtained privileged credentials to the victim's mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff," said researchers.
While UNC3524 has been leveraging tactics previously used by Russian state-sponsored threat groups, Mandiant has not conclusively attributed its activity to such threat actors.
Ukrainian hacktivist operation IT Army has claimed responsibility for a significant distributed denial-of-service attack against the Russian airline booking system Leonardo, which is used by more than 50 Russian carriers, according to The Record, a news site run by cybersecurity firm Recorded Future.
New attacks with the updated SysUpdate toolkit have been deployed by Chinese advanced persistent threat operation Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, against an Asian government and a Middle East-based telecommunications provider, reports The Hacker News.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.