The newly identified advanced persistent threat group UNC3524 is infiltrating corporate networks to exfiltrate Microsoft Exchange email from employees, reports BleepingComputer.
UNC3524 has also kept access to some compromised environments for more than 18 months by deploying the recently discovered QUIETEXIT backdoor on network appliances that do not support malware detection or security monitoring, together with the reGeorg web shell on DMZ web servers, according to a report from Mandiant.
"Once UNC3524 successfully obtained privileged credentials to the victim's mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff," said researchers.
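The access pattern Mandiant describes, one privileged account reading a handful of executive and M&A mailboxes over EWS, is something mailbox audit logs can surface. The following is an added detection example, not code from Mandiant or from the original article: it runs over constructed audit records whose field names (CreationTime, UserId, MailboxOwnerUPN, ClientInfoString) are a simplified stand-in for Microsoft 365 MailItemsAccessed events, so verify them against your own tenant's export. The hypothetical HIGH_VALUE list and the thresholds are assumptions to tune locally.

```python
"""Flag accounts that read several other people's mailboxes over EWS in a short window.

Added example; the audit schema below is a simplified, constructed stand-in for
Microsoft 365 MailItemsAccessed records, and all sample data is made up.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical list of mailboxes an attacker like UNC3524 would target
# (executives, corporate development / M&A, security staff). Assumption: maintain it yourself.
HIGH_VALUE = {"ceo@example.com", "cfo@example.com", "mna-lead@example.com", "ciso@example.com"}

EWS = "Client=WebServices;ExchangeWebServices/1.0"   # constructed client string
OWA = "Client=OWA;Action=ViaProxy"                   # constructed client string


def ev(when, actor, owner, client):
    """Build one constructed audit record. Timestamps are naive and assumed UTC."""
    return {"CreationTime": when, "Operation": "MailItemsAccessed",
            "UserId": actor, "MailboxOwnerUPN": owner, "ClientInfoString": client}


# Constructed sample log: one sweep by a privileged service account, plus benign noise.
SAMPLE_EVENTS = [
    ev("2022-04-30T02:00:00", "svc-ews-sync@example.com", "ceo@example.com", EWS),
    ev("2022-04-30T02:05:00", "svc-ews-sync@example.com", "cfo@example.com", EWS),
    ev("2022-04-30T02:30:00", "svc-ews-sync@example.com", "mna-lead@example.com", EWS),
    ev("2022-04-30T03:00:00", "svc-ews-sync@example.com", "ciso@example.com", EWS),
    ev("2022-04-30T03:10:00", "svc-ews-sync@example.com", "ciso@example.com", EWS),  # repeat read
    ev("2022-04-30T08:00:00", "alice@example.com", "alice@example.com", EWS),  # own mailbox: normal
    ev("2022-04-30T08:15:00", "bob@example.com", "cfo@example.com", EWS),      # single delegate read
    ev("2022-04-30T09:00:00", "carol@example.com", "ceo@example.com", OWA),    # OWA, not EWS
    ev("2022-04-30T09:05:00", "carol@example.com", "cfo@example.com", OWA),
    ev("2022-04-30T09:10:00", "carol@example.com", "mna-lead@example.com", OWA),
    ev("2022-04-27T10:00:00", "dave@example.com", "ceo@example.com", EWS),     # three mailboxes, but
    ev("2022-04-28T11:00:00", "dave@example.com", "cfo@example.com", EWS),     # spread over days
    ev("2022-04-29T12:00:00", "dave@example.com", "ciso@example.com", EWS),
]


def is_ews(client_info):
    """True when the client string identifies an Exchange Web Services client."""
    return client_info.startswith("Client=WebServices")


def find_ews_mailbox_sweeps(events, min_mailboxes=3, window=timedelta(hours=24)):
    """Return {actor: alert} for actors that read at least `min_mailboxes` distinct
    mailboxes other than their own over EWS within any `window`-long span."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("Operation") != "MailItemsAccessed" or not is_ews(e.get("ClientInfoString", "")):
            continue
        actor, owner = e["UserId"].lower(), e["MailboxOwnerUPN"].lower()
        if actor == owner:
            continue  # reading your own mailbox over EWS is ordinary client traffic
        by_actor[actor].append((datetime.fromisoformat(e["CreationTime"]), owner))

    alerts = {}
    for actor, accesses in by_actor.items():
        accesses.sort()
        in_window = defaultdict(int)  # mailbox -> number of reads inside the sliding window
        start = 0
        for t, owner in accesses:
            in_window[owner] += 1
            while accesses[start][0] < t - window:      # evict reads that fell out of the window
                old = accesses[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_mailboxes:
                hit = alerts.setdefault(actor, {"first_triggered": t.isoformat(), "mailboxes": set()})
                hit["mailboxes"].update(in_window)

    for hit in alerts.values():
        hit["mailboxes"] = sorted(hit["mailboxes"])
        hit["high_value"] = sorted(set(hit["mailboxes"]) & HIGH_VALUE)
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_ews_mailbox_sweeps(SAMPLE_EVENTS), indent=2))
```

The rule deliberately ignores EWS reads of the caller's own mailbox and non-EWS clients, so ordinary Outlook and OWA traffic does not trigger it; the real signal is the combination of a privileged or service account, EWS, several other people's mailboxes, and a short time span. Widening the window (see the test) catches slower sweeps at the cost of more delegate false positives.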
While UNC3524's tactics overlap with those previously used by Russian state-sponsored threat groups, Mandiant has not conclusively attributed its activity to any of them.
The Gold Melody cybercrime operation, also tracked as UNC961 and Prophet Spider, is an initial access broker that sells access to compromised networks to other attackers, Secureworks Counter Threat Unit researchers have found, according to The Hacker News.