Microsoft Exchange servers in Europe and Asia have been attacked by the new ToddyCat advanced persistent threat group since December 2020, in an operation that spreads the Samurai backdoor and the novel Ninja Trojan, which have allowed system takeovers and lateral movement within networks, reports BleepingComputer.
ToddyCat had begun leveraging ProxyLogon vulnerabilities to deploy the China Chopper web shell on unpatched Microsoft Exchange servers before targeting numerous European and Asian organizations with vulnerable servers starting in February 2021, with government and military organizations making up most of the group's targets, according to a report from Kaspersky's Global Research & Analysis Team.
"We suspect that this group started exploiting the Microsoft Exchange vulnerability in December 2020, but unfortunately, we don't have sufficient information to confirm the hypothesis. In any case, it's worth noting that all the targeted machines infected between December and February were Microsoft Windows Exchange servers; the attackers compromised the servers with an unknown exploit, with the rest of the attack chain the same as that used in March," wrote researcher Giampaolo Dedola.
The report also noted overlaps between ToddyCat and other Chinese-speaking APTs, including one leveraging the FunnyDream backdoor, but there has been no evidence suggesting direct interaction between the different malware families.