Microsoft Exchange servers attacked with IceApple exploit toolset

BleepingComputer reports that threat actors have been deploying the "highly sophisticated" IceApple post-exploitation framework on Microsoft Exchange Servers. Internet Information Services web applications could also be targeted by IceApple, which features 18 or more dedicated modules for device identification, file deletion, and credential exfiltration, according to a report from CrowdStrike's OverWatch team. Attackers behind IceApple were found to have extensive knowledge regarding IIS software based on examined modules and have been suspected by researchers to be sympathetic to China. Further examination of IceApple's modules revealed that the framework bypasses detection through in-memory operation of modules, as well as the creation of assembly files seemingly produced by the IIS web server. "At first glance they appear to be expected IIS temporary files generated as part of the process of converting ASPX source files into .NET assemblies for IIS to load," researchers added. Organizations have been urged by CrowdStrike to promptly apply the newest web application patches to defend against IceApple.