Researchers linked a new APT group, tracked as ToddyCat, to a series of attacks targeting entities in Europe and Asia since at least December 2020.
Researchers from Kaspersky have linked a new APT group, tracked as ToddyCat, to a series of attacks aimed at high-profile entities in Europe and Asia since at least December 2020.
The threat actors initially launched a cyber espionage campaign against entities in Taiwan and Vietnam; in that campaign the APT was observed targeting Microsoft Exchange servers with a zero-day exploit.
The attackers leveraged the exploit to deploy the China Chopper web shell on the target systems, malicious code commonly used by China-linked threat actors. This tool allows threat actors to install PHP, ASP, ASPX, JSP, and CFM web shells (backdoors) on publicly exposed web servers. Once the China Chopper web shell is installed, the attackers gain full access to the remote server through the exposed website. ToddyCat used the web shell to start a multi-stage attack chain that involved the Samurai backdoor and the ‘Ninja
According to security researchers, LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely exploiting new Microsoft Exchange vulnerabilities to hack email servers worldwide.
Microsoft published out-of-band updates for Microsoft Exchange Server 2013, 2016, and 2019 on March 3, 2021. These security updates addressed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that enables an attacker to gain control of any reachable Exchange server, even without valid account credentials. As of the time of writing, we have already discovered webshells on more than 5,000 email servers. According to public sources, several prominent institutions, like the European Banking Authority, were affected by this attack.
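The web shells described above are files with a server-side script extension (PHP, ASP, ASPX, JSP, CFM) that appear on the server after the exploit. A simple first-pass sweep a defender can run over an Exchange web root is shown below; this is an added example, not code from the article or from any of the vendors it cites. The web root, the cutoff date and the sample files are constructed for the demonstration, and the regex is a deliberately generic "eval of request data" pattern, not a substitute for a maintained YARA rule set.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types the article says China Chopper can drop as web shells.
WEBSHELL_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".cfm"}

# Generic "evaluate attacker-supplied request data" construct shared by
# one-line web shells (constructed for this example; extend as needed).
SUSPICIOUS_CODE = re.compile(
    r"eval\s*\(\s*(Request|\$_(GET|POST|REQUEST))", re.IGNORECASE
)

def find_suspicious_webshells(web_root, written_after):
    """Return sorted relative paths under web_root that carry a web-shell
    extension, were modified after `written_after` (an aware datetime,
    e.g. the last known-good deployment), and match SUSPICIOUS_CODE."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEBSHELL_EXTENSIONS:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime <= written_after:
            continue  # older than the baseline: not a fresh drop
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if SUSPICIOUS_CODE.search(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def build_demo_root():
    """Create a constructed sample web root: one benign page, one file
    shaped like a dropped shell, one non-script file. Returns (root, cutoff)."""
    root = Path(tempfile.mkdtemp())
    cutoff = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed baseline
    (root / "owa").mkdir()
    (root / "owa" / "logon.aspx").write_text('<%@ Page Language="C#" %><p>login</p>')
    (root / "owa" / "auth.aspx").write_text('<% eval(Request["p"]) %>')  # constructed fixture
    (root / "notes.txt").write_text("eval(Request) in a non-script file is ignored")
    return str(root), cutoff

if __name__ == "__main__":
    demo_root, demo_cutoff = build_demo_root()
    for hit in find_suspicious_webshells(demo_root, demo_cutoff):
        print("review:", hit)
```

On a real server, set `written_after` to the last legitimate deployment time and treat every hit as a file to examine, not as a confirmed compromise.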
Orange Tsai, a renowned vulnerability researcher, found and reported these vulnerabilities to Microsoft on 2021-01-05. Nevertheless, a Volexity blog post indicates that in-the-wild exploitation began on January 3, 2021. Consequently, assuming these dates are accurate, either the vulnerabilities were identified independently by two separate vulnerability research teams, or information about them was obtained by a malicious party. Microsoft also published a blog post regarding Hafnium's early activity.
On February 28, 2021, we discovered that other threat actors had exploited the vulnerabilities: first Tick, quickly followed by LuckyMouse, Calypso, and the Winnti Group. This shows that several threat actors had access to the specifics of the vulnerabilities before the patch was released, ruling out the notion that they reverse-engineered Microsoft's patches to build an exploit.
The day after the patch was released, we began to observe an increase in the number of threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse. Intriguingly, they are all APT groups focused on espionage, with the exception of DLTMiner, which is associated with a well-known cryptomining campaign.