Espionage comes in many forms. For the advanced persistent threat (APT) group that security company Mandiant has dubbed “UNC3524”, the objective is to collect emails dealing with corporate development, mergers and acquisitions, and corporate transactions. UNC3524 was first discovered in December 2019 and has been tracked since then. The group’s corporate targets and interest in M&A plans point to financial motivation; however, its ability to linger in a target environment while collecting emails also supports intelligence-gathering objectives. Reports show that the group has been able to operate undetected in victim environments for over 18 months.
Researchers credit the group’s success at achieving such a long dwell time to its use of a novel backdoor, “QuietExit”, which is deployed on network appliances that do not support antivirus or endpoint detection, such as storage arrays, load balancers and wireless access point controllers. These devices often run older versions of BSD or CentOS, and compiling functional malware for them would require considerable planning. The experts pointed out that these systems are not protected by security solutions.
QuietExit is built on the open-source Dropbear SSH client-server software. QuietExit’s backdoor command-and-control servers are part of a botnet built by compromising D-Link and LifeSize conference room camera systems. Researchers speculate that access to the cameras can be attributed to the use of default credentials rather than the exploitation of vulnerabilities. The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things device botnet set this group apart and emphasize the ‘advanced’ in advanced persistent threat.
If UNC3524’s access was removed from a victim’s environment, the threat actor quickly regained access and immediately restarted its data theft campaign. The malware can be configured to connect to a hard-coded C2 server, and if that connection fails, a connection to a backup C2 server can be attempted. Research shows that UNC3524 has also installed a secondary backdoor as a means of alternate access: the reGeorg web shell deployed on DMZ web servers to create a SOCKS proxy. The primary use of this secondary backdoor is to re-establish QuietExit connections. While reGeorg is publicly known, UNC3524 uses a heavily obfuscated version to bypass the signature-based detections used to identify reGeorg.
In addition to focusing on corporate development and mergers and acquisitions, the threat actor focuses on IT security staff as a means to determine whether its operation has been detected.
Researchers have noted overlapping techniques between UNC3524 and known Russian cyber-espionage groups, including APT28 (“Fancy Bear”) and APT29 (“Cozy Bear”), but stated that they could not definitively connect the threat actor to any of those groups. The compromised devices UNC3524 uses are often the most insecure and unmonitored in a victim environment, so administrators should rely on their logs to spot unusual activity. UNC3524 has been observed hijacking applications and enabling the backdoor to execute on system startup. The threat actor takes great care to remain undetected, renaming files to match the target directory and using timestomping to ensure that the timestamps of the reGeorg shell match those of other files in the directory.
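The timestomping described above blends a web shell's modification time in with its neighbours, but on Linux and BSD the inode change time (ctime) is set by the kernel whenever metadata is rewritten and cannot be set from user space, so a file whose ctime is far newer than its mtime is worth a look. The following triage check is an added example and not Mandiant's or Red Sky Alliance's code; the web root paths and timestamps are constructed, and the check assumes Unix ctime semantics (on Windows `st_ctime` is the creation time and this logic does not apply).

```python
"""Flag files whose mtime was apparently set backwards: on Unix the
kernel-maintained ctime still records when the file was last written."""
import os
from dataclasses import dataclass
from typing import Iterable


@dataclass
class FileTimes:
    path: str
    mtime: float  # last content modification; user-settable via utimes()/touch -r
    ctime: float  # last inode change; set by the kernel, not settable from userland


def timestomp_candidates(files: Iterable[FileTimes], gap_seconds: float = 86400) -> list[str]:
    """Return paths where ctime is more than gap_seconds newer than mtime.

    Legitimate causes exist (package upgrades, chmod/chown sweeps), so treat
    the result as a triage list for a DMZ web root, not as a verdict."""
    return [f.path for f in files if f.ctime - f.mtime > gap_seconds]


def scan_webroot(root: str, gap_seconds: float = 86400) -> list[str]:
    """Collect mtime/ctime for every regular file under root and apply the check."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            found.append(FileTimes(path, st.st_mtime, st.st_ctime))
    return timestomp_candidates(found, gap_seconds)


# Constructed sample: an application last deployed on 2021-01-15 (all ctimes a
# few seconds after mtime), plus one file whose mtime matches the deployment
# but whose ctime shows it was actually written about a year later.
DEPLOY = 1610668800.0  # 2021-01-15 00:00:00 UTC, constructed value
SAMPLE = [
    FileTimes("/var/www/app/index.php", DEPLOY, DEPLOY + 5),
    FileTimes("/var/www/app/config.php", DEPLOY, DEPLOY + 5),
    FileTimes("/var/www/app/cache_handler.php", DEPLOY, DEPLOY + 365 * 86400),
]

if __name__ == "__main__":
    for path in timestomp_candidates(SAMPLE):
        print("possible timestomping:", path)
```

Run `scan_webroot("/var/www")` on a host to apply the same check to real files; the threshold should be widened on systems with frequent legitimate metadata changes.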
Researchers have only observed APT29 performing SPN credential addition; this technique has been publicly reported since early 2019. The NSA has previously reported automated password spraying using Kubernetes, Exchange exploitation, and reGeorg as associated with APT28. While the activity reported by the NSA used Tor and commercial VPNs, UNC3524 primarily used compromised internet-facing devices. One interesting aspect of UNC3524’s use of reGeorg was that it matched identically the version publicly reported by the NSA as used by APT28.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings