New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions


The Hacker News

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.

“The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the ‘advanced’ in Advanced Persistent Threat,” the threat intelligence firm said in a Monday report.

The initial access route is unknown, but once a foothold is gained, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT that provides persistent remote access, in some cases undetected for as long as 18 months.

What’s more, the command-and-control domains — a botnet of internet-exposed IP camera devices, likely with default credentials — are designed to blend in with legitimate traffic originating from the infected endpoints, suggesting attempts on the part of the threat actor to stay under the radar.

“UNC3524 also takes persistence seriously,” Mandiant researchers pointed out. “Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign.”

The threat actor also installs a secondary implant, a web shell, as an alternate means of access should QUIETEXIT stop functioning and as a way to propagate the primary backdoor to other systems in the network.

The information-gathering mission, in its final stage, entails obtaining privileged credentials to the victim’s mail environment, using it to target the mailboxes of executive teams that work in corporate development.

“UNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment,” Mandiant said. “Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools.”
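As an added illustration of that recommendation (example code, not from the Mandiant report or this article), the script below cross-references a constructed network-wide asset list against the hosts that actually report to monitoring, then flags unmonitored devices that hold outbound sessions to external addresses. All hostnames, addresses and flow records are constructed placeholders.

```python
"""Added example: find devices on the network that no monitoring tool sees,
and among those, the ones talking to external addresses. All data is
constructed sample input, not real observations."""
import ipaddress
from collections import defaultdict

# Constructed: every address seen on the network (e.g. DHCP leases / ARP table).
ASSETS = {
    "10.0.1.10": "finance-laptop-07",
    "10.0.1.11": "exec-desktop-02",
    "10.0.9.5": "lb-appliance-01",
    "10.0.9.6": "san-controller-01",
}
# Constructed: hosts enrolled in / reporting to the monitoring stack.
MONITORED = {"10.0.1.10", "10.0.1.11"}

# Constructed flow records: (source, destination).
FLOWS = [
    ("10.0.1.10", "10.0.1.11"),
    ("10.0.9.5", "203.0.113.40"),
    ("10.0.9.6", "10.0.1.11"),
    ("10.0.9.5", "198.51.100.7"),
]

# Assumed internal ranges (RFC 1918); anything outside counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def unmonitored_assets(assets, monitored):
    """Devices on the network that no monitoring tool can see."""
    return {ip: name for ip, name in assets.items() if ip not in monitored}

def external_sessions(flows, assets):
    """Map each internal source to the external destinations it reached."""
    out = defaultdict(set)
    for src, dst in flows:
        if src in assets and is_external(dst):
            out[src].add(dst)
    return out

def findings(assets, monitored, flows):
    """Unmonitored devices that also hold sessions to external addresses."""
    blind = unmonitored_assets(assets, monitored)
    ext = external_sessions(flows, assets)
    return sorted((ip, blind[ip], sorted(ext[ip])) for ip in blind if ip in ext)

if __name__ == "__main__":
    for ip, name, dsts in findings(ASSETS, MONITORED, FLOWS):
        print(f"{name} ({ip}) is unmonitored and reaches {', '.join(dsts)}")
```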
