UNC3524 APT uses IP cameras to deploy backdoors and target Exchange

Pierluigi Paganini May 03, 2022

A new APT group, tracked as UNC3524, uses IP cameras to deploy backdoors and steal Microsoft Exchange emails.

Mandiant researchers discovered a new APT group, tracked as UNC3524, that heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. 

Once gained initial access to the target systems, UNC3524 deployed a previously unknown backdoor tracked by Mandiant researchers as QUIETEXIT. The QUIETEXIT backdoor borrows the code from the open-source Dropbear SSH client-server software. The threat actors deployed QUIETEXIT on network appliances within the target network, including load balancers and wireless access point controllers.

These devices often run older versions of BSD or CentOS and would require considerable planning to compile functional malware for them. The experts pointed out that these systems are not protected by security solutions, for this reason, the attackers remain undetected in victim environments for at least 18 months.

By targeting trusted systems within victim environments that do not support any type of security tooling, UNC3524 was able to remain undetected in victim environments for at least 18 months.

“UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign. We are sharing the tools, tactics, and procedures used by UNC3524 to help organizations hunt for and protect against their operations.” reads the analysis published by Mandiant.

QUIETEXIT doesn’t support persistence mechanisms, the UNC3524 attackers install a run command (rc) as well as hijack legitimate application-specific startup scripts to execute the backdoor on system startup.

unc3524 IP cameras

In some cases, UNC3524 was observed deploying the reGeorg web shell on DMZ web servers to create a SOCKS proxy.

Experts pointed out that the UNC3524’s TTPs observed by Mandiant overlapped with ones associated with Russia-linked APT groups, including APT28 and APT29.

“Mandiant has only observed APT29 performing SPN credential addition; however, this technique has been reported on publicly since early 2019. The NSA has previously reported automated password spraying using Kubernetes, Exchange Exploitation, and REGEORG as associated with APT28. While the activity reported by the NSA used TOR and commercial VPNs, UNC3524 primarily used compromised internet facing devices.” concludes the analysis that also includes indicators of compromise (IoCs) and Yara rules. “One interesting aspect of UNC3524’s use of REGEORG was that it matched identically with the version publicly reported by the NSA as used by APT28. At the time of writing, Mandiant cannot conclusively link UNC3524 to an existing group currently tracked by Mandiant.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UNC3524)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment