Cyberespionage group exploiting network and IoT blind spots
Researchers with Mandiant have uncovered a new espionage-focused hacking operation that takes advantage of IoT and networking gear that security tools don't cover.
A newly uncovered cyberespionage operation is taking advantage of exposed systems that most antimalware and threat detection tools can't protect.
The research team at Mandiant discovered a hacking crew, designated UNC3524, that appears to be acting on behalf of espionage interests by infiltrating networks and eavesdropping on email communications for an extended period of time.
"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," Mandiant researchers wrote in a blog post Monday.
"UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign."
What makes the hackers unique, Mandiant said, is the specific devices that they target to gain a foothold on networks. In particular, the crew likes to exploit exposed IoT devices such as webcams and network appliances like SAN arrays and load balancers.
"The threat actor evaded detection by operating from devices in the victim environment's blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes," the blog post said. "These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in."
Unlike servers and PCs that are constantly monitored by security tools such as antimalware software and endpoint detection and response products, some IoT devices and network appliances are not carefully monitored. What's worse, many of the devices operate on old and obscure Linux builds or proprietary closed-source operating systems that are difficult to patch and maintain.
UNC3524 seized on this blind spot to use the devices as a base of operations. Once compromised, the exposed system would be used to move laterally on the network to other servers and PCs via hard-to-detect tunneled connections with the end goal being the collection of account credentials for email services, both on-premises and cloud-based.
"The threat actor's use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection," noted the Mandiant team. "This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months."
The blog post noted UNC3524 also used vulnerable conference room cameras, primarily from LifeSize Inc., to create an IoT botnet that served as the backbone of the QUIETEXIT backdoor. Mandiant researchers speculated that the cameras were directly exposed to the internet and most likely compromised through default credentials.
The email accounts were then tapped to collect information on major corporate mergers or financial reports. Mandiant noted that while that sort of inside information would seem to be more indicative of a financial hacking scheme, the extended amount of time the attackers spent on victims' networks makes it more likely that the operation has the backing of a government intelligence agency.
While Mandiant researchers noted similarities in techniques between UNC3524 and multiple known Russian cyberespionage groups, they could not definitively connect the threat actor to any of those groups.
Because the hackers focused on devices that many antimalware and monitoring tools do not cover, Mandiant recommended that administrators instead rely on network and system logs to spot unusual activity. Additionally, admins can flag SSH traffic that does not use the standard port 22.
"This traffic should be relatively small, and any findings should be investigated," the researchers explained. "Organizations can also look for outbound SSH traffic originating from IP addresses that are unknown or not in asset management systems."
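The two hunting heuristics above (SSH on a port other than 22, and outbound SSH from a source that is not in the asset inventory) can be run over connection logs with a few lines of code. The following is an added example, not code from Mandiant or from the article; the log format, the IP addresses, the asset inventory and the internal address range are all constructed for the example. It assumes the flow sensor identifies the application protocol by inspecting the traffic (the `service` field) rather than by port, since a port-based label would by definition never show SSH on port 8443.

```python
"""Hunt for SSH connections that match two heuristics from the article:
SSH on a port other than 22, and outbound SSH from a host that is not in
the asset inventory. Log format, addresses and inventory are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, one connection per line, fields separated by '|':
# timestamp|src_ip|dst_ip|dst_port|service
# 'service' is the protocol as identified by the sensor, independent of port.
SAMPLE_LOG = """\
2022-05-02T08:01:10Z|10.20.30.15|10.20.30.40|22|ssh
2022-05-02T08:02:44Z|10.20.30.15|203.0.113.9|443|ssl
2022-05-02T08:03:01Z|10.20.30.77|10.20.30.40|8443|ssh
2022-05-02T08:04:59Z|10.20.31.5|198.51.100.23|22|ssh
2022-05-02T08:05:30Z|10.20.30.77|198.51.100.23|8443|ssh
2022-05-02T08:06:12Z|10.20.30.15|198.51.100.77|22|ssh
"""

# Constructed asset inventory: hosts the organisation knows it owns and manages.
# 10.20.30.77 stands in for an unmanaged appliance and is deliberately absent.
ASSET_INVENTORY = {"10.20.30.15", "10.20.30.40", "10.20.31.5"}

# Address space treated as internal; a destination outside it is "outbound".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Split one log record into (ts, src_ip, dst_ip, dst_port, service)."""
    ts, src, dst, port, service = line.strip().split("|")
    return ts, src, dst, int(port), service


def hunt_ssh(log_text: str, inventory: set) -> list:
    """Return a Finding for every SSH connection matching either heuristic."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, service = parse_line(line)
        if service != "ssh":
            continue
        # Heuristic 1: SSH that is not on the standard port.
        if port != 22:
            findings.append(Finding(ts, src, dst, port, "ssh-on-nonstandard-port"))
        # Heuristic 2: outbound SSH from a source the inventory does not know.
        if not is_internal(dst) and src not in inventory:
            findings.append(Finding(ts, src, dst, port, "outbound-ssh-from-unknown-source"))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per (source IP, reason) so noisy hosts surface first."""
    return Counter((f.src_ip, f.reason) for f in findings)


if __name__ == "__main__":
    results = hunt_ssh(SAMPLE_LOG, ASSET_INVENTORY)
    for f in results:
        print(f"{f.ts} {f.src_ip} -> {f.dst_ip}:{f.dst_port} [{f.reason}]")
    print(summarize(results))
```

On the constructed sample, the managed host 10.20.31.5 making an outbound SSH connection on port 22 produces no finding, while the unmanaged 10.20.30.77 is flagged three times; that is the point of combining the two checks with an inventory, since raw SSH volume is ordinary but SSH from a device nobody owns is not.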