‘DeadRinger’ Targeted Exchange Servers Long Before Discovery
Quote:Threat actors linked to China exploited the notorious Microsoft Exchange ProxyLogon vulnerabilities long before they were publicly disclosed, in attacks against telecommunications companies aimed at stealing sensitive customer data and maintaining network persistence, researchers have found.
 
Researchers from Cybereason have been tracking multiple cyberespionage campaigns – collectively dubbed “DeadRinger” – since 2017, reporting initially on findings that a Chinese threat group dubbed SoftCell was targeting billing servers to steal call records from telecoms in Africa, the Middle East, Europe and Asia in 2019.
 
A report released Tuesday builds upon this research, identifying two new threat groups – Naikon APT and Group-3390 – that also appear to be working for China’s regime to compromise billing servers to steal telco call records as well as maintain persistent access to their networks through other core components, according to the report.
 
The report also discloses that SoftCell targeted a set of Microsoft Exchange vulnerabilities collectively known as ProxyLogon “long before they became publicly known,” researchers wrote. These vulnerabilities spurred a frenzy of attacks earlier this year before Microsoft mitigations and patches began to take effect.
 
Indeed, threat actors used similar tactics to those exposed recently in the Hafnium zero-day attacks – which were recently blamed on China and condemned by the White House – that exploited ProxyLogon vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks, according to the report.
 
Overall, the attacks show an aggressive assault by China on the security of critical infrastructure that – similarly to the SolarWinds and Kaseya attacks – compromise third-party service providers to ultimately attack their customers while undermining those trust relationships and causing other collateral damage, Cybereason CEO and co-founder Lior Div said.
 
“These state-sponsored espionage operations not only negatively impact the telecoms’ customers and business partners, they also have the potential to threaten the national security of countries in the region and those who have a vested interest in the region’s stability,” he said in a press statement.

Read more: ‘DeadRinger’ Targeted Exchange Servers Long Before Discovery | Threatpost
Messages In This Thread
‘DeadRinger’ Targeted Exchange Servers Long Before Discovery - by silversurfer - 04 August 21, 13:18
