Wednesday, May 31, 2023
  • Events
  • Interviews
  • Jobs
  • Opinion
  • Whitepapers
  • Podcasts
  • Web Hosting Directory
  • Login
  • Register
Cloud7
  • Cloud Computing
  • Web Hosting
  • Data Center
  • Linux
  • Cybersecurity
  • More
    • Software
    • Network/Internet
    • Hardware
    • Artificial Intelligence
    • Windows
    • Policy/Legislation
    • Blockchain
    • Troubleshooting
    • How-Tos
    • Articles
No Result
View All Result
Cloud7
  • Cloud Computing
  • Web Hosting
  • Data Center
  • Linux
  • Cybersecurity
  • More
    • Software
    • Network/Internet
    • Hardware
    • Artificial Intelligence
    • Windows
    • Policy/Legislation
    • Blockchain
    • Troubleshooting
    • How-Tos
    • Articles
No Result
View All Result
Cloud7
No Result
View All Result

Home > Cybersecurity > ToddyCat targeting vulnerable Microsoft Exchange servers

ToddyCat targeting vulnerable Microsoft Exchange servers

Multiple cyber security firms confirmed that advanced persistent threat actors are attacking government and military entities.


Erdem Yasar Erdem Yasar
June 22, 2022
4 min read

The advanced persistent threat actor ToddyCay is still targeting Microsoft Exchange servers for over a year now, according to various cyber security firms. The pre-authentication remote code execution vulnerability chain tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, was patched by Microsoft in March of 2021. The vulnerability allowed attackers to take over Exchange servers without even known account credentials. Shortly after the patches were released, threat actors started scanning servers en masse.

Government and military entities

Kaspersky published a post about the threat actor and stated that the first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai backdoor, that usually works on ports 80 and 443. Since its first appearance, ToddyCat has continued its intense activity, especially in Asia. Kaspersky also stated that they discovered many other variants in Asia. Kaspersky also discovered other waves of attacks against infected desktop machines by sending the malicious loaders via Telegram. Kaspersky said,

« ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile. During our investigations we discovered dozens of samples, but despite the number of files and the duration of their activities, we were unable to attribute the attacks to a known group; and there is also quite a bit of technical information about the operations that we don’t have. »

The research showed that the hacker group is targeting high-profile organizations, such as government and military entities and military contractors. ESET stated that they have identified more than 10 different threat actors targeting the vulnerability. They also found webshells in Offline Address Book configuration files. Some threat actors might have hijacked the webshells dropped by other groups. Some of the attacks ESET discovered are:

  • On 2021-02-28, Tick (also known as Bronze Butler) compromised the webserver of a company based in East Asia that provides IT services.
  • On 2021-03-01, LuckyMouse compromised the email server of a governmental entity in the Middle East, which means this APT group likely had access to the exploit at least one day before the patch release, when it was still a zero-day.
  • On 2021-03-01, Calypso compromised the email servers of governmental entities in the Middle East and in South America, which means the group likely had access to the exploit as a zero-day
  • Starting 2021-03-01, ESET researchers observed a new cluster of activity we have named Websiic, targeting seven email servers belonging to private companies in Asia and a governmental body in Eastern Europe.
  • Starting 2021-03-02, a few hours before Microsoft released the patch, the Winnti Group (also known as BARIUM or APT41) compromised the email servers of an oil company and a construction equipment company both based in East Asia.
  • On 2021-03-03, Tonto Team (also known as CactusPete) compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.
  • Starting 2021-03-03, we observed the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East where ShadowPad was dropped by the attacker.
  • On 2021-03-03 at 04:23 AM UTC, just a few hours after the patch was released, we noticed that another set of malicious activities had started.
  • Starting 2021-03-03, we observed that on four email servers located in Asia and South America, webshells were used to install so-called IIS backdoors.
  • On 2021-03-04, the Mikroceen APT group compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets.
  • Starting 2021-03-05 at 02:53 AM UTC, we detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using these Exchange vulnerabilities.

ESET also said,

« Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.

It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it. »

See more Cybersecurity News

A comprehensive guide to understanding Cybersecurity: What is Cybersecurity?


Tags: ESETKasperskyMicrosoft
Erdem Yasar

Erdem Yasar

Erdem Yasar is a news editor at Cloud7. Erdem started his career by writing video game reviews in 2007 for PC World magazine while he was studying computer engineering. In the following years, he focused on software development with various programming languages. After his graduation, he continued to work as an editor for several major tech-related websites and magazines. During the 2010s, Erdem Yasar shifted his focus to cloud computing, hosting, and data centers as they were becoming more popular topics in the tech industry. Erdem Yasar also worked with various industry-leading tech companies as a content creator by writing blog posts and other articles. Prior to his role at Cloud7, Erdem was the managing editor of T3 Magazine.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Next Post
iXsystems introduces second major update of TrueNAS SCALE

iXsystems introduces second major update of TrueNAS SCALE

Related News

ChatGPT brings concerns about cybersecurity and search engine rankings

ChatGPT brings concerns about cybersecurity and search engine rankings

May 5, 2023 6:00 pm
Ransomware: Paying the price twice

Ransomware: Paying the price twice

May 5, 2023 4:00 pm
CISA adds 3 more vulnerabilities to its catalogue

CISA adds 3 more vulnerabilities to its catalogue

May 2, 2023 4:20 pm
FIN7 attacks vulnerable Veeam servers

FIN7 attacks vulnerable Veeam servers

May 1, 2023 5:31 pm
Get free daily newsletters from Cloud7 Get the Cloud7 Newsletter
Select list(s):

Check your inbox or spam folder to confirm your subscription.

By subscribing, you agree to our
Copyright Policy and Privacy Policy

Editor's Choice

10 best web hosting services

7 best shared hosting service providers

7 best Linux distros for beginners

7 best Linux distros for gaming

7 best cloud storage services for business

7 best Linux desktop environments

Farewell and gratitude: The journey ends for Cloud7

Get the free newsletter

Subscribe to receive the latest IT business updates straight to your inbox.

Select list(s):

Check your inbox or spam folder to confirm your subscription.

Recent News

  • Farewell and gratitude: The journey ends for Cloud7
  • Gcore Partners with Pienso
  • LibreOffice 7.4.7 is now available for download
  • AI-powered automatic time tracking (Podcast #20 w/ Catalina Butnaru)
  • Best file managers for Linux
  • EuroLinux 9.2 is now available for download
  • X3D, or not X3D, that is the question

Cloud7 News
Cloud7 is a news source that publishes the latest news, reviews, comparisons, opinions, and exclusive interviews to help tech users of high-experience levels in the IT industry.

EXPLORE

  • Web Hosting
  • Cloud Computing
  • Data Center
  • Cybersecurity
  • Linux
  • Network/Internet
  • Software
  • Hardware
  • Artificial Intelligence
  • How-Tos
  • Troubleshooting

RESOURCES

  • Events
  • Interviews
  • Jobs
  • Opinion
  • Whitepapers
  • Podcasts
  • Web Hosting Directory

Get the Cloud7 Newsletter

Get FREE daily newsletters from Cloud7 delivering the latest news and reviews.

  • About Us
  • Privacy & Policy
  • Copyright Policy
  • Contact Us

© 2023, Cloud7. All rights reserved.

No Result
View All Result
  • Cloud Computing
  • Web Hosting
  • Data Center
  • Linux
  • Cybersecurity
  • More
    • Software
    • Network/Internet
    • Hardware
    • Artificial Intelligence
    • Windows
    • Policy/Legislation
    • Blockchain
    • Troubleshooting
    • How-Tos
    • Articles
  • Events
  • Interviews
  • Jobs
  • Opinion
  • Whitepapers
  • Podcasts
  • Web Hosting Directory

© 2023, Cloud7. All rights reserved.

Welcome Back!

Sign In with Facebook
Sign In with Google
Sign In with Linked In
OR

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Sign Up with Facebook
Sign Up with Google
Sign Up with Linked In
OR

Fill the forms below to register

*By registering into our website, you agree to the Terms & Conditions and Privacy Policy.
All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.