Application Security

5/7/2019 08:00 AM
Russian Nation-State Group Employs Custom Backdoor for Microsoft Exchange Server

Turla hacking team abuses a legitimate feature of the Exchange server in order to hide out and access all of the target organization's messages.

A well-known Russian nation-state hacking group has been infiltrating the Microsoft Exchange email servers of its targeted victims since at least 2014 via a custom backdoor. 

Researchers at ESET say the so-called Turla group, aka Snake, has been hacking into victims' Microsoft Exchange servers and planting its sophisticated LightNeuron backdoor malware for cyber espionage purposes. Turla accesses the email systems by abusing Exchange Server's legitimate Transport Agent feature, which lets other software from Microsoft as well as third parties operate with Exchange, including spam-filtering tools. The feature lets these other applications process email messages coming and going from Exchange.

The LightNeuron backdoor for Exchange specifically allows Turla attackers to read and modify email messages, create and send their own messages, and block messages to users at the victim organization, ESET said in new research it revealed today. Turla previously had been seen targeting Outlook email clients, an attack method ESET detailed last August.

Matthieu Faou, a malware researcher with ESET, says he believes this is the first case of malware specifically targeting Exchange servers. "It's really similar to the Outlook backdoor, but it has access to all emails of the [victim] organization. It's focused on the main email server," he says.

And by employing Exchange's Transport Agent, the attackers can blend into the email environment. "This feature is something generally used by security products, such as anti-spam, to integrate into Microsoft Exchange," Faou says.

Turla's LightNeuron backdoor also operates a rare command-and-control method that uses email JPEG and PDF attachments to transport the commands - hidden within the attachments using steganography. "The attacker sends an email with the JPEG and PDF, and the content is decoded and decrypted by LightNeuron on the main Exchange server," Faou explains.

ESET found three victims of the LightNeuron attacks: a ministry of foreign affairs in Eastern Europe, a diplomatic organization in the Middle East, and an unidentified organization in Brazil. The Brazilian victim was discovered via a sample uploaded to VirusTotal, according to ESET's new report on the newly found Turla operation.

The victims were "the regular, usual targets" of Turla - diplomatic entities, Faou says.

Turla installs LightNeuron with a PowerShell script called msinp.ps1 and also deploys a remote administration tool called IntelliAdmin; both were discovered on victim machines, according to ESET.

Security researchers at Kaspersky Lab have seen similar Exchange Server attacks and steganography-masked C2 activity by Turla, according to Kurt Baumgartner, a security researcher with Kaspersky. "They are active," he says, noting that Kaspersky Lab has previously written about the latest twist in Turla attacks in private reports to clients. "Their technical capabilities are impressive and they are really well-resourced ... They are a top-tier APT." 

No Patch
And like other so-called "living-off-the-land"-style attacks that abuse legitimate tools and software in a victim organization, there's no software patch to prevent a LightNeuron backdoor attack. ESET's Faou says Microsoft could add some measures, such as enforcing a digital signature on a Transport Agent, to ensure its legitimacy. But if an attacker steals the Exchange server's admin privileges, there's not much that even more layers of security for Exchange can do, he says.

"It's not really a vulnerability. They are using legitimate functionality [of Exchange]," he says.

Microsoft was not available for comment at the time of this posting.

If an organization gets hit with Turla's LightNeuron, recovery is complicated. "Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails. Before actually removing the files, the malicious Transport Agent should be disabled," ESET warned in its report on the attacks.

The problem, Faou says, is that Transport Agent is registered in the configuration of the server, so even if LightNeuron gets removed, Exchange will try to load it. "If it's unable to load the Transport Agent, it will totally break the main server so you cannot send or receive emails anymore," he says. "You need to administer Transport Agent properly before removing the files." ESET details the proper removal process in a whitepaper it also published today.
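The safe order ESET describes (unregister the agent in Exchange's configuration first, then delete its files) can be scripted so the transport service never tries to load a missing assembly. The following is an added example written for this page, not ESET's whitepaper procedure or anything LightNeuron-specific; it uses the stock Exchange Management Shell cmdlets Get-TransportAgent, Disable-TransportAgent and Uninstall-TransportAgent, and the agent identity and evidence directory are placeholders you would take from your own investigation.

```powershell
# Added example (not from ESET's report or the article): remove a suspicious
# Transport Agent in the order that keeps Exchange mail flow intact, that is
# disable and unregister it in Exchange's configuration, restart transport,
# and only then delete the assembly. Run from the Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)]
    [string]$AgentIdentity,                 # placeholder: the name shown by Get-TransportAgent
    [string]$EvidenceDir = "C:\IR\evidence"  # placeholder: where preserved copies go
)

$agent = Get-TransportAgent -Identity $AgentIdentity -ErrorAction Stop
Write-Host "Agent: $($agent.Identity)  Enabled: $($agent.Enabled)  Assembly: $($agent.AssemblyPath)"

# 1. Preserve the assembly and its hash for forensics before anything is removed.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
Copy-Item -Path $agent.AssemblyPath -Destination $EvidenceDir -Force
Get-FileHash -Algorithm SHA256 -Path $agent.AssemblyPath |
    Export-Csv -Path (Join-Path $EvidenceDir "transport-agent-hashes.csv") -NoTypeInformation -Append

# 2. Disable the agent, then remove its registration from the Exchange configuration.
#    This is the step that must happen before the files go away.
Disable-TransportAgent -Identity $AgentIdentity -Confirm:$false
Uninstall-TransportAgent -Identity $AgentIdentity -Confirm:$false

# 3. Restart the transport service so it reloads its agent list without the entry.
Restart-Service MSExchangeTransport

# 4. Confirm the agent is gone and transport is healthy before touching the file.
if (Get-TransportAgent | Where-Object { $_.Identity -eq $AgentIdentity }) {
    throw "Agent '$AgentIdentity' is still registered; do not delete its files yet."
}
if ((Get-Service MSExchangeTransport).Status -ne 'Running') {
    throw "MSExchangeTransport is not running; investigate before deleting files."
}

# 5. Now it is safe to delete the assembly Exchange used to load.
Remove-Item -Path $agent.AssemblyPath -Force
Write-Host "Agent unregistered and assembly removed; a copy is preserved in $EvidenceDir"
```

The article notes LightNeuron consists of two files; any companion file the agent's configuration points to beyond the assembly itself should be preserved and removed in the same order, after the registration is gone.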

Turla attackers first must steal credentials to the Exchange Server to install LightNeuron. So enabling multifactor authentication among user accounts can help thwart the attack. In addition, ESET recommends monitoring the main Exchange Server, including installing endpoint detection and response (EDR) tools or other security monitoring.

The bottom line is many organizations typically don't monitor when a new Transport Agent gets installed on the Exchange Server. "That's the main problem. It's a feature that's not very well-known," Faou says.
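One way to close the monitoring gap Faou describes is to inventory the registered Transport Agents on each server, keep a baseline, and alert on any new or changed registration (and, following his digital-signature point, on any agent assembly without a valid Authenticode signature). This is an added example for this page, not ESET's or Microsoft's tooling; it uses the stock Get-TransportAgent, Get-AuthenticodeSignature and Write-EventLog cmdlets, and the baseline path and event source name are placeholders.

```powershell
# Added example (not from ESET or Microsoft): baseline the Transport Agents
# registered on this Exchange server and report anything new, changed, removed
# or unsigned. Schedule it from the Exchange Management Shell; findings land in
# the Application event log so an EDR or SIEM collector can pick them up.
$BaselinePath = "C:\ProgramData\TransportAgentBaseline.json"   # placeholder path
$EventSource  = "TransportAgentAudit"                           # placeholder source name

function Get-TransportAgentInventory {
    # One record per registered agent: identity, factory class, assembly, hash, signer.
    foreach ($a in Get-TransportAgent) {
        $present = Test-Path -Path $a.AssemblyPath
        $sig     = if ($present) { Get-AuthenticodeSignature -FilePath $a.AssemblyPath } else { $null }
        [pscustomobject]@{
            Identity  = $a.Identity
            Enabled   = $a.Enabled
            Factory   = $a.TransportAgentFactory
            Assembly  = $a.AssemblyPath
            Sha256    = if ($present) { (Get-FileHash -Algorithm SHA256 -Path $a.AssemblyPath).Hash } else { 'MISSING' }
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'MISSING' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$current = @(Get-TransportAgentInventory)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is registered now. Review this list by hand once;
    # an agent nobody can account for deserves the same scrutiny as a new one.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written with $($current.Count) agent(s); review it manually."
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($b in $baseline) { $known[$b.Identity] = $b }

# Compare the live inventory against the baseline.
$findings = @(foreach ($c in $current) {
    if (-not $known.ContainsKey($c.Identity)) {
        "NEW agent '$($c.Identity)' -> $($c.Assembly) (signature: $($c.SigStatus))"
    } elseif ($known[$c.Identity].Sha256 -ne $c.Sha256) {
        "CHANGED assembly for '$($c.Identity)': $($c.Assembly) (signature: $($c.SigStatus))"
    }
    if ($c.SigStatus -ne 'Valid') {
        "NO VALID SIGNATURE on '$($c.Identity)': $($c.Assembly) ($($c.SigStatus))"
    }
})
foreach ($b in $baseline) {
    if (-not ($current | Where-Object { $_.Identity -eq $b.Identity })) {
        $findings += "REMOVED agent '$($b.Identity)' (was $($b.Assembly))"
    }
}

if ($findings.Count -gt 0) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId 4001 -EntryType Warning `
        -Message ("Transport Agent changes detected:`n" + ($findings -join "`n"))
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No Transport Agent changes against baseline."
}
```

Some legitimate third-party agents ship unsigned, so the signature finding is a prompt to verify the vendor rather than a verdict on its own; the new- and changed-agent findings are the ones that directly address the case the article describes, where a registration appears that nobody on the team installed.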

Meanwhile, ESET said code snippets of the Windows version of LightNeuron indicate that Turla also created a Linux variant of the backdoor.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
phillysteak, User Rank: Apprentice, 5/8/2019 | 3:10:26 PM
Did ESET share additional IOCs?
So I looked over the IntelliAdmin documentation, and it listens on default ports 2792 and 5900 per their official documentation, however the connection port can be changed. Did ESET share whether the standard IntelliAdmin ports were used for this Attack or if specific non-default connection ports were used, or if attackers kept changing the connection ports? That would be insightful intel as it could assist in identifying part of this attack through legitimate network communication channels.