Command-and-control (C&C) channels were established on November 12, when the attacker also began collecting and exfiltrating data.

To avoid raising suspicion, they used Dropbox and OneDrive to exfiltrate files, transferring only small batches at a time.

“The cumulative effect over the five months observed is a complete, near-continuous theft of the user’s Outlook mailbox, broken into incremental archives small enough not to draw attention from security software,” the researchers explained.

The attacker continuously worked on persistence, regularly re-registering tasks disguised as Adobe, Lenovo, and OneDrive system services to maintain access.

Symantec and Carbon Black made indicators of compromise (IoCs) available to help other organizations detect potential attacks.
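One way a defender might hunt for the kind of brand masquerading described above (an added example, not code from the SecurityWeek article or from the Symantec/Carbon Black research): a Python check over scheduled-task records that flags tasks named after Adobe, Lenovo or OneDrive whose action binary is outside that vendor's normal install location, or is a generic script host. The vendor directories, the script-host list and the sample task records are constructed assumptions for illustration.

```python
"""Audit scheduled tasks for vendor-name masquerading.

Heuristic: a task whose name borrows a trusted brand but whose action binary
lives outside that vendor's install locations, or is a script host, deserves a
closer look. Paths and sample records are constructed, not from the report.
"""
import fnmatch

# Where each vendor's legitimate updaters normally live (assumed, not exhaustive).
VENDOR_INSTALL_DIRS = {
    "adobe": [r"C:\Program Files*\Adobe\*", r"C:\Program Files*\Common Files\Adobe\*"],
    "lenovo": [r"C:\Program Files*\Lenovo\*", r"C:\ProgramData\Lenovo\*"],
    "onedrive": [r"C:\Program Files\Microsoft OneDrive\*",
                 r"C:\Users\*\AppData\Local\Microsoft\OneDrive\*"],
}

# Generic hosts a vendor "service" task has no business launching directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed task records, e.g. as exported from a task-scheduler inventory.
SAMPLE_TASKS = [
    {"name": "Adobe Acrobat Update Task",
     "action": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
    {"name": "OneDrive Standalone Update Task",
     "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"name": "Lenovo System Update", "action": r"C:\Users\alice\AppData\Roaming\Lenovo\lsu.exe"},
    {"name": "AdobeUpdateService", "action": r"C:\Windows\System32\rundll32.exe"},
]


def _matches_any(path, patterns):
    # Lower-case both sides so the check behaves the same on any host OS.
    return any(fnmatch.fnmatch(path.lower(), p.lower()) for p in patterns)


def suspicious_tasks(tasks):
    """Return (task name, reason) pairs for tasks that look like masquerading."""
    findings = []
    for task in tasks:
        name, action = task["name"].lower(), task["action"]
        exe = action.rsplit("\\", 1)[-1].lower()
        for brand, dirs in VENDOR_INSTALL_DIRS.items():
            if brand not in name:
                continue
            if exe in SCRIPT_HOSTS:
                findings.append((task["name"], f"{brand} task launches script host {exe}"))
            elif not _matches_any(action, dirs):
                findings.append((task["name"], f"{brand} task runs binary outside vendor dirs: {action}"))
            break  # one brand match per task is enough
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_tasks(SAMPLE_TASKS):
        print(f"[!] {name}: {reason}")
```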


Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Source: SecurityWeek