A China-based advanced persistent threat (APT) group has been observed exploiting vulnerabilities in Microsoft Exchange Server. Since the start of the month, a sharp increase has been observed in communications to the PlugX command-and-control (C2) infrastructure associated with this group.
What Transpired?
The APT group’s ongoing campaign has been linked to exploitation of the recently disclosed ProxyLogon vulnerabilities.
- On November 14, 2020, researchers first identified the IP address 91[.]220[.]203[.]86 as a suspected PlugX C2 server.
- Starting March 1, 2021, an increase in traffic to this C2 server from victim IP addresses hosting Exchange services was observed.
- Shortly afterwards, the ProxyLogon vulnerabilities were publicly disclosed. Organizations targeted in the exploitation campaign included local and national governments and the software, defense, finance, IT, legal, and manufacturing sectors.
Findings
Researchers recently attributed this activity to the Calypso APT group, which was observed targeting vulnerable Exchange servers to deploy web shells and then load the PlugX malware.
- According to the researchers, the group’s infrastructure overlapped with a known cluster of PlugX C2 servers.
- Some of the malware samples recovered had already been reported by a cybersecurity provider.
The ProxyLogon vulnerabilities have been heavily exploited by cybercriminals. Our internal experts recommend the following mitigations: configuring IDS and IPS systems to detect the exploit traffic, installing the Exchange Server security updates, and following industry guidance on hunting for web shells. Note that installing the updates closes the entry point but does not remove a web shell that was planted before patching, which is why the hunt is still necessary.
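As an added example (not code from eScan or from the researchers cited above), the script below performs two of the hunting checks a defender would run after reading this report: it matches outbound connections against the C2 address named in the post, and it scans an Exchange web root for dropped .aspx web shells. The firewall log format, the sample log lines, the sample web root and the file contents are all constructed for illustration; the two directory names mirror the locations public ProxyLogon guidance reported web shells being written to, and should be adapted to your own install path.

```python
"""Hunting helpers for the PlugX/ProxyLogon activity described above.

  1. find_c2_connections: flag hosts talking to the known PlugX C2.
  2. hunt_webshells: score .aspx files in an Exchange web root for
     web-shell traits (evaluating request input, spawning processes).
"""
import re
import tempfile
from pathlib import Path

# IOC taken from the post, refanged. Extend from your own intel feed.
C2_IOCS = {"91.220.203.86"}

# --- 1. C2 connection matching -------------------------------------------

# Assumed firewall export format: "<timestamp> <src_ip> <dst_ip> <dst_port>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)$"
)

# Constructed sample lines, not real traffic.
SAMPLE_FW_LOG = """\
2021-03-01T08:14:03Z 10.0.5.21 93.184.216.34 443
2021-03-01T08:14:09Z 10.0.5.21 91.220.203.86 443
2021-03-01T08:15:44Z 10.0.5.30 91.220.203.86 80
2021-03-01T08:16:01Z 10.0.5.21 10.0.5.1 53
"""


def find_c2_connections(log_text, iocs=C2_IOCS):
    """Return (timestamp, internal host, c2, port) for each line whose
    destination is a known C2. Hosts listed here are the first candidates
    for the web-shell hunt below."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("dst") in iocs:
            hits.append((m.group("ts"), m.group("src"), m.group("dst"),
                         int(m.group("port"))))
    return hits


# --- 2. Web shell hunting -------------------------------------------------

# Traits of a web shell rather than of a normal Exchange page. A single
# match is weak (legitimate pages read Request.Form), so a file is only
# flagged when several distinct patterns co-occur.
SHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request", re.I),                   # script eval of input
    re.compile(r"Request\.(Item|Form|QueryString)\s*\[", re.I), # reads request input
    re.compile(r"Process\.Start|cmd\.exe|powershell", re.I),    # spawns a process
    re.compile(r"Assembly\.Load|unsafe", re.I),                 # loads code at runtime
]


def hunt_webshells(root, min_score=2):
    """Walk `root` and return [(path, score, matched patterns)] for .aspx
    files matching at least `min_score` distinct shell patterns, highest
    score first. Matches are leads for manual review, not proof."""
    findings = []
    for path in Path(root).rglob("*.aspx"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        matched = [p.pattern for p in SHELL_PATTERNS if p.search(text)]
        if len(matched) >= min_score:
            findings.append((str(path), len(matched), matched))
    return sorted(findings, key=lambda f: -f[1])


def build_sample_webroot():
    """Create a throwaway directory imitating two Exchange paths where
    public ProxyLogon guidance reported web shells. Contents are
    constructed for this example."""
    root = Path(tempfile.mkdtemp(prefix="exch_"))
    auth = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    client = root / "aspnet_client" / "system_web"
    auth.mkdir(parents=True)
    client.mkdir(parents=True)
    # Benign-looking page: reads form input but never evaluates it.
    (auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<% var u = Request.Form["username"]; %>\n')
    # One-line JScript eval shell of the kind dropped in these campaigns.
    (client / "error.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>')
    return root


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_FW_LOG):
        print("C2 beacon:", hit)
    for path, score, _ in hunt_webshells(build_sample_webroot()):
        print(f"suspect web shell ({score} patterns): {path}")
```

Run it against a real export by replacing SAMPLE_FW_LOG with your firewall or proxy log and pointing hunt_webshells at the Exchange install directory and C:\inetpub\wwwroot; treat every flagged file as a lead to triage (hash, creation time, IIS log entries for that path) rather than as a confirmed shell.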
To read more, please check eScan Blog