According to Security Affairs, “Mandiant researchers discovered a new APT group, tracked as UNC3524, that heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. Once gained initial access to the target systems, UNC3524 deployed a previously unknown backdoor tracked by Mandiant researchers as QUIETEXIT. The QUIETEXIT backdoor borrows the code from the open-source Dropbear SSH client-server software. The threat actors deployed QUIETEXIT on network appliances within the target network, including load balancers and wireless access point controllers.”
IP cameras often use older versions of BSD or CentOS. Mandiant points out that creating malware to attack these would require “considerable planning.” (These systems are not typically protected by security solutions, which allowed the attackers to remain undetected for up to 18 months.)
During the campaign, the threat actors were able to use the IP cameras to re-access victim networks after being removed. They used the access to steal the information from victim networks. While full attribution was not given, Mandiant observed many of the TTPs overlapping with Russian APT groups, specifically APT28 and APT29.
This example highlights the many dangers of IoT devices. Threat actors can use vulnerable IP cameras, threat actors were able to maintain persistent access on victim networks for up to 18 months. In this case, the IoT cameras were not monitored by security tools, so threat actors were able to create a backdoor into victim networks.
Mitigation
Review the Mandiant report, where they have provided various tactics, techniques and procedures (TTPs) as well as indicators of compromise (IoCs). Examine these TTPs and IoCs and ensure you are not using vulnerable devices.
Be on the look out for these Indicators of Compromise:
- cloudns[.]asia
- dynu[.]net
- mywire[.]org
- webredirect[.]org
- ba22992ce835dadcd06bff4ab7b162f9 - MD5
- 3d4dcc859c6ca7e5b36483ad84c9ceef34973f9a - SHA1
- 7b5e3c1c06d82b3e7309C258dfbd4bfcd476c8ffcb4cebda76146145502a5997 - SHA256