The ToddyCat APT group hacked MS Exchange Servers

June 28, 2022

The ToddyCat advanced persistent threat (APT) group is reported to be targeting the MS Exchange servers of several organisations based in Europe and Asia. The campaign has been in operation for at least a couple of years, which has given researchers time to dissect it.

The APT group has upgraded its attacks and is now scanning for MS Exchange servers affected by known flaws such as the ProxyLogon vulnerability (CVE-2021-26855). Once the threat actors find an unpatched server, they exploit ProxyLogon to gain their initial foothold.

In addition, while tracking ToddyCat's activity, researchers discovered a new trojan named Ninja and a passive backdoor called Samurai. These two payloads, found during analysis of the group's activity, were used to take control of compromised systems and move laterally across the victims' networks.

A few of the organisations the APT group infected, in three separate countries, were breached at approximately the same time by Chinese state-sponsored threat groups that employed the FunnyDream backdoor.

The targeted victims are high-profile, well-known entities in the government and military sectors. The APT group also appears intent on achieving strategic objectives related to politics and other interests.

The first surge of attacks commenced in December two years ago and halted in February last year. During that period, the APT group was exclusively targeting a small number of government entities in Taiwan and Vietnam.

However, researchers observed the next surge of activity between February and May last year. This second wave expanded the targeting to organisations in several other notable countries, including the United Kingdom, India, Iran, and Russia.


The ToddyCat group added a few more countries to target.


In the next phase of the campaign, the group kept targeting the same cluster of nations but added organisations from Indonesia, Uzbekistan, and Kyrgyzstan. The campaign has lasted for about a year and will likely continue for as long as the affected organisations leave the exploited flaws unaddressed.

The ToddyCat APT group has shown a sustained interest in military and governmental entities, which is why researchers expect this operation to continue for an extended period. Organisations in these sectors should therefore subscribe to a threat intelligence service to stay updated on new threats, and should patch their Exchange servers and secure their networks before they are targeted.
