UNC3524

Threat Actor updated 4 months ago (2024-05-05T05:17:41.213Z)
UNC3524, also known as Cranefly, is a newly identified threat actor suspected of espionage. The group primarily targets corporate email, focusing on employees involved in corporate development, mergers and acquisitions, and large corporate transactions, and it has shown a serious commitment to maintaining its presence in compromised environments.

The initial compromise method is unknown. Once access is gained, the group deploys a novel backdoor that Mandiant tracks as QUIETEXIT. QUIETEXIT is based on the open-source Dropbear SSH client-server software and supports full SSH functionality, which UNC3524 uses to establish a SOCKS tunnel into victim environments.

UNC3524's activities have since been attributed to APT29. Notably, the group's REGEORG tool is identical to the version the NSA reported in use by APT28. Where APT28 used TOR and commercial VPNs, UNC3524 primarily operates from compromised internet-facing devices, targeting opaque network appliances that are often the least secured and least monitored systems in a victim's environment. Because the group operates from compromised infrastructure connected directly to the public internet, such as IP cameras, host-based hunting and detection are extremely difficult. The devices are believed to be compromised through default credentials rather than an exploit, forming an IoT botnet.

Once authenticated to the Exchange infrastructure, UNC3524 extracts mail items from targeted mailboxes through EWS API requests. In each victim environment the group focuses on a subset of mailboxes, particularly those of executive teams, corporate development and mergers and acquisitions staff, and IT security personnel.

For effective detection methods and configuration recommendations, refer to Mandiant's UNC2452 Microsoft 365 Hardening Guide.
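The two observations above that a defender can act on are that the mail collection arrives as EWS requests and that the requests originate from compromised appliances inside the victim's own address space. The following added example (not code from the page or from Mandiant) turns that into a simple log check: it parses constructed, IIS-style EWS access log lines and flags EWS sessions whose client address falls in the organisation's appliance subnet or whose user agent is not an expected mail client. The appliance subnet `APPLIANCE_NETS`, the `EXPECTED_AGENTS` list, the log layout and all log lines are assumptions constructed for the example.

```python
"""Flag EWS access from network-appliance address space or unexpected clients.

All inputs (subnet, user-agent list, log lines) are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Assumed: the address block assigned to IP cameras and similar appliances.
# In practice this comes from the asset inventory / IPAM, not a hard-coded list.
APPLIANCE_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Assumed: user-agent prefixes of mail clients the organisation expects on EWS.
EXPECTED_AGENTS = ("Microsoft Office/", "Outlook/", "MacOutlook/")

# Constructed, simplified IIS-style log lines. IIS writes spaces inside a
# user agent as '+', which is why the fields can be split on whitespace.
# Layout: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2024-05-01 08:02:11 POST /ews/exchange.asmx CORP\\jdoe 10.10.4.21 Microsoft+Office/16.0 200
2024-05-01 08:02:15 POST /ews/exchange.asmx CORP\\jdoe 10.10.4.21 Microsoft+Office/16.0 200
2024-05-01 22:41:03 POST /ews/exchange.asmx CORP\\svc_backup 10.50.3.17 python-requests/2.31 200
2024-05-01 22:41:04 POST /ews/exchange.asmx CORP\\svc_backup 10.50.3.17 python-requests/2.31 200
2024-05-01 22:41:05 POST /ews/exchange.asmx CORP\\svc_backup 10.50.3.17 python-requests/2.31 200
2024-05-01 09:15:40 GET /owa/ CORP\\asmith 10.10.7.8 Mozilla/5.0 200
"""


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time_, method, uri, user, client_ip, agent, status = parts
    return {
        "timestamp": f"{date} {time_}",
        "method": method,
        "uri": uri,
        "user": user,
        "client_ip": client_ip,
        "user_agent": agent.replace("+", " "),  # undo IIS space encoding
        "status": int(status),
    }


def from_appliance(ip, nets=APPLIANCE_NETS):
    """True if the client address lies inside the appliance address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect(log_text, nets=APPLIANCE_NETS, expected_agents=EXPECTED_AGENTS):
    """Group EWS requests by (user, client IP) and return the suspicious groups.

    A group is reported when its source is an appliance address or its client
    software is not an expected mail client; both reasons are recorded.
    """
    buckets = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["uri"].lower().startswith("/ews/"):
            continue  # only EWS traffic is of interest here
        bucket = buckets[(rec["user"], rec["client_ip"])]
        bucket["count"] += 1
        if from_appliance(rec["client_ip"], nets):
            bucket["reasons"].add("appliance_source")
        if not rec["user_agent"].startswith(expected_agents):
            bucket["reasons"].add("unexpected_user_agent")

    findings = [
        {"user": user, "client_ip": ip, "count": b["count"], "reasons": sorted(b["reasons"])}
        for (user, ip), b in buckets.items()
        if b["reasons"]
    ]
    # Busiest sessions first so the heaviest collection activity is seen first.
    return sorted(findings, key=lambda f: (-f["count"], f["user"]))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the `jdoe` session from the workstation range with an Office user agent is left alone, while the three `svc_backup` requests from the camera subnet with a scripting client are reported with both reasons. The value of the check is the subnet lookup: a user-agent list alone is easy to blend into, but an EWS session that genuinely comes from an address reserved for appliances is the kind of signal the description above says host-based tooling on the appliance itself will not give you.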
Description last updated: 2024-05-05T04:46:11.874Z
Aliases: none currently tracked.
Miscellaneous associations (other context that could aid in identifying relevance): Backdoor
Source Document References
Information about the UNC3524 Threat Actor was read from the documents corpus below.
BankInfoSecurity (a year ago): Lazarus Group Targets Microsoft IIS Servers
MITRE (9 months ago): UNC3524: Eye Spy on Your Email