Threat Actor Profile Updated 2 months ago
UNC3524, also known as Cranefly, is a newly identified threat actor suspected of espionage activity. The group primarily targets corporate email, focusing on employees involved in corporate development, mergers and acquisitions, and large corporate transactions. UNC3524 has demonstrated a serious commitment to maintaining its presence within compromised environments.

The initial compromise method remains unknown. Once access is gained, the group deploys a novel backdoor that Mandiant tracks as QUIETEXIT. QUIETEXIT is based on the open-source Dropbear SSH client-server software and supports full SSH functionality, which UNC3524 uses to establish a SOCKS tunnel into victim environments.

The activities of UNC3524 have now been attributed to APT29. Interestingly, the version of the REGEORG tool used by the group is identical to the one the NSA reported as used by APT28. Whereas APT28 used TOR and commercial VPNs, UNC3524 primarily operates from compromised internet-facing devices. The group targets opaque network appliances, which are often the least secure and least monitored systems in a victim's environment. Because UNC3524 operates from compromised infrastructure connected directly to the public internet, such as IP cameras, host-based hunting and detection are extremely difficult. It is believed that the group relies on default credentials rather than an exploit to compromise these devices, forming an IoT botnet.

Once authenticated to the Exchange infrastructure, UNC3524 extracts mail items from targeted mailboxes through EWS API requests. In each victim environment the group focuses on a subset of mailboxes, particularly those belonging to executive teams, corporate development and mergers and acquisitions staff, or IT security personnel.
For effective detection methods and configuration recommendations, refer to Mandiant's UNC2452 Microsoft 365 Hardening Guide.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability
QUIETEXIT is a novel malware deployed by threat group UNC3524, primarily used for long-haul remote access. It operates by being installed on opaque network appliances within the victim environment, such as SAN arrays, load balancers, and wireless access point controllers, effectively creating backdo
Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg webshell and issuing a GET request using curl. They then tried to
Cranefly, also known as UNC3524, is a threat actor group known for its sophisticated cyberattacks and stealthy techniques. These entities, which could be individuals, private companies, or even government entities, execute actions with malicious intent, often breaching cybersecurity systems to gathe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Lateral Move...
Web Shell
Associated Malware
ID / Type / Votes / Profile Description
No associations to display
Associated Threat Actors
ID / Type / Votes / Profile Description
APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the UNC3524 threat actor was read from the document corpus below. This display is limited to 20 results.
a year ago: Lazarus Group Targets Microsoft IIS Servers
7 months ago: UNC3524: Eye Spy on Your Email