Vulnerable Microsoft Exchange servers have been exploited by the newly identified advanced persistent threat group NightEagle, also known as APT-Q-95, to compromise government, technology and defense organizations across China in a cyberespionage campaign, according to The Hacker News.
The intrusions involved a .NET loader that deployed a customized build of the open-source intranet tunneling tool Chisel, with modified source code and hard-coded execution parameters, into Exchange Server's Internet Information Services (IIS) process, with the Exchange Server and its machineKey compromised through a zero-day flaw, a report from QiAnXin's RedDrip Team showed. "The attacker used the key to deserialize the Exchange server, thereby implanting a Trojan into any server that complies with the Exchange version, and remotely reading the mailbox data of any person," said the report, which attributed the attack to a North American APT based on its hours of operation and the sophistication of its operations.