Botconf Author Listing

Hundreds of thousands of Microsoft Exchange servers are exposed to the internet, making this Microsoft’s on-premises email server solution the target of choice for attackers. Since the beginning of 2021, Exchange has been subject to several critical vulnerabilities, including the ProxyLogon, ProxyShell vulnerability chains and their variations. We have been closely monitoring malicious activities related to these vulnerabilities since they were made public and discovered multiple APT groups exploiting them. This presentation will revisit the whole timeline of events and show how attackers systematically exploited these vulnerabilities and for what purpose.

On March 2nd, 2021, Microsoft released out-of-band patches for Exchange. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) allowing an attacker to take control of any reachable Exchange servers without valid credentials. This vulnerability chain was first discovered by Orange Tsai, a well-known vulnerability researcher, who named it ProxyLogon and reported it to Microsoft on January 5th.

We discovered that this vulnerability was exploited by more than ten APT groups, starting on February 28th, 2021. They breached high profile organizations, including governments, all around the world.

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and software industries, as well as the healthcare and education sector. Some of their most notorious attacks were against CCleaner (2018) and Asus LiveUpdate (2019), two events that led to the distribution of trojanized software that got millions of computers infected. In 2018, several individuals suspected of being part of the Winnti Group were indicted by the US Department of Justice for conspiring to hack and steal intellectual property and confidential data from US and European companies.

Despite the increased scrutiny towards the group’s activities, Winnti is still highly active. During the last year, we discovered two campaigns of the Winnti Group against several Hong Kong universities, which occurred during the same period that widespread civic protests were sweeping Hong Kong. We also discovered various new campaigns targeting the videogame industry (developers and distributors) in South Korea, Taiwan and Russia.

During this presentation, we will show that not only is the Winnti Group still actively using and maintaining its flagship backdoor ShadowPad along with the Winnti malware family, but also that they extended their arsenal with new tools such as PipeMon (a modular backdoor) and some new and undocumented implants.

Video upon request to the author.

This presentation is the result of a long-term research uncovering new unpublished details on the arsenal of the Winnti umbrella. The Winnti umbrella consists in multiple threat actors having in common the use of a custom backdoor for their operations, the Winnti malware. It is active since at least 2009 and is mostly targeting the video-game industry even though it is also known to have compromised other high-profile targets such as the pharmaceutical industry. They are also known for certificates theft used to sign their malwares.