The China-backed APT group Cicada has been observed carrying out espionage campaigns against government agencies and non-governmental organizations in many countries, including the USA, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.
In these attacks, the threat actors exploit security vulnerabilities in vulnerable Microsoft Exchange servers to gain initial access to the target network.
The following tools have been observed to be used in this attack campaign:
- Mimikatz Loader: Used to download Mimikatz, the credential-theft tool used to harvest user credentials from compromised systems.
- WinVNC: Gives the threat actors remote control of compromised systems.
- RAR Archiving Tool: Used to compress, encrypt, or archive files during the operation on the target network.
- System/Network Discovery Tool: Lets the threat actors identify which systems and services are reachable from an infected machine.
- WMIExec: A Microsoft command-line tool that the threat actors use to execute commands.
- NBTScan: Used by APT groups for discovery within a compromised network.
After gaining access to the targeted system, the Sodamaster backdoor, which is also used in other Cicada campaigns, is deployed. Sodamaster can check registry keys or delay its execution to evade detection, collect data from the targeted system such as username, hostname, and operating system information, download and execute additional payloads, and obfuscate its traffic to the command and control (C&C) server.
Threat actors targeting critical sectors such as education, health, and justice are expected to continue their attacks in many countries. To avoid becoming the target of similar attacks, it is recommended to keep systems and software up to date, to use reliable anti-virus/anti-malware solutions, and to block the IoCs associated with the campaign using security solutions.
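As a defender-side illustration of the tool list above and of the recommendation to hunt for and block campaign indicators, the following Python script is an added example (it is not code from the advisory or from any vendor) that runs simple detection rules over constructed, Sysmon-style process-creation events. The event records, the rule names, and the behavioural patterns used for each tool (a WmiPrvSE-spawned cmd.exe redirecting output to an ADMIN$ share, a command-line rar.exe creating a password-protected archive, Mimikatz module syntax, and the nbtscan/winvnc binaries) are this example's own assumptions about how such tools typically appear in telemetry, not indicators published for this campaign.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (Event ID 1 reduced to
# host/user/image/cmdline/parent). Written for this example only; they are
# not telemetry or IoCs from the advisory.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\ProgramData\\nbtscan.exe",
     "cmdline": "nbtscan.exe -r 10.0.0.0/24", "parent": "cmd.exe"},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1650000000.12 2>&1",
     "parent": "wmiprvse.exe"},
    {"host": "WS22", "user": "CORP\\jdoe", "image": "C:\\Temp\\rar.exe",
     "cmdline": "rar.exe a -hp******** out.rar C:\\Users\\jdoe\\Documents", "parent": "cmd.exe"},
    {"host": "WS22", "user": "CORP\\jdoe", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe x photos.rar", "parent": "explorer.exe"},
    {"host": "DC01", "user": "CORP\\admin", "image": "C:\\Users\\Public\\winvnc.exe",
     "cmdline": "winvnc.exe -run", "parent": "cmd.exe"},
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\Temp\\x.exe",
     "cmdline": "x.exe privilege::debug sekurlsa::logonpasswords", "parent": "cmd.exe"},
]

# Assumed patterns (this example's choices, not published campaign indicators).
WMIEXEC_OUTPUT_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+")
MIMIKATZ_MODULES = re.compile(r"(sekurlsa::|lsadump::|privilege::debug)", re.I)


def _basename(image):
    # ntpath so Windows paths are parsed correctly even when run on Linux.
    return ntpath.basename(image).lower()


def rule_nbtscan(ev):
    return _basename(ev["image"]) == "nbtscan.exe"


def rule_winvnc(ev):
    # WinVNC dropped outside Program Files is treated as suspicious.
    return (_basename(ev["image"]) == "winvnc.exe"
            and not ev["image"].lower().startswith("c:\\program files"))


def rule_wmiexec(ev):
    # WMI-based remote execution: WmiPrvSE spawns cmd.exe whose output is
    # redirected to a timestamp-named file on the local ADMIN$ share.
    return (_basename(ev["parent"]) == "wmiprvse.exe"
            and WMIEXEC_OUTPUT_REDIRECT.search(ev["cmdline"]) is not None)


def rule_rar_encrypted_archive(ev):
    # Command-line rar creating ("a") a password-protected (-hp) archive is a
    # common staging pattern; interactive WinRAR.exe extraction is not flagged.
    args = ev["cmdline"].split()
    return (_basename(ev["image"]) == "rar.exe"
            and len(args) > 1 and args[1].lower() == "a"
            and any(a.lower().startswith("-hp") for a in args[2:]))


def rule_mimikatz(ev):
    # Match on module syntax rather than the binary name, which is easily renamed.
    return MIMIKATZ_MODULES.search(ev["cmdline"]) is not None


RULES = {
    "nbtscan": rule_nbtscan,
    "winvnc": rule_winvnc,
    "wmiexec": rule_wmiexec,
    "rar_encrypted_archive": rule_rar_encrypted_archive,
    "mimikatz": rule_mimikatz,
}


def hunt(events):
    """Return one finding per (rule, event) match, in event order."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": name, "host": ev["host"],
                                 "user": ev["user"], "cmdline": ev["cmdline"]})
    return findings


def tools_by_host(findings):
    """Distinct tool rules per host; several distinct tools on one host is a
    stronger signal than any single hit."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["rule"])
    return dict(seen)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmdline']}")
    for host, tools in tools_by_host(found).items():
        print(host, sorted(tools))
```

The per-host grouping is the part worth keeping in a real hunt: a single rar.exe invocation is routine, but the same host showing credential dumping plus WMI-based execution, or discovery plus a dropped VNC server, matches the toolchain the advisory describes and should be escalated rather than triaged rule by rule.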