LightNeuron, the backdoor designed especially for Microsoft Exchange

Reports from IICS web application penetration testing experts mention that a group of Russian cyber spies has created one of the most advanced backdoors ever designed to attack an email server.

The LightNeuron backdoor was developed specifically to attack Microsoft Exchange email servers and, according to web application penetration testing experts, it operates as a mail transfer agent (MTA), a technique never seen before in a backdoor. "This is probably the first malicious software designed to specifically target Microsoft Exchange", one of the specialists said.

Experts mention that LightNeuron gives threat actors full control over all the activity of the infected server; attackers can intercept, redirect, and even edit incoming and outgoing email on the compromised server.

The cyber espionage operations of this group, identified as Turla, seem to come out of a sci-fi tale. On previous occasions the group has hijacked satellite links to deploy malware, hidden command traffic in Instagram comments, and has even taken control of the entire infrastructure of Internet service providers.

Web application penetration testing specialists mention that Turla has used the LightNeuron backdoor for at least the last five years, that is, since 2014, which shows how effectively this group has evaded law enforcement agencies.

The specialists say they have already identified three victims of this attack. Although the names of the affected organizations were not revealed, the experts shared some details:

  • One of the victims is a Brazilian organization
  • The Ministry of Foreign Affairs of a European country
  • A Middle Eastern diplomatic organization

According to the experts of the International Institute of Cyber Security (IICS), LightNeuron's most notable feature is its command and control mechanism. Once a Microsoft Exchange server is infected and modified with LightNeuron, the hackers never connect to it directly; instead, they send it emails with PDF or JPG attachments.

Using steganography, the hackers hide the commands inside the attached images. The backdoor, sitting in the mail flow, reads these commands from the attachments and executes them. Because no direct connection to the server is ever made, detecting an attack attempt by Turla becomes extremely difficult.
