Calypso APT, a China-based threat group, has been exploiting vulnerable Microsoft Exchange servers. Since March 1, a large increase has been observed in communications to the PlugX C2 infrastructure associated with this threat group.
What has happened?
The ongoing malicious activity is likely associated with the exploitation of the recently disclosed ProxyLogon vulnerabilities (tracked as CVE-2021-26855, CVE-2021-27065).
- Insikt Group first identified an IP 91[.]220[.]203[.]86 as a suspected PlugX C2 on November 14, 2020.
- Later, it spotted a large increase in activity linked to this C2 server, starting March 1, from victim IP addresses hosting Exchange services.
- Just a day later, the widespread exploitation of Microsoft Exchange vulnerabilities was disclosed. Targeted organizations included local and national governments, software, defense, finance, IT, legal, and manufacturing.
- All of these targeted organizations were found to be located in Australia, the Czech Republic, Germany, India, Italy, Kazakhstan, Macedonia, Nepal, Switzerland, Ukraine, and the U.S.
The involvement of Calypso was reported by ESET a few days ago, which observed the APT group targeting vulnerable Exchange servers to deploy web shells and eventually load the PlugX malware.
- A cluster of PlugX C2 servers and infrastructure overlapped with public reporting on Calypso APT by PTSecurity and ESET.
- Insikt Group identified several malware samples, two of which were listed in ESET's reporting.
The recently disclosed Microsoft Exchange vulnerabilities are being heavily exploited by cybercriminals. Additionally, the report mentioned some mitigation tips that should be implemented immediately. These include configuring IDS and IPS systems, installing Exchange server updates, and following industry guidance on hunting for web shells.
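One practical way to act on the C2 indicator above is to sweep egress logs for connections from Exchange hosts to the suspected PlugX server. The script below is an added example and is not code from the report or from Insikt Group; the only indicator it uses is the IP named on the page. The firewall log format, the sample log lines and the Exchange host inventory are all constructed here for illustration, so adapt the regex and the host set to your own environment.

```python
import re
from typing import Dict, Iterable, List, Set

# Suspected PlugX C2 from the report, kept in its defanged form.
PLUGX_C2_DEFANGED = ["91[.]220[.]203[.]86"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('91[.]220[.]203[.]86') into a usable IP string."""
    return ioc.replace("[.]", ".")


# Hypothetical firewall log format (constructed for this example):
# <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: two Exchange hosts and one other host talk to the C2 IP,
# one benign connection, and one malformed line that the parser must skip.
SAMPLE_LOG = """\
2021-03-01T02:14:07Z src=10.10.5.21 dst=91.220.203.86 dport=443 action=allow
2021-03-01T02:14:09Z src=10.10.5.21 dst=13.107.6.152 dport=443 action=allow
2021-03-01T02:15:33Z src=10.10.7.9 dst=91.220.203.86 dport=80 action=deny
2021-03-01T02:16:00Z src=10.10.9.3 dst=91.220.203.86 dport=443 action=allow
this line is not a valid firewall record
"""

# Constructed asset inventory: internal addresses that host Exchange services.
EXCHANGE_HOSTS: Set[str] = {"10.10.5.21", "10.10.9.3"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_c2_hits(records: Iterable[Dict[str, str]], c2_ips: Set[str],
                 exchange_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return every record whose destination is a known C2, tagging Exchange sources."""
    hits = []
    for r in records:
        if r["dst"] in c2_ips:
            hits.append({**r, "exchange_host": r["src"] in exchange_hosts})
    return hits


def allowed_exchange_beacons(hits: Iterable[Dict[str, str]]) -> Set[str]:
    """Exchange hosts whose connection to the C2 was allowed, i.e. highest priority for IR."""
    return {h["src"] for h in hits if h["exchange_host"] and h["action"] == "allow"}


def main() -> None:
    c2_ips = {refang(i) for i in PLUGX_C2_DEFANGED}
    hits = find_c2_hits(parse_log(SAMPLE_LOG), c2_ips, EXCHANGE_HOSTS)
    for h in hits:
        flag = "EXCHANGE" if h["exchange_host"] else "other"
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} {h['action']} [{flag}]")
    print("Exchange hosts with allowed C2 traffic:", sorted(allowed_exchange_beacons(hits)))


if __name__ == "__main__":
    main()
```

A denied connection is still worth a look: a blocked beacon attempt from an Exchange host usually means the web shell or PlugX loader is already present, so the block rule stopped the callback, not the compromise.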