Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
High
Analysis Summary
A Turla backdoor that targets Microsoft Exchange mail servers and is controlled remotely through steganographic email attachments was discovered in use against multiple targets around the world.
The specific targeting of Microsoft Exchange servers by malware is in itself unusual, but even more interesting is the use of Transport Agents as a persistence mechanism. Transport Agents hook into the Microsoft Exchange mail flow so that custom software can take part in processing email messages. By registering a custom Transport Agent, the Turla threat group was able to apply its own rule set to every email passing through a compromised Exchange server, allowing it to read, modify, compose, send, or delete messages. Through the Transport Agent's rule file, the attackers implemented handlers that included the ability to execute commands. When an attacker sends an email to the victim organization with a PDF or JPG attachment, a rule fires that decodes commands hidden in the attachment by steganography. These commands give full control over the Exchange server through functions such as executing processes, exfiltrating files, and writing executables.
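Because the backdoor lives in a registered Transport Agent, one defensive check that follows from this analysis is to audit the agents an Exchange server actually loads. The script below is an added example, not code from the advisory: run in the Exchange Management Shell, it lists registered transport agents and flags any whose assembly sits outside the Exchange install root, is missing from disk, is unsigned, or is not signed by Microsoft. It assumes `$env:ExchangeInstallPath` is set (standard on Exchange servers); a legitimate third-party agent (e.g. an anti-malware product) is also flagged and must be cleared against your own baseline.

```powershell
# Added example (not from the advisory): audit Exchange transport agents for
# an attacker-registered agent. Run in the Exchange Management Shell on each
# server. Assumptions: built-in agents live under $env:ExchangeInstallPath
# and their DLLs carry a valid Microsoft Authenticode signature.

$exRoot = $env:ExchangeInstallPath
if (-not $exRoot) {
    throw 'ExchangeInstallPath is not set; run this in the Exchange Management Shell on an Exchange server.'
}

$findings = foreach ($agent in Get-TransportAgent) {
    $path    = $agent.AssemblyPath
    $reasons = @()

    if (-not $path) {
        $reasons += 'no assembly path recorded'
    }
    else {
        # Built-in agents are installed under the Exchange install root.
        if (-not $path.StartsWith($exRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "assembly outside Exchange install root"
        }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status: $($sig.Status)"
            }
            elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                # Third-party agent: verify against your own baseline.
                $reasons += "signed by: $($sig.SignerCertificate.Subject)"
            }
        }
        else {
            $reasons += 'assembly file missing on disk'
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Identity = $agent.Identity
            Enabled  = $agent.Enabled
            Priority = $agent.Priority
            Path     = $path
            Reasons  = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'All transport agents are Microsoft-signed and under the Exchange install root.' }
```

Get-TransportAgent returns the Hub Transport agents by default; repeat the audit with `-TransportService FrontEnd`, `MailboxSubmission`, and `MailboxDelivery` (or `Edge` on an Edge server) to cover every service. Any flagged agent should be checked for what its DLL does before it is disabled or removed.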
Impact
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
Affected Vendors
Microsoft
Affected Products
Remediation
Block all threat indicators at your respective controls.