New Vulnerability Unlocked: Microsoft Exchange Server is Vulnerable to Attackers.
Cybersecurity analysts have discovered that attackers are using a new post-exploitation framework, IceApple. The finding comes from CrowdStrike's Falcon OverWatch organization, which functions as a cybersecurity threat hunting team.
They said that the post-exploitation framework, first seen in late 2021 lurking in the technology, academic and government sectors, has since spread across many different locations.
The report stated that IceApple is under active development, has been deployed on Microsoft Exchange servers, and is capable of running under any Internet Information Services (IIS) web application.
There are 18 different IceApple modules, with functionality that includes discovery, credential harvesting, file and directory removal, and data exfiltration. The post-exploitation framework does not provide initial access to systems; instead it is used to further mission objectives after exploitation has already succeeded.
OverWatch stated that the threat actors have consistently returned to the victim's environment to carry out their post-exploitation activities. It was further revealed that the framework maintains a low forensic footprint on infected hosts and has a number of features designed to evade detection.
Cyber Attackers Aimed for Espionage
Although IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software, it is still vulnerable. The researchers observed that the activity is aimed at intelligence collection and aligns with a targeted, state-sponsored mission.
The threat actors remain anonymous, but the targeted intrusions are consistent with a China-nexus, state-sponsored collection requirement. They stated that the framework is a highly sophisticated post-exploitation framework and is by no means alone.
The CrowdStrike Falcon platform and OverWatch are combining efforts: the former detects IceApple module loads while the latter hunts for new IceApple modules. They stated that it is important to ensure all web applications are fully patched to prevent IceApple from entering environments.