{"id":102581,"date":"2022-06-24T06:44:43","date_gmt":"2022-06-24T06:44:43","guid":{"rendered":"https:\/\/www.stellarinfo.com\/blog\/?p=102581"},"modified":"2023-07-20T06:55:28","modified_gmt":"2023-07-20T06:55:28","slug":"toddycat-apt-gang-targeting-microsoft-exchange-servers","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.com\/blog\/toddycat-apt-gang-targeting-microsoft-exchange-servers\/","title":{"rendered":"New ToddyCat APT Gang Targeting Microsoft Exchange Servers"},"content":{"rendered":"

ToddyCat<\/strong>, an Advanced Persistent Threat (APT) gang,has been targeting and exploiting vulnerable Exchange Servers throughout Europe and Asia since December 2020. Between December 2020 and February 2021, the gang targeted and attacked a limited number of entities in Vietnam and Taiwan. The gang exclusively attacked Exchange Servers previously compromised with Samurai — an advanced passive backdoor that works on 443 and 80 ports.<\/p>

They used the malware to execute arbitrary code and multiple modules to remotely administer, control, and move laterally into the targeted network. In some cases, the Samurai backdoor was also used to run another sophisticated Trojan cum loader called Ninja. They also used the China Chopper, a 4 KB web shell, to get access to the server and download and execute another dropper.<\/p>

However, the ToddyCat APT gang started attacking more servers between February 2021 and May 2021. During this wave of attacks, the gang exploited the infamous ProxyLogon<\/strong> RCE vulnerability in the unpatched Exchange Servers. This time the gang targeted many prominent countries, including Russia, Afghanistan, India, Iran, Malaysia, Pakistan, Slovakia, Thailand, and United Kingdom.<\/p>

In the next wave of attacks — until February 2023 — the ToddyCat gang increased the scope of attacks and targeted organizations in Indonesia, Kyrgyzstan, and Uzbekistan, in addition to the previously targeted countries.<\/p>

\"toddycat
Image Source – ToddyCat attack waves (Kaspersky)<\/figcaption><\/figure>

How to Protect your Exchange Server Environment from ToddyCat?<\/h2>

To protect and safeguard your Exchange Server and network infrastructure from ToddyCat or ransomware attacks, install the latest Cumulative Updates and Security Updates on your Exchange Server to patch the vulnerabilities. Also, consider upgrading to the latest version, if your organization is using an older Exchange Server version.<\/p>

In addition, follow the below steps to check your server health and detect vulnerabilities. <\/p>

Step 1: Run MSERT Scan<\/h3>

The Microsoft Safety Scanner or MSERT tool scans servers for any malware or web shells installed on your Windows Server environment and removes them from the system. Here’s how to use it:<\/p>