
██╗  ██╗ █████╗  ██████╗██╗  ██╗███████╗██████╗  ██████╗██╗  ██╗ █████╗ ████████╗
██║  ██║██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗██╔════╝██║  ██║██╔══██╗╚══██╔══╝
███████║███████║██║     █████╔╝ █████╗  ██████╔╝██║     ███████║███████║   ██║
██╔══██║██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗██║     ██╔══██║██╔══██║   ██║
██║  ██║██║  ██║╚██████╗██║  ██╗███████╗██║  ██║╚██████╗██║  ██║██║  ██║   ██║
╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝

Author: Shodo

Date: 7/19/2021

Title: UK and NATO Allies Put The Blame On China For Microsoft Exchange Attack That Took Place In Early 2021.

Abstract: The UK and NATO allies have released a public statement today putting the blame on Chinese state-backed adversaries for the Microsoft Exchange attack from early 2021. UK Foreign Secretary Dominic Raab has stated, “The Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not.” (Source1) This is the first time NATO allies have proposed that China be held accountable for its reckless state-backed groups. The two groups being blamed for this attack are known as “APT40” and “APT31”. In brief, these groups are known for tactics such as phishing campaigns and enumerating web servers for vulnerabilities. In a blog post on FireEye, Fred Plan et al. mention, “APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement.” (Source2) For those not familiar, a web shell is a script placed on a web server that gives an attacker remote command-line access to the machine. Most web shells get onto a server through misconfigured or weak web applications, via vectors such as SQL injection, exposed admin interfaces, and XSS. For more information on web shells refer to Source3.
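The quoted FireEye passage describes what a web shell does; the natural question for a defender is how to spot one sitting in a web root. The script below is an added example for this post, not code from the original post, from FireEye, or from any vendor. It applies the definition above directly: a one-file web shell must both read attacker input from the HTTP request and pass it to a code or process execution sink, so a file that contains both, especially one modified recently, deserves a look. The indicator patterns, file extensions, and the fixture files it builds in a temporary directory are all assumptions chosen for illustration, not published signatures or real indicators of compromise.

```python
# Added example (not from the original post): a heuristic web shell scanner a
# defender could run over a web root. Indicator patterns, extensions and the
# fixture files below are assumptions for illustration, not published signatures.
import os
import re
import tempfile
import time

# A web shell needs a way to read attacker input from the HTTP request...
INPUT_PATTERNS = [
    r"\bRequest\s*[\.\[]",               # ASP.NET: Request["x"], Request.Form, ...
    r"\$_(GET|POST|REQUEST|COOKIE)\b",   # PHP superglobals
    r"request\.getParameter\s*\(",       # JSP servlet API
]
# ...and a way to hand that input to a code or process execution sink.
EXEC_PATTERNS = [
    r"\beval\s*\(",
    r"\b(system|shell_exec|passthru|popen)\s*\(",   # PHP
    r"\bProcess\.Start\s*\(|\bProcessStartInfo\b",  # .NET
    r"Runtime\.getRuntime\(\)\.exec\s*\(",          # Java
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asp", ".php", ".jsp"}


def classify_text(text):
    """Return the list of reasons a file's content looks like a web shell."""
    reasons = []
    has_input = any(re.search(p, text) for p in INPUT_PATTERNS)
    has_exec = any(re.search(p, text) for p in EXEC_PATTERNS)
    if has_input and has_exec:
        reasons.append("request input reaches a code/process execution sink")
    return reasons


def scan_webroot(root, recent_hours=24, now=None):
    """Walk a web root and return findings as dicts with 'file' and 'reasons'."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue  # static assets are not server-side scripts
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = classify_text(fh.read())
            if not reasons:
                continue  # benign content: a fresh timestamp alone is not an alert
            age_hours = (now - os.path.getmtime(path)) / 3600
            if age_hours <= recent_hours:
                reasons.append(f"modified within the last {recent_hours}h")
            findings.append({"file": os.path.relpath(path, root), "reasons": reasons})
    return findings


def build_sample_webroot():
    """Create a throwaway web root with constructed fixture files for a demo run."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # Ordinary page: reads request input but never executes anything.
        "default.aspx": '<%@ Page Language="C#" %>\n<p>Hello <%= Request["name"] %></p>\n',
        # Static asset: skipped by extension.
        "site.css": "body { color: black; }\n",
        # Constructed indicator fixture (deliberately not a valid page):
        # request input sits next to a process-start sink.
        "uploads/helper.aspx": '<% var c = Request["c"]; Process.Start(/* fixture */); %>\n',
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

Run against a real web root, the scanner is only a triage aid: pattern matching misses obfuscated or encoded shells and will flag legitimate admin pages that spawn processes, so each hit still needs a human to compare the file against the deployed release and check who wrote it and when. The modification-time reason is deliberately only attached to files that already match on content, so a routine deployment does not light up every page.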

Sources:

Additional Resources: