Discovered in December 2020, APT ToddyCat has targeted high-profile victims within the military and government sectors. Their targets include organizations in Vietnam, Taiwan, India, the U.K., Russia, and Iran. Although ToddyCat is a relatively new APT, the threat actor has been responsible for several attacks since their emergence.
ToddyCat is known for exploiting Microsoft Exchange server flaws, including ProxyLogon. The group’s goal appears to be related to geopolitical interests and they have conducted several campaigns. Let’s take a look at ToddyCat’s techniques and tactics, and why it’s important to implement cyber security best practices to prevent an attack from APTs like ToddyCat.
As we stated previously, ToddyCat is a new APT that is unrelated to other known actors. The group has been active since December 2020 and has attacked several high-profile organizations within the government and military sectors. During that time, ToddyCat started its campaign off by compromising Microsoft Exchange Servers in Taiwan and Vietnam by using an unknown exploit.
The unknown exploit led to the creation of the web shell, China Chopper. The web shell was used to initiate a multistage infection chain, which included custom loaders used to stage a passive backdoor called Samurai. Between December 2020 and February 2021, ToddyCat was observed targeting three organizations in Taiwan and Vietnam.
It wasn’t until February 26, 2022, into early March 2022, that the APT escalated their attacks and began abusing ProxyLogon to compromise several unnamed organizations across Europe and Asia. ToddyCat was able to scan for and target unpatched Microsoft Exchange servers across the two continents. It is suspected that ToddyCat abused the ProxyLogon vulnerability in December 2020, which allowed them to gain remote code execution on vulnerable servers to deploy China Chopper webshells.
In March 2021, ESET Research published a report detailing the attack of exchange servers from at least ten APT groups. At the time ToddyCat was still unnamed, but the group was one of the APT’s targeting the servers and exploiting Microsoft Exchange vulnerabilities. Other threat actors (also APTs) included LuckyMouse, Tick, Winnti Group, and Calypso.
The Microsoft Exchange vulnerabilities were discovered by security researcher, Orange Tsai, and the cluster of activity observed by ESET Research was named Websiic. The researchers observed the cluster targeting seven email servers that belonged to private companies – with domains in the IT, engineering, and telecommunications sectors. ESET Research suspected that the operators behind the cluster had access to the Microsoft exchange vulnerabilities before a patch was released.
Websiic was identified due to the presence of a loader as its first staged named google.log or google.aspx, and an encrypted configuration file, named access.log. According to ESET Research, the loader stops a service that is identified in the config and creates a new entry under the Windows registry. After the loader was deployed on the victims from Websiic, the second stage loader was observed on one of the victim’s computers. As a result, seven victims were flagged by the presence of the first loader.
Image 1: ToddyCat's Infection Window
Samurai is the final stage of ToddyCat’s infection chain and was used during the second wave of Microsoft Exchange server attacks – targeting Iran, Russia, the U.K., and India. Samurai is a passive backdoor that usually works on ports 80 and 443. The backdoor allows arbitrary C# code execution and is used with modules that allow ToddyCat operators to control the remote system and move laterally inside a network.
In some cases, Samurai was observed being used to launch another malicious program called Ninja. Ninja is more than likely a component of an unknown-post exploitation toolkit that’s exclusive to ToddyCat. A collaborative tool, Ninja allows several operators to work on the same machine at the same time. Ninja allows ToddyCat to control remote systems, avoid detection, and penetrate a targeted network via a large set of commands.
The next wave of attacks from ToddyCat began May 2021 and lasted until February 2022. The APT targeted the same cluster of countries named during the first wave of attacks, but also included organizations from Uzbekistan, Kyrgyzstan, and Indonesia. During this phase, ToddyCat expanded even more and included desktop systems in addition to Microsoft Exchange servers.
ToddyCat favors attacking high-profile organizations within the military and government, including military contractors. The victims seem to be linked to industry sectors and countries that have been targeted by Chinese speaking groups.
As of late, there has been an uptick in APT activity, and they are becoming more visible as the weeks progress. Since the war between Russia and Ukraine began, APTs like Muddy Water, Aoqin Dragon, Bronze Mohawk, Bronze Starlight, and ToddyCat have taken advantage of the fact that most cyber security researchers and analysts have their attention on the Russia Ukraine cyber war.
Unlike data extortion groups and ransomware groups, APTs like ToddyCat are not after money. Their purpose is to glean classified data, trade secrets, and other forms of intellectual property that can be used politically. At the moment, there are no reports of ToddyCat demanding ransoms from their targets. Just like other politically motivated groups, ToddyCat targets large and high-value organizations within a small community – military and government.
However, some APTs are starting to use ransomware to disguise their cyberespionage activities. Bronze Starlight is a China linked state-sponsored APT that uses HUI Loader to drop ransomware like Rook and LockFile. Bronze Riverside is another APT that uses HUI Loader to drop ransomware. The goal of these APTs is to distract incident responders by deploying the ransomware and to destroy evidence of an intrusion.
According to SecureWorks, Bronze Starlight is only interested in cyberespionage due to their operational cadence and victimology not aligning with financially motivated cyber crime operations. Their ransomware targets a small number of victims over a short period of time and then ceases operations permanently – an operational cadence that is not indicative of a financially motivated group.
APTS like Bronze Starlight and ToddyCat are persistent and will stay in their victim’s networks and systems for months or years before they are discovered. ToddyCat uses several techniques to avoid detection and keep a low profile, making it extremely difficult for them to be detected by analysts. Unfortunately, by the time they are discovered it’s too late and they’ve already taken the information they were after.
One of the ways ToddyCat was able to infiltrate their victim’s networks and systems was through unpatched Microsoft Exchange servers. Patching is a cyber security best practice that gets overlooked but is just as important as having the latest advanced threat hunting tools. When cyber security professionals talk about patching devices, they are simply saying that you need to apply updates to your software as those updates become available.
Common areas that will need patches include operating systems, applications, and embedded systems (like network equipment). When a bug is found after the release of a piece of software, a patch can be used to remediate it. Patching helps ensure that assets in your environment are not vulnerable to attackers.
In 2017, Equifax suffered a data breach that affected over 145 million people. It was one of the largest breaches of its kind in history and was the result of an employee who didn’t apply the most recent patch for Apache Struts. The patch was available for two months before the company was breached.
Another example of how important it is to patch is the Log4Shell exploit. In January 2022, Avertium’s Cyber Threat Intelligence team published a Threat Intelligence Report detailing the Log4Shell (CVE-2021-44228). Log4Shell was a zero-day critical vulnerability found in the Apache Log4j2 Java-base logging library. The flaw was an unauthenticated remote code execution vulnerability that allowed for complete system takeover. Attackers had the ability to install cryptominers, steal data, and steal credentials.
Major enterprises like Amazon, Apple, and Tesla were all affected by Log4Shell, and cyber security professionals were in a hurry to come up with a solution to this massive problem. The situation quickly went from bad to worse when it was discovered that the first patch Apache issued for CVE-2021-44228 didn’t exactly fix the problem.
After the news broke about how easy it was to exploit Log4j2, threat actors made swift moves. Log4Shell resulted in massive world-wide scanning with the payloads running from miners, Unix DDoS malware, and framework stagers pushed to compromised hosts. Several threat actors took advantage of the Log4Shell exploit, with one of those threat actors being Conti.
Additionally, The Iranian threat actor, DEV-0270, and Chinese APT, APT10, were among the first to aggressively exploit Log4Shell. Mandiant observed reconnaissance activity linked to APT10 and DEV-0270 successfully attacked multiple U.S. companies via ransomware deployments.
One would think that because Log4Shell was so dangerous and easy to exploit, that organizations would rush to patch their devices. However, in March 2022 researchers at Qualys’s found that more than 150 million IT assets across the world had vulnerable application installations of Log4j, with 80% of them being open-source applications. Of those application installations, 30% of Log4j instances were vulnerable to exploitation and only 70% of the Apache Log4j applications had been patched. Developers were still downloading vulnerable versions of Log4j. Not patching and downloading vulnerable versions of software was how threat actors were still able to exploit Log4Shell.
Because leaving devices unpatched leads to cyber attacks, the FTC issued a strong warning to organizations who don’t patch their devices. The warning stated that the FTC will use its full legal authority and pursue companies who fail to patch vulnerable devices. Data breaches, financial loss, and other irreversible damage can happen as the result of not patching. Organizations should not wait until the eleventh hour to patch devices when so many people rely on them to keep their information safe.
Once an APT like ToddyCat is inside a network, it can give them unlimited access to do further reconnaissance. Chinese APTs are some of the world’s oldest and most skilled when it comes to cyber espionage. Avertium is here to keep your organization safe and to mitigate any attacks caused by Chinese APTs like ToddyCat:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.