Reports from IICS web application penetration testing experts mention that a group of Russian cyber spies has created one of the most advanced backdoors ever designed to attack an email server.
The LightNeuron backdoor was specially developed to attack Microsoft Exchange email servers and, according to web application penetration testing experts, it works as a mail transfer agent (MTA), a method never seen before in a backdoor. “Probably this is the first malicious software designed to specifically target Microsoft Exchange”, mentioned one of the specialists.
Experts mention that LightNeuron allows threat actors to get full control over all the activities of the infected server; thus, attackers can intercept, redirect, and even edit incoming and outgoing email on the compromised server.
The cyber spying operations of this group, identified as Turla, read like something out of a sci-fi tale. On previous occasions the group has hijacked satellite links to deploy malware, hidden command-and-control instructions in Instagram comments, and even taken control of the entire infrastructure of Internet service providers.
Web application penetration testing specialists mention that Turla has used the LightNeuron backdoor for at least the last five years, which demonstrates how well this criminal group has evaded law enforcement since 2014.
The specialists say they have already identified three victims of this attack. Although the names of the affected organizations were not revealed, the experts shared some details:
- One of the victims is a Brazilian organization
- The Ministry of Foreign Affairs of a European country
- A Middle Eastern diplomatic organization
According to the experts of the International Institute of Cyber Security (IICS), LightNeuron's highlight is its command and control mechanism. Once a Microsoft Exchange server has been infected and modified with LightNeuron, the attackers never connect to it directly; instead, they send emails with PDF or JPG attachments.
Using steganography, the attackers hide their commands inside the attached images. The backdoor then reads these commands from the attachment and executes them, which makes an attack attempt by Turla extremely difficult to detect.