A report released by ESET researchers on June 10th details a threat group dubbed BackdoorDiplomacy attributed to campaigns targeting Ministries of Foreign Affairs of many African, Middle East, and European countries. The report notes attacks against private industry by BackdoorDiplomacy as well. Researchers noted links between the tactics of BackdoorDipolmacy and several other groups out of Asia using the Turian and Quarian backdoor. ESET goes as far as to claim a link to “CloudComputating” group analyzed by Sophos earlier this year.
BackdoorDiplomacy uses a backdoor named Whitebird.1. BackdoorDiplomacy targets Internet-facing assets specifically F5 BIP-IP, Microsoft Exchange Servers, and misconfigured Plesk servers. It should be noted this group seems to be skilled at intrusions in Windows, Linux and other platforms, working in whatever environment the target leaves vulnerable.
Analyst Notes
BackdoorDiplomacy’s initial compromise involved exploiting vulnerabilities that had patches and mitigations available by vendors, with exception to the misconfigured Plesk server. While this campaign targeted government entities this does not necessarily point to a high degree of sophistication. The group uses known, open-sourced, and or reconfigured tools before and during compromise. With the right team in place maintaining a strong patch management program, a Security Operations Center monitoring the network, and a team of Threat Researchers such the services offered by Binary Defense, the goal of “Defense in Depth” can be realized to effectively defend against adversaries of all skill levels.
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
