LightNeuron Microsoft Exchange Backdoor

LightNeuron is a backdoor trojan associated with Turla, an advanced persistent threat group, specifically targeting Microsoft Exchange email servers. The malware operates as a transport agent in order to gain access and control over any email flowing through the system.

Threat ID:: CC-3050
Category:: Backdoor
Threat Severity:: Medium
Threat Vector:: Backdoor, Email
Published:: 9 May 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Exchange Server

Microsoft Exchange - All versions

Threat details

Transport agents are legitimate programs typically used for adding corporate signatures to emails and the filtering of spam, malicious emails and attachments.

At the time of publication, LightNeuron has been observed to be downloaded and installed on previously compromised systems via a PowerShell script. It is unclear if this is the only method of delivery.

Once infected the attacker controls LightNeuron via emails sent to the server. These emails contain commands hidden in PDF and JPG attachments using steganography. After the commands have been processed the email is blocked so it will not be delivered to the final recipient.

Please note that, at the time of publication, transport agents are not supported in Office 365 or Exchange Online. As such these products are unaffected by this malware.

For further information:

Turla LightNeuron: One email away from remote code execution' white paper (ESET Research & Faou, 2019)

Remediation steps

Type	Step
	Deletion of LightNeuron’s files will disable Microsoft Exchange functionality, possibly necessitating re-installation or re-imaging. Detailed removal guidance is available in the ESET white paper. To prevent and detect a LightNeuron infection, ensure that: All installed transport agents are signed by a trusted provider and reviewed periodically. A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

Deletion of LightNeuron’s files will disable Microsoft Exchange functionality, possibly necessitating re-installation or re-imaging. Detailed removal guidance is available in the ESET white paper.

To prevent and detect a LightNeuron infection, ensure that:

All installed transport agents are signed by a trusted provider and reviewed periodically.
A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:51 pm