
ToddyCat Malware Compromises Microsoft Exchange Servers using ProxyLogon Vulnerability
ToddyCat Malware: A Persistent Threat Exploiting ProxyLogon in Microsoft Exchange
The landscape of cyber espionage is constantly shifting, with sophisticated threat actors continually refining their tactics. Among these, the ToddyCat group has emerged as a particularly concerning entity, adept at leveraging critical vulnerabilities to infiltrate high-value targets. Their operations, which began in late 2020, highlight the enduring risk posed by unpatched systems, specifically Microsoft Exchange servers, and underscore the need for rigorous cybersecurity practices.
The Rise of ToddyCat: From Unknown Exploits to ProxyLogon Dominance
ToddyCat first appeared on the radar in December 2020, demonstrating its capability by compromising Microsoft Exchange servers in Taiwan and Vietnam. At this initial stage, the specific vulnerability they exploited remained undisclosed. However, their operational sophistication significantly escalated in February 2021 when they began actively leveraging the infamous ProxyLogon vulnerability. This shift marked a critical turning point, allowing ToddyCat to expand its reach and impact across multiple continents. Their strategic use of such a potent vulnerability positioned them as a serious cyber espionage threat.
Understanding the ProxyLogon Vulnerability
ProxyLogon is the name given to a chain of vulnerabilities in on-premises Microsoft Exchange Server. The chain pairs an unauthenticated Server-Side Request Forgery (SSRF) with post-authentication arbitrary file write flaws, so that an attacker who reaches the server over HTTPS can first impersonate the Exchange server and then write files to disk. The primary CVEs associated with ProxyLogon are:
- CVE-2021-26855: A Server-Side Request Forgery (SSRF) vulnerability that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service, requiring administrator permissions or another vulnerability to exploit.
- CVE-2021-26858: A post-authentication arbitrary file write vulnerability in Exchange PowerShell.
- CVE-2021-27065: A post-authentication arbitrary file write vulnerability, also in Exchange PowerShell.
Exploiting these vulnerabilities allows attackers to bypass authentication and execute arbitrary code on the Exchange server, leading to full system compromise. ToddyCat’s adoption of ProxyLogon significantly amplified their attack capabilities, enabling them to gain initial access and establish persistence within targeted networks.
ToddyCat’s Modus Operandi and Targeted Organizations
As a cyber espionage group, ToddyCat focuses on sensitive data exfiltration and long-term persistence within compromised networks. While the source does not fully describe their post-exploitation activity, their choice of Microsoft Exchange servers as a primary target indicates an interest in email communications and directory services. Such access provides a wealth of intelligence, including sensitive emails, contact lists, and organizational structures, all of which are valuable for espionage operations. The reference to “high-profile organizations across multiple continents” points to a broad, strategic targeting approach that extends beyond regional interests.
Remediation Actions for ProxyLogon and ToddyCat Threats
Protecting against sophisticated threats like ToddyCat, especially those leveraging critical vulnerabilities, requires a proactive and multi-layered security strategy. For organizations still vulnerable to ProxyLogon or concerned about the broader implications of ToddyCat’s tactics, immediate action is paramount.
- Patching: Apply all available security updates for Microsoft Exchange Server immediately. Microsoft released out-of-band patches for ProxyLogon in March 2021. Ensure these, and all subsequent patches, are installed.
- Vulnerability Scanning: Regularly scan your network for known vulnerabilities, specifically focusing on Exchange servers.
- Compromise Assessment: If patching was delayed or if any suspicious activity is observed, perform a thorough compromise assessment. Look for web shells, unusual processes, new user accounts, and anomalous network connections.
- Network Segmentation: Isolate critical servers like Exchange from less-trusted network segments to limit lateral movement in case of a breach.
- Strong Authentication: Implement multi-factor authentication (MFA) for all administrative accounts and external access to Exchange.
- Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor for suspicious activities on hosts, including web shell creation attempts, unusual process executions, and file modifications.
- Review Logs: Regularly review Exchange server logs, IIS logs, and firewall logs for signs of compromise or attempted exploitation.
Detection and Mitigation Tools
Several tools can assist organizations in detecting ProxyLogon exploitation and a broader range of threats that could indicate ToddyCat activity.
| Tool Name | Purpose | Link |
|---|---|---|
| Microsoft Exchange On-Premises Mitigation Tool (EOMT) | Mitigates ProxyLogon vulnerabilities for unsupported versions of Exchange. | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 |
| Nmap (NSE Scripts) | Network scanner with scripts for detecting vulnerable Exchange versions. | https://nmap.org/ |
| CISA Exchange On-Premises Vulnerability Detection Tools | PowerShell scripts for detecting web shells and other compromise indicators. | https://github.com/cisagov/check-exchange-iis-logs |
| Microsoft Defender for Endpoint | EDR capabilities for detecting and blocking post-exploitation activities. | https://www.microsoft.com/en-us/security/business/threat-protection/microsoft-defender-for-endpoint |
Conclusion
ToddyCat represents a significant and persistent cyber espionage threat, adept at leveraging critical vulnerabilities like ProxyLogon to compromise prominent organizations. Their evolution from exploiting unknown flaws to mastering a high-impact Exchange vulnerability underscores the critical need for robust patch management, continuous monitoring, and proactive incident response strategies. Organizations must prioritize patching, implement strong security controls, and utilize available tools to detect and mitigate the risks posed by such sophisticated actors. Remaining vigilant and adapting security postures to counter evolving threats is non-negotiable in the current cybersecurity climate.