Threat Awareness – New IceApple Toolset Being Deployed on Microsoft Exchange Servers

Security researchers have discovered a new sophisticated post-exploitation framework being primarily deployed on Exchange servers, dubbed IceApple. The toolset was discovered by CrowdStrike after an alert triggered on a new customer’s Microsoft OWA deployment. Researchers believe the developers behind IceApple prioritize keeping a low profile in network environments to achieve long-term objectives in targeted attacks. Since first being observed in late 2021, threat actors behind IceApple have targeted entities in the technology, academic, and government sectors across the globe. IceApple has been deployed on Microsoft Exchange Servers and can also operate in Internet Information Services (IIS) web applications. The framework “comes with at least 18 modules that help the attacker discover relevant machines on the network, steal credentials, delete files and directories, or exfiltrate valuable data,” according to BleepingComputer. Additionally, to avoid detection, IceApple appears to use multiple evasion techniques. Finally, researchers believe that based on the observed behavior of IceApple, its likely operated by a state-sponsored threat actor. Read more at BleepingComputer.