Outlining a new SiestaGraph backdoor

Threat Level

Attack Report

For a detailed threat advisory, download the pdf file here

Summary

The Foreign Affairs Office of an Association of Southeast Asian Nations (ASEAN) member is targeted by multiple threat actors who are coordinating active campaigns via a vulnerable Microsoft Exchange server. Upon establishing access, the victim’s emails are exported. The attack chain begins with the execution of “SiestaGraph,” which is named for the long sleep timer and the way the backdoor leverages the Microsoft Graph API for command and control.