Saturday, May 18, 2024

‘Scan-and-exploit’ campaign snares unpatched Exchange servers


Organizations operating unpatched Microsoft Exchange servers have been the main target of a campaign by Iranian APT Charming Kitten.

The threat group — also known as Ballistic Bobcat, TA453 and Phosphorus — used a previously unseen backdoor malware in the campaign, which is known to have hit at least 34 victims operating across a diverse range of industry verticals.

In a Sept. 11 analysis of the campaign, ESET researcher Adam Burgher, who discovered the new backdoor used in the campaign, stated all but two of the victim organizations were based in Israel, with the others located in Brazil and the United Arab Emirates.

The threat group “obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses,” Burgher stated.

The “scan-and-exploit” nature of the campaign meant the compromised organizations were “victims of opportunity” rather than pre-selected targets.

The victim set covers a diverse range of industries — including automotive, manufacturing, engineering, financial services, media, healthcare, technology and telecommunications — and some had an “apparent lack of obvious intelligence value” that would usually spark the interest of an APT group.

But what the victims did all appear to have in common was known vulnerabilities left unpatched on their Exchange servers.

ESET identified a critical Exchange remote code execution vulnerability, CVE-2021-26855, as the likely means of initial access in 23 of the 34 attacks. Microsoft released a patch for the vulnerability (which has a CVSS score of 9.8) in March 2021.

Further reinforcing the risks of not patching known vulnerabilities, Burgher stated ESET’s research revealed that for 16 of the 34 victims of the campaign, it appeared Charming Kitten was not the only threat actor to have gained access to their systems.

“The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” Burgher stated.

One of the victims of the campaign, an Israeli company operating an insurance marketplace, was initially attacked by Charming Kitten in August 2021. The tools used in that attack were described three months later in an alert from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies.

The new backdoor Burgher discovered, which ESET calls Sponsor, was first deployed as part of Charming Kitten’s arsenal in September 2021. Written in C++, it allows standard backdoor operations including gathering information about the target system and uploading and downloading data and commands via a command-and-control server.

The backdoor uses configuration files stored on disk, which are discreetly deployed by batch files and deliberately designed to appear innocuous, in an attempt to evade detection by scanning engines.

“This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years,” Burgher stated.

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers.”

Pet News 2Day