Iran's Charming Kitten Pounces on Israeli Exchange Servers

Published: 23/11/2024   Category: security




Archrivals face off in the cyber plane, as opportunistic hackers prey on the unpatched and generally negligent.



In the last two years, an Iranian state-backed threat actor has breached 32 Israeli organizations running unpatched Microsoft Exchange servers, deploying a new backdoor along the way.
Charming Kitten — also known as TA453, Phosphorus, and Ballistic Bobcat — is a decade-plus-old APT sponsored by the Islamic Republic of Iran. Historically, the group has taken a particular interest in the United States and its benefactors, bête noire to the West, as well as individual journalists and activists within its own borders.
However, it doesn't always limit itself to certain geographic regions or sectors. In its latest campaign, which researchers from ESET are calling "Sponsoring Access," Charming Kitten took a so-called scan-and-exploit approach, deploying its new backdoor, Sponsor, against seemingly any organization in Israel (plus one in Brazil and another in the United Arab Emirates) still running unpatched Microsoft Exchange servers. And it's not the first time it's taken such an approach.
In November 2021, CISA warned of Iranian state-sponsored hackers exploiting known critical vulnerabilities in Fortinet FortiOS and FortiGate, and Microsoft Exchange.
In one case that August, for instance, ESET observed Charming Kitten attack an Israeli organization via CVE-2021-34473, a 9.8 CVSS-rated critical remote code execution (RCE) vulnerability in MS Exchange. In the months that followed, Charming Kitten used the access afforded by CVE-2021-34473 to drop a series of evolving payloads until, in December, it settled on its latest backdoor: Sponsor.
Sponsor is a largely conventional backdoor that gathers various information about its host and sends it back to a command-and-control (C2) server. It also enables its proprietor to run commands and download files to a targeted machine.
In the last couple of years since CISA's notice, Charming Kitten has returned to this same well over and over, taking advantage of exposed MS Exchange servers to drop Sponsor — as well as any number of open source tools, like Mimikatz and Plink, a command line tool — into any outdated Israeli network.
By targeting only delinquent patchers, Sponsoring Access is above all an opportunistic campaign. This is perhaps best highlighted by one remarkable fact: In 16 of the 34 cases observed by ESET, Charming Kitten was not the only threat actor with access to the compromised network.
"Scan-and-exploit, as opposed to a more highly targeted approach, is something that APTs have been doing to try and increase their access to victims," says ESET researcher Adam Burgher, adding that "perhaps others are not as widespread as this campaign."
Charming Kitten's victims have included a media outlet, a medical law firm, two IT companies, vendors for skin-care products, food, diamonds, and more. The overwhelming majority of targets were Israeli — though, strangely, two were not: one unidentified organization in the UAE, and a medical cooperative and health insurance operator in Brazil.
Luckily, because Sponsoring Access attacks take advantage of a known, fixable vulnerability, they're also easy to fend off with a simple patch.
"It's things that I would tell any corporate entity or any entity that has assets connected to the internet," Burgher emphasizes. "Make sure you know what you have that's connected to the internet, patch it, and make sure you've got good audit logs."
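The chain described above, from an Exchange RCE to dropping open source tools such as Mimikatz and Plink, leaves a trace in exactly the audit logs Burgher recommends: whatever the intruder launches first appears as a child of the process that served the exploited web request. The following is an added example, not code from ESET, Dark Reading or the campaign itself, that applies that check to constructed process-creation records. The JSON field names and the assumption that Exchange web endpoints run inside the IIS worker process w3wp.exe are mine, not the article's.

```python
"""Flag shells and known tools launched from the Exchange web worker.

Added example (not ESET's or Dark Reading's code). Scans constructed
process-creation records in a simplified JSON-lines format whose field
names (ts, host, parent, image, original_file_name, cmdline) are an
assumption, loosely modelled on Windows/Sysmon process-creation events.
"""
import json
from typing import Dict, Iterable, List, Optional

# Assumption: Exchange front-end code runs inside the IIS worker process
# w3wp.exe, so code executed through an Exchange RCE runs there, and any
# shell or tool it launches shows up as a child of w3wp.exe.
WEB_WORKER_PARENTS = {"w3wp"}

# Children a web worker has no legitimate reason to start: generic command
# shells plus the open source tools named in the campaign write-up
# (Mimikatz, Plink). Compared without directory and without ".exe".
SUSPICIOUS_CHILDREN = {"cmd", "powershell", "plink", "mimikatz"}

# Constructed sample log: two suspicious launches, two that are not flagged.
SAMPLE_LOG = r"""
{"ts": "2021-08-01T10:15:02Z", "host": "EXCH01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "original_file_name": "Cmd.Exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2021-08-01T10:17:40Z", "host": "EXCH01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\ProgramData\\svc.exe", "original_file_name": "Plink", "cmdline": "svc.exe <args redacted>"}
{"ts": "2021-08-01T10:18:05Z", "host": "EXCH01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "original_file_name": "Cmd.Exe", "cmdline": "cmd.exe"}
{"ts": "2021-08-01T10:19:11Z", "host": "EXCH01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\conhost.exe", "original_file_name": "CONHOST.EXE", "cmdline": "conhost.exe 0x4"}
"""


def _tool_name(path: str) -> str:
    """Lower-case file name without directory or trailing '.exe'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event: Dict) -> Optional[str]:
    """Return a reason if the event is a suspicious web-worker child, else None."""
    if _tool_name(event.get("parent", "")) not in WEB_WORKER_PARENTS:
        return None
    image = _tool_name(event.get("image", ""))
    if image in SUSPICIOUS_CHILDREN:
        return f"web worker spawned {image}"
    # A renamed binary usually keeps the OriginalFileName from its version
    # resource, so check that field too (assumption: the log records it).
    original = _tool_name(event.get("original_file_name", ""))
    if original in SUSPICIOUS_CHILDREN:
        return f"web worker spawned {original} renamed as {image}"
    return None


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines process events and return one finding per suspicious launch."""
    findings: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed record rather than abort the whole scan
        reason = classify(event)
        if reason:
            findings.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "reason": reason,
                "cmdline": event.get("cmdline", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding['ts']} {finding['host']}: {finding['reason']} :: {finding['cmdline']}")
```

Matching on the parent process rather than on a tool's file name is what makes the check survive the renaming seen in the second record; the same parent-child logic applies to any web application server, not only Exchange, by extending WEB_WORKER_PARENTS.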
