Updated on 2022-12-16
One of the most interesting APT reports this week came from Proofpoint, which looked at spear-phishing operations by Iranian APT TA453 that deviated from the group’s standard targeting. Lots of interesting stuff in there, like the targeting of travel agencies inside Iran, space programs across the world, women’s rights organizations, and research institutes working on organ replacement. However, the one that caught our eye is highlighted below: Proofpoint’s researchers appear to believe it may have been intelligence collection in support of a potential IRGC on-the-ground espionage operation. Read more: Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
“Proofpoint observed a Gmail address targeting a Florida-based realtor with a benign conversation and TA453 affiliated web beacon. Open-source research of the realtor identified they were involved in the sale of multiple homes located near the headquarters of US Central Command (CENTCOM) during the phishing campaign. CENTCOM is the US Combatant Command responsible for military operations in the Middle East.”
Updated on 2022-12-14
Iranian hacking group TA453 has shifted its focus to U.S. politicians, medical researchers, and critical infrastructure, according to Proofpoint. The attacks have been ongoing for two years now. Read more: Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
Updated on 2022-12-07: APT42
The Human Rights Watch activist group says that two of its staff members have been targeted in a spear-phishing campaign carried out by APT42 (or Charming Kitten), one of Iran’s state-backed cyber-espionage groups. The same campaign also targeted 18 other high-profile activists, journalists, researchers, academics, diplomats, and politicians working on Middle East issues. At least three individuals were compromised, the organization said.
“For the three people whose accounts were known to be compromised, the attackers gained access to their emails, cloud storage drives, calendars, and contacts and also performed a Google Takeout, using a service that exports data from the core and additional services of a Google account.”
Updated on October 2022: TA453 attack
Researchers from CyFirma have published a breakdown of a social engineering attack carried out by the Iranian group TA453. Read more: Advanced Social Engineering Attacks Deconstructed
Updated on 2022-09-19: Iranians went on a U.S. ransomware rampage, DOJ says
Three Iranian hackers with ties to the Iranian government, known as Charming Kitten or APT35, have been charged by U.S. authorities.
APT35 attacked hundreds of organizations, including a domestic violence shelter and power companies in the U.S., and others around the world. The hackers broke in and then turned Microsoft’s own disk-encryption tool, BitLocker, against victims’ data. The DOJ says the hackers were seeking financial gain as a side hustle to their main work supporting the Iranian government; Secureworks detailed their activities and infrastructure in a lengthy blog post. The Treasury sanctioned the hackers and the front businesses they worked for, and even the NSA got in on the announcement. See, isn’t it nice when all of government works together?
Read more in
- Iranians Hacked A Domestic Violence Shelter And U.S. Power Companies In Ransomware Rampage, DOJ Says
- U.S. charges three Iranians for ransomware attacks on women’s shelter, businesses
- Iranian Hackers Accused of Tormenting Domestic Violence Shelter in Pennsylvania
NEW: US sanctions #Iran–#IRGC #cyber actors for #ransomware attacks @USTreasury says the actors "launched extensive campaigns against organizations & officials across the globe, particularly targeting US & Middle Eastern defense, diplomatic, & government personnel" pic.twitter.com/rEbDorMWIt
— Jeff Seldin (@jseldin) September 14, 2022
Updated on September 2022: Charming Kitten OpSec mistakes
PwC researchers published a report detailing the operational security (OpSec) mistakes of Charming Kitten (APT35, Yellow Garuda), an Iranian APT known for making such mistakes for years.
Updated on August 2022: Charming Kitten scraping inboxes
Google’s TAG says it has uncovered a tool developed by the Iran-backed group known as Charming Kitten, dubbed “HYPERSCRAPE,” used to download emails and other data from Gmail, Yahoo and Outlook accounts. The tool runs on the attacker’s own machine and needs the victim’s credentials or an already-authenticated session the attacker has hijacked, so it is a post-compromise collection tool rather than a way in. It is not particularly sophisticated but is notable for its “effectiveness in accomplishing Charming Kitten’s objectives” against the group’s usual high-risk targets.
Updated on May 2022: Iranian APT Group Launching Ransomware Attacks Against US
Over the past several months, the Iran-linked cyberespionage group Charming Kitten (aka APT35, Magic Hound, Phosphorus, NewsBeef, Newscaster and TA453) has been engaging in financially motivated activity, the Secureworks Counter Threat Unit (CTU) reports. In December 2021 the group was acquiring exploits for the Log4j vulnerabilities; in January 2022 it was observed using a new PowerShell backdoor; and most recently it has turned to financially motivated attacks, including ransomware deployment.
- At this time the group appears to be small, using manual operations rather than an automated system to map victims to their encryption keys, which increases the likelihood of an unsuccessful recovery even if the ransom is paid. Expect them to also post exfiltrated data as additional leverage to push victims to pay, if they haven’t already. Know where your data is and be prepared to decide its value before someone else puts a price tag on it. If you’re not comfortable with its protection or location, take steps before an incident happens.
- We published multiple detection opportunities for APT35 in this Threat Thursday blog post. While prevention is a goal, detection and response are a requirement. These detections cover a number of TTPs used by other threat actors as well: https://www.scythe.io/library/threat-actor-apt35
Read more in
- Iranian Cyberspy Group Launching Ransomware Attacks Against US
- Iranian APT Cobalt Mirage launching ransomware attacks
Overview: Medical Researchers Targeted in Phishing Campaign
A report from Proofpoint says that state sponsored threat actors have targeted medical researchers in the US and Israel with credential phishing attacks. The campaign began in December 2020. Proofpoint says “the tactics and techniques observed in BadBlood (Proofpoint’s name for the campaign) continue to mirror those used in historic TA453 (aka Charming Kitten) campaigns.”
- Capturing reusable credentials continues to be the “easy button” for getting access to systems and information. In this campaign the attackers are using look-alike sites to harvest credentials, and while some users may notice that 1drv[.]casa is not a legitimate Microsoft login domain, many will miss that clue. The more complete solution is ubiquitous multi-factor authentication with no opt-out for any user; that is what reduces the value of captured credentials. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), since a look-alike login page can relay a one-time code just as easily as a password. If possible, integrate your password processes with breach data checks to identify and trigger updates for passwords that have been exposed.
- Almost every time I read a long report about a complex state-sponsored attack, in the first paragraph I’ll see “phishing” and “harvested login-credential.” After that will be catchy names for the threat actor or malware, and descriptions of what the attackers did after easily “harvesting credentials” – i.e., taking advantage of the use of reusable passwords by obvious targets, like sys admins, medical researchers during a pandemic, security researchers, CFOs, etc. There has been a lot of hype recently about “Zero Trust” architectures, which can’t exist when those targets are still using easily compromised credentials.
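As an added example, not code from Proofpoint or from this page’s editors, here is how a password-change workflow can implement the breach-data check recommended above using the Pwned Passwords k-anonymity range query: only the first five hex characters of the password’s SHA-1 leave the host, and the suffix match happens locally. The range response is constructed sample data in the API’s documented `SUFFIX:COUNT` format, supplied through a callable so the example runs offline; `fake_fetch_range`, `SAMPLE_BREACHED` and its counts are assumptions made for the example.

```python
"""Breach-data password check via the Pwned Passwords k-anonymity range API.

Added example for this page. The live API is never called here; a constructed
range response stands in for it so the code runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real range endpoint, kept for reference only. A production fetch would GET this
# URL and hand the response body to breach_count() through fetch_range.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix goes over the wire, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response body ("SUFFIX:COUNT" per line) into {suffix: count}.
    Tolerates CRLF line endings, blank lines and lower-case hex."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.strip().upper()] = int(count.strip() or "0")
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 if never seen).
    Only the hash prefix is handed to fetch_range; the suffix comparison is local."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def acceptable(password: str, fetch_range: Callable[[str], str],
               min_length: int = 12) -> Tuple[bool, str]:
    """Policy hook for a password-change flow: reject short or breached passwords."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


# --- CONSTRUCTED sample data standing in for the live API (assumption) ---
# Plaintexts and counts are made up for the example; hashes are computed, not typed in.
SAMPLE_BREACHED = {"password": 3861493, "Password123!": 2048}
_FILLER_SUFFIX = "0" * 35  # a real range holds hundreds of suffixes; one filler keeps the shape


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET RANGE_URL: returns the sample suffixes under this prefix."""
    lines = [f"{_FILLER_SUFFIX}:1"]
    for plaintext, count in SAMPLE_BREACHED.items():
        p, s = split_hash(sha1_upper(plaintext))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple"):
        print(candidate, acceptable(candidate, fake_fetch_range))
```

In a real deployment, swap `fake_fetch_range` for a function that performs the HTTPS GET against `RANGE_URL` and returns the body; nothing else changes, and the server still only ever sees the five-character prefix.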
Read more in