Iranian hackers are targeting critical infrastructure organizations with brute force tactics. This article explores their techniques, including MFA…

Iranian hackers are targeting critical infrastructure organizations with brute force tactics. This article explores their techniques, including MFA push bombing and credential theft. Learn how to protect your organization from these advanced threats and implement effective security measures.

A joint cybersecurity advisory issued by CISA, FBI, NSA, and international partners warns critical infrastructure organizations about Iranian hackers targeting their networks. These threat actors gain unauthorized access to critical infrastructure across various sectors, including healthcare, government, IT, engineering, and energy.

The attackers primarily rely on brute force tactics like password spraying exploiting common password combinations across multiple accounts to gain access. However, they also employ other methods for initial compromise, which are currently unknown.

According to the advisory, hackers have been using valid email accounts, often obtained through brute force, to gain initial access to Microsoft 365, Azure, and Citrix systems. In some instances, the actors exploit vulnerabilities in multi-factor authentication (MFA) by bombarding users with login requests until they accidentally approve access. This technique is known as “MFA fatigue” or “push bombing.”

In two confirmed cases, attackers exploited a compromised user’s open MFA registration and a self-service password reset tool linked to a public-facing Active Directory Federation Service. These threat actors may also take advantage of expired passwords or compromised accounts to gain initial access.

****Credential Theft and Maintaining Persistence:****

Once inside the network, the Iranian actors take steps to maintain persistent access. This often involves registering their own devices with MFA using compromised accounts to maintain access even if the legitimate user’s password is changed.

In addition, they leverage techniques like Remote Desktop Protocol (RDP) to move laterally within the network, allowing them to access additional resources and potentially escalate privileges.

The attackers utilize various methods to steal additional credentials within the network. This may involve using open-source tools to harvest credentials or exploiting vulnerabilities to access Active Directory information. They may also attempt to escalate privileges, potentially granting them higher levels of control within the system. This could allow them to manipulate or disrupt critical systems.

****Living off the Land (LOTL):** **

Iranian threat actors leverage legitimate system tools and techniques to gather information about the network and identify valuable targets. This approach, known as “living off the land,” allows them to evade detection by appearing as legitimate users.

The actors can use various Windows command-line tools to gather information about domain controllers, trusted domains, and user accounts. Additionally, they may use specific queries to search Active Directory for detailed information about network devices.

Avishai Avivi, CISO at SafeBreach, emphasizes that the CISA alert on Iranian cyber actors is a timely reminder, especially during cybersecurity awareness month, about the abuse of “MFA Exhaustion.” He warns that malicious actors hope users will mindlessly approve MFA requests. Avivi advises users to always verify MFA prompts to ensure they initiated the session, as attackers frequently test stolen credentials and aim to exploit MFA fatigue. Although the alert focuses on critical infrastructure, this diligence applies to protecting both personal and work accounts.

****The End Goal****

The primary goal of this campaign is believed to be credential theft and information gathering. Once they gain access, they can steal user credentials and internal network information. They may download files related to gaining remote access to the organization or its inventory. This information could then be used for further malicious activity such as data exfiltration or sold on cybercriminal forums.

The advisory recommends critical infrastructure organizations implement strong password policies and enforce multi-factor authentication (MFA) for all user accounts, and MFA settings should be regularly reviewed to prevent vulnerabilities.

1.  Censys Uncovers Hidden Infrastructure of Iranian Fox Kitten Group
2.  Iran’s MuddyWater APT Hits Saudis, Israelis with BugSleep Backdoor
3.  Iranian State Hackers Team Up with Ransomware Gangs to Attack US
4.  Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes
5.  Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector

Iranian Hackers Target Microsoft 365, Citrix Systems with MFA Push Bombing

Traditional practices are no longer sufficient in today's threat landscape. It's time for cybersecurity professionals to rethink their approach.

Malleswar Reddy Yerabolu, Senior Security Engineer, North Carolina Department of Health and Human Services

October 18, 2024

5 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY  
In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires. 

**The Shortcomings of Traditional Vendor Risk Management**

Historically, organizations have relied on static risk assessments and due diligence processes to evaluate their suppliers. This involves vetting vendors using questionnaires, compliance audits, and sometimes even on-site assessments. While these methods help ensure compliance with industry regulations and basic cybersecurity hygiene, they are no longer enough to combat today's sophisticated supply chain attacks. 

The major flaw of traditional vendor risk management is that it assumes security is a one-time evaluation rather than an ongoing process. A vendor might pass an initial audit, but what happens when it updates its software or onboards a third-party subcontractor? Additionally, static assessments rarely account for zero-day vulnerabilities or the rapid evolution of threat landscapes. In short, by the time an assessment is complete, the information is often outdated. 

**Proactive Supply Chain Monitoring: A New Paradigm**

A more effective approach to supply chain security involves continuous, real-time monitoring of vendors. Rather than waiting for the next audit or questionnaire cycle, organizations should be leveraging tools that provide up-to-date visibility into their vendors' cybersecurity postures. 

There are several ways this can be accomplished: 

*   Third-party risk management platforms: Platforms like BitSight and Security Scorecard allow organizations to monitor the external security posture of their vendors continuously. These platforms aggregate data from public sources, including open vulnerabilities, SSL configurations, and even mentions of potential breaches, to give security teams real-time insights into potential risks. 
    
*   Threat intelligence integration: By integrating threat intelligence feeds into the vendor risk management process, organizations can identify whether any vendors are being actively targeted by attackers, or if their infrastructure is compromised. This dynamic approach goes beyond static questionnaires, allowing organizations to act quickly in response to emerging threats. 
    
*   Continuous penetration testing: Routine penetration testing is no longer a luxury; it's a necessity. Regular testing of vendors' systems ensures that vulnerabilities are identified and mitigated before attackers can exploit them. With the increasing automation of penetration testing tools, this process can be made continuous rather than sporadic.
    

**Blockchain for Enhanced Supply Chain Transparency**

Another innovative solution to supply chain security challenges is the use of blockchain for transparency and traceability. Blockchain technology allows for the creation of immutable audit trails, making it possible to trace the origin of every component in the supply chain. This can be especially valuable in industries like pharmaceuticals or critical infrastructure, where counterfeit products or compromised components can have catastrophic consequences. 

By using blockchain, organizations can verify that every link in the supply chain adheres to security standards and hasn't been tampered with. In addition, smart contracts on blockchain can enforce compliance, triggering alerts or even actions (such as revoking access) when deviations from agreed-upon standards occur. 

**Managing Access: A Dynamic Approach to Vendor Permissions**

One critical element of supply chain cybersecurity that is often overlooked is how vendors access internal systems. Traditional models grant vendors broad access to systems and data, often far beyond what is necessary. This presents a significant risk, as compromising a single vendor's account could grant an attacker the keys to an organization's entire network. 

A more dynamic approach involves implementing zero-trust principles, where vendors are granted the minimum necessary permissions, and access is constantly reevaluated. This can be done through: 

*   Granular access control: Leveraging role-based access controls (RBAC) or even attribute-based access controls (ABAC) ensures that vendors have access only to the resources they need at any given time. 
    
*   Behavioral monitoring: Continuous monitoring of vendor behavior within your systems can help detect abnormal activity that might indicate a compromise. AI-driven anomaly detection tools can provide early warning signs that a vendor's account has been hijacked. 
    
*   Just-in-time access: Some organizations are adopting just-in-time (JIT) access, where vendors are granted temporary access to systems only when required, and access automatically expires after a predefined period. This minimizes the risk of persistent backdoors being left open. 
    

**Collaboration Across the Supply Chain**

Lastly, improving supply chain security requires collaboration between all stakeholders. Organizations must foster a culture of shared responsibility, where security is not viewed as the sole responsibility of individual vendors but as a collective effort. This can be achieved through: 

*   Security scorecards for vendors: Regularly sharing security posture reports with vendors encourages transparency and accountability. These reports can highlight areas where vendors need to improve and set clear expectations for remediation. 
    
*   Vendor security workshops: Hosting workshops or training sessions for vendors can help elevate their understanding of modern security practices and ensure that their teams are equipped to mitigate risks. 
    

**A Call to Action**

The time has come for cybersecurity professionals to rethink their approach to supply chain security. Traditional vendor risk management practices are no longer sufficient in today's threat landscape. By adopting continuous monitoring, leveraging blockchain for transparency, and implementing dynamic access control, organizations can build more resilient supply chains that are harder for attackers to compromise. 

Ultimately, securing the supply chain is not just about protecting your vendors — it's about safeguarding your entire business ecosystem. 

**About the Author**

Senior Security Engineer, North Carolina Department of Health and Human Services

Malleswar Reddy Yerabolu is a senior security engineer with more than seven years of experience in vulnerability management, threat analysis, and security architecture across financial, hospitality, government, and communication sectors. He specializes in leveraging AI, machine learning (ML), and natural language processing (NLP) to enhance threat detection and automate security processes. His research focuses on integrating AI and NLP to optimize cybersecurity solutions. Malleswar’s innovative approach helps organizations reduce risks and strengthen their defenses against evolving cyber threats. He holds a master’s degree in computer engineering from California State University.

Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management

North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom.…

North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom. Learn how to identify these deceptive tactics and protect your organization from this growing threat. Secureworks reveals the latest strategies employed by the North Korean threat group NICKEL TAPESTRY.

A recent report by cybersecurity firm Secureworks has exposed a disturbing but not-so-new tactic employed by North Korean hackers. They are infiltrating Western companies by posing as legitimate IT workers, stealing sensitive data, and then demanding ransom for its return. 

The mastermind behind this scheme is a North Korean hacking group known as Nickel Tapestry. The group operates from “laptop farms,” using stolen or falsified identities to fool HR departments at companies across the US, UK, and Australia. Often applying for developer positions, they utilize a variety of tactics to evade and conceal their identities/locations.

For instance, they request changes to delivery addresses for corporate laptops, often rerouting them to laptop farms, and sometimes they express a strong preference for using personal laptops and virtual desktop infrastructure (VDI) setups, a tactic previously warned by the FBI. This allows them to remotely access company networks without leaving a trace.

Also, they often exhibit “suspicious financial behaviours” such as frequent changes to bank account information or utilizing digital payment services to bypass traditional banking systems.

Additionally, the group uses residential proxy addresses and VPNs to mask their actual IP addresses. They also use “Splitcam” software during video calls to simulate video calls, avoiding the need to enable their webcams by creating fake AI clones of themselves. 

In one case, a fake worker gained access to a company’s network, exfiltrated sensitive data, and then – after being fired for poor performance – demanded a six-figure ransom for its return. This extortion element significantly increases the potential financial damage caused by these attacks. 

“The emergence of ransom demands marks a notable departure from prior NICKEL TAPESTRY schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers,” Secureworks’ Counter Threat Unit research team wrote in the report.

Perhaps most disturbing is the evidence of collaboration between these fake workers. They may provide fake references for each other, perform job duties on each other’s behalf, and even communicate via email while masquerading as different individuals. In one instance, researchers believe a single individual may have adopted multiple personas to further the scam.

Scam chain (Via SecureWorks)

****You’ve Been Warned!****

This IT worker scam isn’t new. Similar tactics have been observed since 2018, with fraudulent workers securing positions at Fortune 100 companies and funnelling stolen intellectual property back to North Korea to potentially fund weapons programs, including weapons of mass destruction.

In May 2022, the US government warned organizations to beware of North Korean hackers in the guise of IT freelancers claiming to be non-DPRK (Democratic People’s Republic of Korea) nationals.

In July 2024, North Korean hackers attempted another fake hiring scheme, this time targeting KnowBe4, a prominent U.S.-based cybersecurity company. In this case, a hacker posed as an IT worker and managed to secure employment with the company. The next step in the attack involved installing malware on a company-issued MacBook, intending to compromise KnowBe4’s systems.

****Protection Measures****

How can companies protect themselves from this evolving threat? Secureworks recommends thorough background checks and verification of candidate identities. Researchers suggest that a candidate’s work traits, such as applying for a full stack developer position, claiming 8-10 years of experience, and having novice to intermediate English skills, are the biggest red flags.

Additionally, unusual communication hours, varying communication styles, excuses for not enabling cameras during interviews, and a call center-like tone should trigger further investigation.

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
4.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
5.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
6.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Thursday, October 17, 2024 14:00

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

1.  **You can’t do any of this without people.** This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. 
2.  **You can carve out your own niche in cybersecurity.** That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  
3.  **Be a sponge.** Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

**The one big thing **

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

**Why do I care? **

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

**Top security headlines of the week **

**Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks.** Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch) 

**Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices.** While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch) 

**As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study.** Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys) 

**Can’t get enough Talos? **

*   Attackers Delight: Why Does Healthcare See So Many Attacks? 
*   Ghidra data type archive for Windows driver functions 
*   Protecting major events: An incident response blueprint 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

_There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter._

What I’ve learned in my first 7-ish years in cybersecurity

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.
The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647.
"This

Threat Intelligence / Malware

The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.

The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647.

"This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader," security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted.

RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations such as ransomware, extortion, and targeted credential gathering since its emergence in 2022.

It's been assessed that the operational tempo of their attacks has increased in recent months with an aim to set up long-term persistence on compromised networks and exfiltrate data, suggesting a clear espionage agenda.

To that end, the threat actor is said to be "aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms" such as C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

The attack chains start with a spear-phishing message that delivers a downloader -- either coded in C++ (MeltingClaw) or Rust (RustyClaw) -- which serves to deploy the ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy document is displayed to the recipient to maintain the ruse.

While DustyHammock is engineered to contact a command-and-control (C2) server, run arbitrary commands, and download files from the server, ShadyHammock acts as a launchpad for SingleCamper as well as listening for incoming commands.

Despite's ShadyHammock additional features, it's believed that it's a predecessor to DustyHammock, given the fact that the latter was observed in attacks as recently as September 2024.

SingleCamper, the latest version of RomCom RAT, is responsible for a wide range of post-compromise activities, which entail downloading the PuTTY's Plink tool to establish remote tunnels with adversary-controlled infrastructure, network reconnaissance, lateral movement, user and system discovery, and data exfiltration.

"This specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647's two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise," the researchers said.

"It is also likely that Polish entities were also targeted, based on the keyboard language checks performed by the malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.
The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.
"

An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.

The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04.

"The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations," Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said.

Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the U.A.E.

SideWinder has also been observed setting its sights on diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.

The most significant aspect of the recent campaign is the use of a multi-stage infection chain to deliver a previously unknown post-exploitation toolkit called StealerBot.

It all commences with a spear-phishing email with an attachment – either a ZIP archive containing a Windows shortcut (LNK) file or a Microsoft Office document – that, in turn, executes a series of intermediate JavaScript and .NET downloaders to ultimately deploy the StealerBot malware.

The documents rely on the tried-and-tested technique of remote template injection to download an RTF file that is stored on an adversary-controlled remote server. The RTF file, for its part, triggers an exploit for CVE-2017-11882, to execute JavaScript code that's responsible for running additional JavaScript code hosted on mofa-gov-sa.direct888\[.\]net.

On the other hand, the LNK file employs the mshta.exe utility, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files, to run the same JavaScript code hosted on a malicious website controlled by the attacker.

The JavaScript malware serves to extract an embedded Base64-encoded string, a .NET library named "App.dll" that collects system information and functions as a downloader for a second .NET payload from a server ("ModuleInstaller.dll").

ModuleInstaller is also a downloader, but one that's equipped to maintain persistence on the host, execute a backdoor loader module, and retrieve next-stage components. But in an interesting twist, the manner in which they are run is determined by what endpoint security solution is installed on the host.

"The Bbckdoor loader module has been observed since 2020," the researchers said, pointing out its ability to evade detection and avoid running in sandboxed environments. "It has remained almost the same over the years."

"It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, and the latest variants were designed to enumerate all the files in the current directory and load those without an extension."

The end goal of the attacks is to drop StealerBot via the Backdoor loader module. Described as a .NET-based "advanced modular implant," it is specifically geared to facilitate espionage activities by fetching several plugins to -

*   Install additional malware using a C++ downloader
*   Capture screenshots
*   Log keystrokes
*   Steal passwords from browsers
*   Intercept RDP credentials
*   Steal files
*   Start reverse shell
*   Phish Windows credentials, and
*   Escalate privileges bypassing User Account Control (UAC)

"The implant consists of different modules loaded by the main 'Orchestrator,' which is responsible for communicating with the \[command-and-control\] and executing and managing the plugins," the researchers said. "The Orchestrator is usually loaded by the backdoor loader module."

Kaspersky said it detected two installer components – named InstallerPayload and InstallerPayload\_NET – that don't feature as part of the attack chain, but are used to install StealerBot to likely update to a new version or infect another user.

The expansion of SideWinder's geographic reach and its use of a new sophisticated toolkit comes as cybersecurity company Cyfirma detailed new infrastructure running the Mythic post-exploitation framework and linked to Transparent Tribe (aka APT36), a threat actor believed to be of Pakistani origin.

"The group is distributing malicious Linux desktop entry files disguised as PDFs," it said. "These files execute scripts to download and run malicious binaries from remote servers, establishing persistent access and evading detection."

"APT36 is increasingly targeting Linux environments due to their widespread use in Indian government sectors, particularly with the Debian-based BOSS OS and the introduction of Maya OS."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 


Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. 
UAT-5647 is also known

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

Challenges with cybercrime prosecution are making it easier for attackers to act with impunity. Law enforcement needs to catch up.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

Historically, cybercriminals have always had an edge over law enforcement. It may take a few hours to steal thousands of credit cards after exploiting a SQL injection flaw, but the subsequent investigation and prosecution of the cybercriminals can take years — and still fail.

Europol described the challenges in investigating and prosecuting cybercrime — the collection and preservation of digital evidence, difficulty tracing and identifying attackers, and legal and judicial hurdles associated with cross-border investigations — back in 2019. These challenges remain relevant in 2024.

**Challenges That Law Enforcement Faces**

While many countries have one or more specialized law enforcement agencies (LEAs) or police units capable of investigating cybercrime, the general trend is to commingle computer-enabled crimes (cybercrimes) with cyberattacks and send them all to a single agency.

Cybercrimes, which include online dating scams and other types of digital fraud that rely on social engineering, cause damages ranging from 100 to several thousand dollars. Compare that with cyberattacks — which require fairly advanced tech skills and resources from cyber gangs — such as ransomware attacks on critical national infrastructure and advanced persistent threats aimed at stealthily stealing valuable trade secrets from large companies or classified information from governmental agencies. When a single agency is tasked with handling all types of digital crimes, it is unsurprising that just the initial triage of incoming cases can consume virtually all agency resources.

In contrast to overwhelmed LEAs dealing with all kinds of tasks simultaneously using extremely modest resources, modern cyber gangs usually have narrow specializations, such as vulnerability research and exploit development, where they truly excel technically and financially. Cyber mercenaries may use breached LEAs as proxies to attack other systems and slow down investigations, while state-backed groups may exploit backdoored LEAs for perfidious attacks trying to frame their political enemies. On the Dark Web, the number of announcements selling access to backdoored LEA systems or networks is steadily growing.

Despite national security being a hot topic for lawmakers on both sides of the Atlantic — and the increased funding that attention brings — specialized LEAs or units dedicated to tackling cybercrime still remain underfunded compared to their highly sophisticated, extraordinarily well-prepared, and well-funded adversaries.

Insufficient funding makes it harder to attract talented individuals to work on defense. In Western countries, state agencies struggle to compete with the deep-pocketed private sector for talented cybersecurity professionals, who can be swayed by perks unavailable to most government employees, such as higher salaries, longer leaves, and working from home. The situation is even worse in other countries: Young graduates with good technical skills can earn their annual salaries in a couple of weeks working for cybercrime conglomerates that actively prospect and recruit new members. In January 2024, FBI director Christopher Wray estimated that the number of hackers in China outnumbers all available FBI cyber personnel by at least 50 to 1.

Likewise, forensic tools and special equipment designed to bypass encryption on mobile devices or acquire digital evidence from a multicloud environment are also quite expensive, oftentimes being affordable only to leading national agencies or central forensic labs that serve thousands of requests from an entire country. As a result, a backlog of cybercrime investigations is building relentlessly, undermining people's trust in their government's capacity to protect their privacy and property on the Internet.

**Advantages for the Cyber Gangs**

International collaboration and judicial assistance in cybercrime investigation has never been simple. The Budapest Convention of 2001 is probably the most important international treaty designed to combat cross-border cybercrime. But even after the enactment of the Second Additional Protocol, the convention has fallen short of its original goals for political and organizational reasons. The recently proposed UN Treaty on Cybercrime is unlikely to do much better amid the unfolding geopolitical crises and the weakening force of international law.

The problem is that some countries, even after ratifying a treaty, are very selective when complying with the underlying duties and obligations owed to other signatories. They frequently ignore or simply delay required actions to the extent that, by the time they're finally performed, they are worthless — for instance, seizing volatile digital evidence several years after receiving a mutual legal assistance (MLAT) request from another sovereign state.

Indeed, some countries are considered safe harbors for cyber gangs that cooperate with, or work for, the government. These barons enjoy a luxurious lifestyle, safe in the knowledge that they will never be prosecuted domestically, let alone extradited, for cybercrimes that do not conflict with state public policy. Such cybercrime havens create a strong feeling of impunity among perpetrators, who believe — usually accurately — that they are above the law. Even if they are apprehended, cybercriminals usually get lenient punishments for the financial damage caused, compared to the decades-long and even life sentences for leaders of drug cartels or masterminds of Ponzi schemes.

Alarmingly, as the World Economic Forum reports, cybercrime has started to merge with organized and violent crime — for example, exploiting forced labor to staff large-scale online fraud and extortion campaigns.

**How Law Enforcement Can Make Up Ground**

To win against the seemingly invincible cybercrime hydra, governments should better organize their national cybercrime LEAs. Here's what they need to do:

*   Create specialization and internal segmentation.
    
*   Allocate additional funding to these agencies.
    
*   Form more public-private partnerships to jointly trace and dismantle cyber gangs.
    
*   Revise national legislation, including sentencing guidelines, for cybercrimes to boost the deterrence effect.
    

Otherwise, in a few years, the Internet may become an uncontrollable zone of lawlessness and chaos, co-managed by rival cyber gangs.

For a longer version of this article, please contact the author.

**About the Author**

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He currently completes an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), two most advanced credentials in privacy practice and privacy law by the IAPP, respectively, while also holding AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he earned numerous offensive and defensive security certifications by the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves a Vice-Chair of the Information Security Committee at the American Bar Association (ABA), also being a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of the Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), National Association of Criminal Defense Lawyers (NACDL), SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.

Cyber Gangs Aren't Afraid of Prosecution

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.

Source: Papilio via Alamy Stock Photo

The elusive, India-based advanced persistent threat (APT) group SideWinder has unleashed a new flurry of attacks against high-profile entities and strategic infrastructure targets that span numerous countries in Asia, the Middle East, Africa, and even Europe, signaling an expansion of its geographic reach. The attacks also show the group is using an advanced post-exploitation toolkit dubbed "StealerBot" to further its cyber-espionage activity, researchers have found.

The state-sponsored group — active since 2012, publicly outed in 2018, and mainly known for attacking rivals in Pakistan, Afghanistan, China, and Nepal — has demonstrated a widening of its geographic scope in the last six months. The latest attacks, observed by researchers at Kaspersky and outlined in a post on the SecureList blog, for the first time revealed some of SideWinder's post-compromise activities, which have remained largely unknown despite years of study by researchers.

Specifically, SideWinder has lately targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates in the attacks. Affected sectors are varied, and include: government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. Attackers also targeted diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.

As for StealerBot, the researchers described the malware — which they believe is the main post-exploitation tool used by SideWinder — as "an advanced modular implant designed specifically for espionage activities."

**SideWinder's Typical Cyberattack Chain**

Though geography and post-exploit tactics vary, SideWinder used its typical attack chain in the latest spate of attacks. The group started with a spear-phishing email with an attachment, which is usually a Microsoft OOXML document — ie, .docx or .xlsx — or a .zip archive, which in turn contains a malicious .lnk file. This file triggers a multistage infection chain with various JavaScript and .NET downloaders, which ultimately ends with the installation of the StealerBot espionage tool for further activity.

The documents used in the spear-phishing part of the campaign often contain information obtained from public websites, "which is used to lure the victim into opening the file and believing it to be legitimate," Kaspersky lead security researchers Giampaolo Dedola and Vasily Berdnikov wrote in the post. In this case, some of the email lures included public photos, images, and references to diplomatic and other activity that might be of interest to the intended target.

All the documents in the attacks use the remote template injection technique to download an .rtf file that is stored on a remote server controlled by the attackers. These files are specifically crafted to exploit CVE-2017-11882, a 7-year-old memory corruption vulnerability in Microsoft Office software, to download further shellcode and malware that uses various tricks to avoid sandboxes and complicate analysis, the researchers said. The ultimate purpose of the malware is to extricate data from infected systems and conduct cyberespionage.

**New StealerBot Modular Malware**

StealerBot, so-named by the attacker, is a modular implant developed with .NET to perform espionage activities. Rather than loading the malware's components on the filesystem of the infected machine, as is typical, the attack chain observed by the researchers loads them into memory by one of the numerous modules of the malware, which in this case acts as a backdoor loader that attackers dubbed "ModuleInstaller."

That module is a downloader that deploys the Trojan that SideWinder uses to maintain a foothold on compromised machines. It's a tool previously wielded by the group and observed by Kaspersky, but not unveiled publicly until now, the researchers noted.

The attackers designed ModuleInstaller to drop at least four files: a legitimate and signed application used to sideload a malicious library; a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules; a malicious library; and an encrypted payload. "We observed various combinations of the dropped files," the researchers noted.

Another module, called the "Orchestrator," is the main component of the malware that communicates with SideWinder command-and-control (C2) and executes and manages the other malware plugins. All told, StealerBot includes various modules for: installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, stealing files, phishing Windows credentials, and escalating privileges by bypassing user account control (UAC), among other activities.

**Largely Underestimated Attackers**

SideWinder long has been perceived as a low-skilled threat group due to its use of public exploits and remote access Trojans (RATs), as well as malicious .lnk files and scripts as infection vectors, according to Kaspersky. However, they should not be underestimated by defenders, as "their true capabilities only become apparent when you carefully examine the details of their operations," the researchers wrote.

As the new wave of attacks shows "a significant expansion of the group’s activities," those who may be targeted should be on alert and aware of the threat posed by the group, they said.

To help defenders recognize the presence of SideWinder and its tool StealerBot on their networks, the researchers included a comprehensive list of indicators of compromise (IoCs) for various stages of the attack in their post.

The IoCs include references to malicious documents, and .rtf and .lnk files, as well as specific IoCs to various modules of StealerBot. A long list of malicious domains and IPs associated with the attacks also is included in the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#backdoor