Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor
https://www.indiavpn.org/2024/02/19/iranian-hackers-target-middle-east-policy-experts-with-new-basicstar-backdoor/

Feb 19, 2024 | Newsroom | Malware / Cyber Espionage


The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts that use a fake webinar portal to deliver a new backdoor called BASICSTAR.

Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a wide net in their targeting, often singling out think tanks, NGOs, and journalists.

“CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content,” Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash said.

Last month, Microsoft revealed that high-profile individuals working on Middle Eastern affairs have been targeted by the adversary to deploy malware such as MischiefTut and MediaPl (aka EYEGLASS) that are capable of harvesting sensitive information from a compromised host.


The group, assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has also distributed several other backdoors such as PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok over the past year, emphasizing its determination to continue its cyber onslaught, adapting its tactics and methods despite public exposure.

The phishing attacks observed between September and October 2023 involved the Charming Kitten operators posing as the Rasanah International Institute for Iranian Studies (IIIS) to initiate and build trust with targets.

The phishing attempts are also characterized by the use of compromised email accounts belonging to legitimate contacts and of multiple threat-actor-controlled email accounts, the latter technique being known as Multi-Persona Impersonation (MPI).


The attack chains typically employ RAR archives containing LNK files as a starting point to distribute malware, with the messages urging prospective targets to join a fake webinar about topics that are of interest to them. One such multi-stage infection sequence has been observed to deploy BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR, a Visual Basic Script (VBS) malware, is capable of gathering basic system information, remotely executing commands relayed from a command-and-control (C2) server, and downloading and displaying a decoy PDF file.

What’s more, some of these phishing attacks are engineered to serve different backdoors depending on the machine’s operating system. While Windows victims are compromised with POWERLESS, Apple macOS victims are targeted with an infection chain culminating in NokNok via a functional VPN application that’s laced with malware.

“This threat actor is highly committed to conducting surveillance on their targets in order to determine how best to manipulate them and deploy malware,” the researchers said. “Additionally, few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts.”


The disclosure comes as Recorded Future uncovered IRGC’s targeting of Western countries using a network of contracting companies that also specialize in exporting technologies for surveillance and offensive purposes to countries like Iraq, Syria, and Lebanon.

The relationship between intelligence and military organizations and Iran-based contractors takes the form of various cyber centers that act as “firewalls” to conceal the sponsoring entity.

They include Ayandeh Sazan Sepher Aria (suspected to be associated with Emennet Pasargad), DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, and the Parnian Telecommunication and Electronic Company.

“Iranian contracting companies are established and run by a tight-knit network of personas, who, in some cases, represent the contractors as board members,” the company said. “The individuals are closely associated with the IRGC, and in some cases, are even representatives of sanctioned entities (such as the IRGC Cooperative Foundation).”

Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services
https://www.indiavpn.org/2024/02/06/experts-detail-new-flaws-in-azure-hdinsight-spark-kafka-and-hadoop-services/

Feb 06, 2024 | Newsroom | Vulnerability / Cloud Security


Three new security vulnerabilities have been discovered in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition.

“The new vulnerabilities affect any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie,” Orca security researcher Lidor Ben Shitrit said in a technical report shared with The Hacker News.


The list of flaws is as follows –

  • CVE-2023-36419 (CVSS score: 8.8) – Azure HDInsight Apache Oozie Workflow Scheduler XML External Entity (XXE) Injection Elevation of Privilege Vulnerability
  • CVE-2023-38156 (CVSS score: 7.2) – Azure HDInsight Apache Ambari Java Database Connectivity (JDBC) Injection Elevation of Privilege Vulnerability
  • Azure HDInsight Apache Oozie Regular Expression Denial-of-Service (ReDoS) Vulnerability (no CVE)

The two privilege escalation flaws could be exploited by an authenticated attacker with access to the target HDI cluster to send a specially crafted network request and gain cluster administrator privileges.


The XXE flaw is the result of a lack of user input validation that allows for root-level file reading and privilege escalation, while the JDBC injection flaw could be weaponized to obtain a reverse shell as root.

“The ReDoS vulnerability on Apache Oozie was caused by a lack of proper input validation and constraint enforcement, and allowed an attacker to request a large range of action IDs and cause an intensive loop operation, leading to a denial-of-service (DoS),” Ben Shitrit explained.

Successful exploitation of the ReDoS vulnerability could result in a disruption of the system’s operations, cause performance degradation, and negatively impact both the availability and reliability of the service.


Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023.

The development arrives nearly five months after Orca detailed a collection of eight flaws in the open-source analytics service that could be exploited for data access, session hijacking, and delivering malicious payloads.

In December 2023, Orca also highlighted a “potential abuse risk” impacting Google Cloud Dataproc clusters: a lack of security controls in Apache Hadoop’s web interfaces, combined with the default settings applied when creating resources, could allow access to any data on the Apache Hadoop Distributed File System (HDFS) without any authentication.

Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software
https://www.indiavpn.org/2024/01/19/experts-warn-of-macos-backdoor-hidden-in-pirated-versions-of-popular-software/

Jan 19, 2024 | Newsroom | Malware / Endpoint Security


Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control over infected machines.

“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.


The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called “dylib” that’s executed every time the application is opened.

The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.

The backdoor – written to the path “/tmp/.test” – is fully featured and built atop an open-source post-exploitation toolkit called Khepri. Because it is located in the “/tmp” directory, it will be deleted when the system shuts down.

That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.

On the other hand, the downloader is written to the hidden path “/Users/Shared/.fseventsd,” following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.


Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts
https://www.indiavpn.org/2024/01/18/iranian-hackers-masquerade-as-journalists-to-spy-on-israel-hamas-war-experts/

Jan 18, 2024 | Newsroom | Cyber Espionage / Threat Intelligence

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mint Sandstorm since November 2023.

The threat actor “used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files,” the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a “technically and operationally mature subgroup of Mint Sandstorm.”

The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft.

Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).


The sub-cluster, per Redmond, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran.

The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war: innocuous emails are sent under the guise of journalists and other high-profile individuals to build rapport with targets and establish a level of trust before any attempt to deliver malware.

Microsoft said it’s likely the campaign is an effort undertaken by the nation-state threat actor to collect perspectives on events related to the war.

The use of breached accounts belonging to the very people the group sought to impersonate in order to send the email messages is a new Mint Sandstorm tactic, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.

Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets’ environments.

The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.

Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022.

MediaPl, on the other hand, masquerades as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server.


“Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection,” Microsoft said.

“The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system.”

The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.

Experts Reveal New Details on Zero-Click Outlook RCE Exploits
https://www.indiavpn.org/2023/12/25/experts-reveal-new-details-on-zero-click-outlook-rce-exploits/

Dec 18, 2023 | Newsroom | Email Security / Vulnerability


Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution against Outlook without any user interaction.

“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –

  • CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
  • CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT28 (aka Forest Blizzard) has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of May 2023 security updates.

“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.


CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function that could be exploited by sending an email containing a malicious file or a URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to a zero-click code execution on the victim machine.

CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that’s used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”

To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. It’s also advised to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.

Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware
https://www.indiavpn.org/2023/12/23/experts-detail-multi-million-dollar-licensing-model-of-predator-spyware/

Dec 21, 2023 | Newsroom | Zero-Day / Mobile Security


A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an “add-on feature” and depends on the licensing options chosen by the customer.

“In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS),” Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report shared with The Hacker News. “However, by April 2022, that capability was being offered to their customers.”

Predator is the product of a consortium called the Intellexa Alliance, which includes Cytrox (subsequently acquired by WiSpear), Nexa Technologies, and Senpai Technologies. Both Cytrox and Intellexa were added to the Entity List by the U.S. in July 2023 for “trafficking in cyber exploits used to gain access to information systems.”

The latest findings come more than six months after the cybersecurity vendor detailed the inner workings of Predator and its harmonious equation with another loader component called Alien.

“Alien is crucial to Predator’s successful functioning, including the additional components loaded by Predator on demand,” Malhotra told The Hacker News at the time. “The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims.”


Predator, which can target both Android and iOS, has been described as a “remote mobile extraction system” that’s sold on a licensing model running into millions of dollars, priced according to the exploit used for initial access and the number of concurrent infections, which puts it out of reach of script kiddies and novice criminals.

Spyware such as Predator and Pegasus, which is developed by NSO Group, often rely on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. But as Apple and Google continue to plug the security gaps, these exploit chains may be rendered ineffective, forcing them to go back to the drawing board.


However, it’s worth noting that the companies behind mercenary surveillance tools can also procure either full or partial exploit chains from exploit brokers and fashion them into an operational exploit that can be employed to effectively breach target devices.

Another key aspect of Intellexa’s business model is that it offloads the work of setting up the attack infrastructure to the customers themselves, leaving it room for plausible deniability should the campaigns come to light (as they inevitably do).

“The delivery of Intellexa’s supporting hardware is done at a terminal or airport,” the researchers said.

“This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (‘Incoterms’). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located.”


On top of that, Intellexa possesses “first-hand knowledge” of whether their customers are performing surveillance operations outside their own borders owing to the fact that the operations are intrinsically connected to the license, which, by default, is restricted to a single phone country code prefix.

This geographic limitation, nonetheless, can be loosened for an additional fee.


Cisco Talos noted that while public exposure of private-sector offensive actors and their campaigns has aided attribution efforts, it has had little impact on their ability to conduct and grow their business across the world, even if it may affect their customers, such as governments.

“It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access,” the researchers said.

“What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.”
