Threats Feed

A phishing campaign is exploiting sensational fake news about an assassination attempt on US President-elect Donald Trump by an Iranian sniper. The campaign poses as The New York Times using the email address newyork-times@nycmail[.]com. Victims who click on the embedded link are redirected to an ESET-imitation phishing site, where they are prompted to enter corporate domain credentials. This campaign is an example of attackers using major global events, such as political elections, to amplify their efforts. The use of urgency and sensational headlines highlights the need for vigilance in verifying information.

Iranian cyber actors targeted critical infrastructure sectors in the US, Canada, and Australia, including healthcare, government, energy, and IT organisations. The attackers used password spraying and MFA push bombing to obtain valid accounts and access systems such as Microsoft 365, Azure, and Citrix. They used open source tools to gain access to credentials, including Kerberos SPN enumeration and Active Directory dumps. In some cases, the attackers attempted to exploit the Netlogon vulnerability for privilege escalation. In addition, the actors used discovery techniques using living-off-the-land tools to identify domain controllers, trusted domains and administrative accounts.

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization’s firewall device, exploiting CVE-2022-47966 and CVE-2022-42475. They gained unauthorized access, established persistence, moved laterally, and engaged in defense evasion by deleting logs. Although the attackers achieved extensive network enumeration and credential access, the report didn't confirm any data exfiltration.

In April 2022, CISA detected Iranian government-sponsored APT activity compromising an FCEB organization's network via the Log4Shell vulnerability. Initial exploitation targeted an unpatched VMware Horizon server, later spreading to the domain controller. The threat actors utilized PowerShell commands, disabled Windows Defender, and established persistence through scheduled tasks. Tools like Mimikatz and Ngrok were deployed for credential harvesting and C2 communication. Despite attempts to dump the LSASS process, additional anti-virus measures thwarted this activity. Lateral movement was observed, as were activities aimed at credential and account manipulation.

SafeBreach Labs has discovered CodeRAT, a new remote access trojan (RAT) targeting Farsi-speaking software developers with capabilities ranging from espionage to data exfiltration. Delivered via a Word document that exploits Microsoft DDE, CodeRAT monitors activity in various applications, particularly those related to social networking and development tools. Uniquely, it uses public file upload APIs and Telegram groups for command and control, bypassing typical C2 infrastructure. The malware supports 50 commands, including clipboard capture, process control and file upload. The CodeRAT developer released the source code on GitHub after it was discovered by researchers.

Some Iranian government-sponsored APT groups have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since March 2021. These actors broadly targeted critical infrastructure sectors in the US, including Transportation and Healthcare and Public Health, as well as Australian organizations. The APT group focused more on exploiting known vulnerabilities rather than specific sectors, using the gained access for ransomware deployment, data exfiltration, and extortion. Several tactics, techniques, and tools were utilized, including creating new user accounts and modifying Task Scheduler.