Threats Feed | Unknown | Last Updated: 18/09/2023 | Author: Certfa Radar | Publish Date: 07/09/2023

Iranian-backed APTs Target Aeronautical Sector: A Multi-Vector Attack

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Compromised Credentials, Vulnerability Exploitation, Backdoor, Malware
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Cyber National Mission Force (CNMF) identified multiple APT actors exploiting vulnerabilities in an Aeronautical Sector organization as early as January 2023. The actors targeted a public-facing application (Zoho ManageEngine ServiceDesk Plus) and the organization's firewall device, exploiting CVE-2022-47966 (Zoho ManageEngine) and CVE-2022-42475 (Fortinet FortiOS SSL-VPN) respectively. They gained unauthorized access, established persistence, moved laterally, and evaded defenses by deleting logs. Although the attackers carried out extensive network enumeration and obtained credentials, the report did not confirm any data exfiltration.

Detected Targets

Type     Description      Confidence
Sector   Aerospace        Verified
Region   United States    Verified

Extracted IOCs

  • cloudfronts[.]net
  • main.cloudfronts[.]net
  • xpack.disqus[.]com
  • xpack.github[.]io
  • 1a0e111e60e543810423ef073b545c77
  • 76adb0e36aac40cae0ebeb9f4bd38b52
  • a33354d598b58f2e55eb3619c3465f24
  • b8967a33e6c1aee7682810b6b994b991
  • 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b
  • 47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622
  • 6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde
  • 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63
  • 102[.]129.145.232
  • 103[.]105.49.108
  • 104[.]238.234.145
  • 108[.]62.118.160
  • 144[.]202.2.71
  • 154[.]6.91.26
  • 154[.]6.93.12
  • 154[.]6.93.22
  • 154[.]6.93.24
  • 154[.]6.93.32
  • 154[.]6.93.5
  • 179[.]60.147.4
  • 184[.]170.241.27
  • 191[.]96.106.40
  • 192[.]142.226.153
  • 193[.]142.146.226
  • 207[.]246.105.240
  • 45[.]77.121.232
  • 45[.]90.123.194
  • 47[.]90.240.218
  • 68[.]177.56.38
  • 80[.]85.241.15
  • 92[.]118.39.82

Tip: 35 related IOCs (23 IP, 4 domain, 0 URL, 0 email, 8 file hash) to this threat have been found.

Overlaps

Imperial Kitten - Imperial Kitten's Middle East Cyber Campaign: Transport and Tech Sectors Targeted

Source: CrowdStrike - November 2023

Detection (one case): 103[.]105.49.108

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
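An added triage example (not Certfa Radar's, CISA's or CrowdStrike's tooling) that covers both the IOC list above and the automatic overlap extraction described under Overlaps: it refangs a subset of the page's indicators, classifies each by type, scans log lines for them (matching domains by suffix, so a hit on main.cloudfronts[.]net also credits the parent cloudfronts[.]net), and computes which indicators two feeds share. The log lines, the host and user names in them, and every indicator in the second feed except 103[.]105.49.108 are constructed placeholders using RFC 5737 / RFC 2606 reserved values.

```python
"""Added example, not Certfa Radar's or CISA's tooling: refang, classify and
hunt for the defanged IOCs above, then compute cross-feed overlaps.
Log lines and the second feed are constructed placeholders (RFC 5737 / RFC 2606
reserved values), except 103[.]105.49.108, the overlap the page reports."""
import re
from collections import defaultdict

# Subset of the indicators published on this page, kept defanged as listed.
AERO_IOCS = [
    "cloudfronts[.]net", "main.cloudfronts[.]net",
    "xpack.disqus[.]com", "xpack.github[.]io",
    "1a0e111e60e543810423ef073b545c77",
    "334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b",
    "103[.]105.49.108", "45[.]77.121.232", "144[.]202.2.71", "207[.]246.105.240",
]

# Constructed stand-in for the CrowdStrike Imperial Kitten report's IOC set:
# only 103[.]105.49.108 comes from the page; the rest are reserved documentation values.
OTHER_FEEDS = {
    "Imperial Kitten (constructed placeholder set)": [
        "103[.]105.49.108", "192[.]0.2.10", "placeholder.example",
    ],
}

# Constructed log lines (timestamps, hosts, users and client IPs are invented).
SAMPLE_LOGS = [
    "2023-01-18T03:12:44Z fw01 sslvpn login src=103.105.49.108 user=svc_backup result=success",
    "2023-01-18T03:15:02Z proxy01 GET http://main.cloudfronts.net/tool.zip client=10.20.4.17",
    "2023-01-18T03:15:09Z edr01 file_create host=WS-0417 sha256=334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b",
    "2023-01-18T03:20:00Z proxy01 GET https://intranet.corp.example/ client=10.20.4.17",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-f]{32,64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc: str) -> str:
    """Undo common defanging so an indicator compares equal to a raw log token."""
    v = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("hxxp", "http")):
        v = v.replace(broken, fixed)
    return v


def classify(ioc: str) -> str:
    """Return ipv4 / md5 / sha1 / sha256 / domain / unknown for one indicator."""
    v = refang(ioc)
    if IPV4_RE.fullmatch(v) and all(int(o) < 256 for o in v.split(".")):
        return "ipv4"
    if re.fullmatch(r"[0-9a-f]+", v):
        return HASH_KINDS.get(len(v), "unknown")
    if HOST_RE.fullmatch(v):
        return "domain"
    return "unknown"


def build_index(iocs):
    """Group refanged indicators by type for set lookups (domains matched by suffix)."""
    index = defaultdict(set)
    for raw in iocs:
        index[classify(raw)].add(refang(raw))
    return index


def scan_line(line: str, index) -> set:
    """All (type, indicator) pairs from the index that appear in one log line."""
    low, hits = line.lower(), set()
    for ip in IPV4_RE.findall(low):
        if ip in index["ipv4"]:
            hits.add(("ipv4", ip))
    for h in HEX_RE.findall(low):
        kind = HASH_KINDS.get(len(h))
        if kind and h in index[kind]:
            hits.add((kind, h))
    for host in HOST_RE.findall(low):
        # A hit on main.cloudfronts.net also credits the parent cloudfronts.net.
        for d in index["domain"]:
            if host == d or host.endswith("." + d):
                hits.add(("domain", d))
    return hits


def scan_logs(lines, index):
    """(line number, type, indicator) for every hit, in line order."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1)
            for kind, ioc in sorted(scan_line(line, index))]


def overlaps(feeds):
    """Indicators shared by each pair of feeds, the way the Overlaps section is built."""
    sets = {name: {refang(i) for i in iocs} for name, iocs in feeds.items()}
    names = sorted(sets)
    return {(a, b): sets[a] & sets[b]
            for i, a in enumerate(names) for b in names[i + 1:] if sets[a] & sets[b]}


if __name__ == "__main__":
    idx = build_index(AERO_IOCS)
    for n, kind, ioc in scan_logs(SAMPLE_LOGS, idx):
        print(f"line {n}: {kind} {ioc}")
    feeds = {"Aeronautical sector threat (this page)": AERO_IOCS, **OTHER_FEEDS}
    for (a, b), shared in overlaps(feeds).items():
        print(f"{a} <-> {b}: {sorted(shared)}")
```

Run as-is it reports the firewall login from 103.105.49.108, both domain indicators for the proxy request to main.cloudfronts.net, the SHA-256 file hit, nothing for the benign line, and the single shared IP between the two feeds. Suffix matching on domains is deliberate: blocking only the exact hosts listed would miss the next subdomain the actor stands up under the same apex.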