Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations
- Actor Motivations: Espionage
- Attack Vectors: Vulnerability Exploitation, Backdoor
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
The Ballistic Bobcat (aka Charming Kitten) threat group exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group employed a backdoor known as Sponsor and relied on a modular approach that used both configuration files and batch files to evade detection. The group also used a range of open-source tools for various activities, including tunneling and credential dumping. The victims span diverse sectors and appear to have been compromised opportunistically rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE; one is linked to healthcare and the other is an unidentified organization.
Region: United Arab Emirates (Verified)
Tip: 19 IOCs related to this threat (4 IP, 0 domain, 0 URL, 0 email, 15 file hash) have been found.
Source: Deep Instinct - June 2022
Detection (one case): 198[.]144.189.74
Source: CISA - November 2021
Detection (one case): 162[.]55.137.20
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.