Iran-Linked Charming Kitten Unveils ‘Sponsor’ Backdoor in Cyber Espionage Campaigns

Iran-linked cyber espionage group Charming Kitten, also known as APT42, Ballistic Bobcat, Mint Sandstorm, and NewsBeef, has deployed a new backdoor called “Sponsor” to infect 34 victims, according to cybersecurity firm ESET. Their history involves targeting activists, government entities, and journalists for over a decade, and recent activities include financially motivated ransomware operations and attacks on critical infrastructure in the US.

The newly uncovered Sponsor backdoor, written in C++, primarily targeted organizations in Israel, spanning sectors like automotive, engineering, finance, healthcare, manufacturing, media, technology, and telecommunications since 2021. Charming Kitten gained initial access by exploiting known vulnerabilities in publicly exposed Microsoft Exchange servers.

Some victims lacked significant intelligence value, implying a scan-and-exploit strategy rather than specific targeting; 16 of the 34 victims had also been compromised by other threat actors. The backdoor functions as a persistent service, gathering and sending system information to a command-and-control (C&C) server, and accepts commands such as executing processes, retrieving process IDs, handling files, and updating its list of C&C servers and the interval between check-ins. Charming Kitten used a mix of established and new infrastructure, underlining the importance of patching exposed devices and maintaining vigilance within organizations.
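A backdoor that runs as a persistent service and checks in with its C&C server at a configured interval leaves a network-side trace: outbound connections from one host to one destination at near-constant spacing. The script below is an added example for defenders, not code from the ESET report or from the articles summarised here. It runs over a few constructed proxy log lines (timestamp, source host, destination, bytes; the hosts, addresses and times are made up for the example) and flags host/destination pairs whose inter-connection gaps have a very low coefficient of variation, which is the generic "beaconing" pattern that regular check-ins produce. The thresholds are assumptions to tune per environment, not values taken from the report.

```python
"""Flag regular outbound check-ins ("beaconing") in proxy log lines.

Added illustration: detection logic only, not tied to any specific malware
sample. Log format and all values below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination> <bytes>".
# ws-17 contacts 203.0.113.10 every 30 minutes (+/- a couple of seconds),
# while its other traffic and ws-22's traffic are irregular.
SAMPLE_LOG = """\
2023-05-10T08:00:00 ws-17 203.0.113.10 512
2023-05-10T08:00:03 ws-17 198.51.100.5 9102
2023-05-10T08:01:00 ws-22 192.0.2.44 1400
2023-05-10T08:07:30 ws-22 192.0.2.44 3200
2023-05-10T08:30:01 ws-17 203.0.113.10 498
2023-05-10T08:45:10 ws-22 192.0.2.44 880
2023-05-10T09:00:02 ws-17 203.0.113.10 505
2023-05-10T09:02:00 ws-22 192.0.2.44 2100
2023-05-10T09:30:00 ws-17 203.0.113.10 511
2023-05-10T09:41:17 ws-17 198.51.100.5 20014
2023-05-10T10:00:01 ws-17 203.0.113.10 507
2023-05-10T10:15:00 ws-22 192.0.2.44 760
2023-05-10T10:30:00 ws-17 203.0.113.10 500
2023-05-10T11:00:02 ws-17 203.0.113.10 503
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, _nbytes = line.split()
        events[(host, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_connections=5):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    Returns None when there are too few connections to judge regularity.
    A coefficient of variation near 0 means the gaps are almost identical.
    """
    if len(timestamps) < min_connections:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.05, min_connections=5):
    """Return the host/destination pairs whose connection spacing is regular.

    max_cv and min_connections are example thresholds (assumed, tune locally):
    legitimate software also polls on timers, so every hit needs triage.
    """
    hits = []
    for (host, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_connections)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append({
                "host": host,
                "dst": dst,
                "connections": len(stamps),
                "mean_interval_s": round(avg),
                "cv": round(cv, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['host']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

On the constructed sample only the ws-17 to 203.0.113.10 pair is reported (seven connections, roughly 1800 seconds apart); ws-22's traffic to 192.0.2.44 has the same number of connections in the window but irregular gaps, so it is not flagged. A real deployment would read the organisation's proxy or firewall logs, tolerate the jitter many implants add, and correlate hits with the host's running services before drawing conclusions.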

In a related development, Charming Kitten expanded its cyber operations to Brazil, Israel, and the United Arab Emirates, employing the previously undisclosed Sponsor backdoor. This Iran-linked APT group has been in the cyber espionage spotlight since 2014, engaging in extensive spying campaigns via social media. Their activities, under scrutiny by Microsoft since 2013, likely commenced around 2011, primarily focusing on journalists, Middle Eastern activists, and organizations in various countries. The Sponsor backdoor, identified in a cyber attack in Israel in May 2022, has been operational since at least September 2021 and targeted victims across education, government, healthcare, along with human rights activists and journalists in Brazil, Israel, and the UAE.


Source: https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-iran-aligned-ballistic-bobcat-targets-businesses-in-israel-with-a-new-backdoor/

Charming Kitten’s approach involves scanning for and exploiting vulnerabilities in Microsoft Exchange servers exposed to the internet, so victims are selected opportunistically rather than specifically chosen. The backdoor cleverly uses configuration files distributed through seemingly harmless batch files to avoid detection.

Once inside a targeted network, Charming Kitten employs diverse open-source tools like Mimikatz, WebBrowserPassView, sqlextractor, and ProcDump. Defenders are strongly advised to promptly patch internet-exposed devices and stay alert for potential new applications within their organizations, as Charming Kitten continuously adapts its toolset for cyber operations.

To avoid similar attacks, it is essential that organizations take the security of their electronic information systems seriously.

These are the measures we recommend in order to avoid similar incidents:

Regularly Update and Patch Systems and Software:

Ensure that all software, operating systems, and applications are up to date with the latest security patches and updates. Regularly check for security updates and install them promptly.

Implement Strong Access Controls:

Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to secure access to critical systems and sensitive data. Limit access based on the principle of least privilege (PoLP).

Educate and Train Employees:

Conduct regular cybersecurity awareness training for all employees to educate them about phishing attacks, social engineering, and best practices for online safety. Employees should be vigilant and report any suspicious activities.

Sources:

https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-iran-aligned-ballistic-bobcat-targets-businesses-in-israel-with-a-new-backdoor/

https://www.securityweek.com/iranian-cyberspies-deployed-new-backdoor-to-34-organizations/

https://securityaffairs.com/150667/apt/charming-kitten-new-sponsor-backdoor.html

https://thehackernews.com/2023/09/charming-kitens-new-backdoor-sponsor.html

https://cyware.com/news/charming-kitten-introduces-sponsor-backdoor-0ba63a3b


Author: Akos Sipos, PTMSZK
