
Government agencies in the Middle East and Africa are being targeted by sustained cyber espionage attacks that leverage rarely seen, and in some cases previously unseen, credential theft and Exchange email exfiltration techniques.
“The main purpose of the attacks was to obtain highly classified information, particularly related to politicians, military operations, and the Ministry of Foreign Affairs,” said Lior Rochberger, senior threat researcher at Palo Alto Networks, in a technical report published last week.
The company’s Cortex Threat Research team is tracking this activity under the temporary name CL-STA-0043 (CL stands for cluster and STA for state-backed motivation), describing it as a “true advanced persistent threat.”
The infection chain begins with the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers, which serve as the entry point into the target network.

Palo Alto Networks found that, in one of the attacks, an attempt to execute the China Chopper web shell failed, prompting the attackers to change tactics and run an in-memory Visual Basic Script implant from the Exchange Server instead.
After a successful intrusion, reconnaissance is conducted to map the network and identify critical servers holding valuable data, such as domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.
CL-STA-0043 has also been seen leveraging native Windows tools for privilege escalation, which allows it to create administrator accounts and run other programs with elevated privileges.

Another privilege escalation method involves abusing a Windows accessibility feature, the Sticky Keys utility (sethc.exe), to bypass the login requirement and backdoor the system.
“In attacks, attackers typically replace the sethc.exe binary, or the pointers/references to this binary in the registry, with cmd.exe,” explained Rochberger. “Once executed, it provides the attacker with an elevated command prompt shell in which they can execute arbitrary commands and other tools.”
A similar approach to establishing persistent backdoor access to a victim’s environment, using the Utility Manager (utilman.exe) instead, was documented by CrowdStrike in April.
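The following audit script is an added example and is not part of the Unit 42 report or the CrowdStrike write-up. It checks a host for the two backdoor patterns described above: an Image File Execution Options (IFEO) “Debugger” pointer in the registry that redirects an accessibility binary to another program, and the binary on disk having been replaced (for example with a copy of cmd.exe). The list of binaries beyond sethc.exe and utilman.exe is an assumption on my part, covering the other accessibility tools reachable from the lock screen; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original report. Audits Windows accessibility
# binaries for the two backdoor patterns the article describes:
#   1. an IFEO "Debugger" registry value pointing the binary at another program
#   2. the binary in System32 replaced (e.g. with a copy of cmd.exe)
function Test-AccessibilityBackdoor {
    [CmdletBinding()]
    param(
        # sethc.exe and utilman.exe are the two named in the article; the rest
        # (an assumption here) are the other lock-screen-reachable tools.
        [string[]]$Binary = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                              'magnify.exe', 'displayswitch.exe', 'atbroker.exe')
    )

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $Binary) {
        $findings = @()

        # Pattern 1: registry pointer. A Debugger value under IFEO\<name> makes
        # Windows launch that program in place of <name>, with <name>'s rights.
        $ifeoKey = Join-Path $ifeoRoot $name
        if (Test-Path $ifeoKey) {
            $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
            if ($debugger) { $findings += "IFEO Debugger -> $debugger" }
        }

        # Pattern 2: file replacement. Compare the hash with cmd.exe, check the
        # embedded OriginalFilename, and confirm the Authenticode signature.
        $path = Join-Path $system32 $name
        if (Test-Path $path) {
            $hash = (Get-FileHash $path -Algorithm SHA256).Hash
            $orig = (Get-Item $path).VersionInfo.OriginalFilename
            $sig  = Get-AuthenticodeSignature $path
            if ($hash -eq $cmdHash) {
                $findings += 'file is a byte-for-byte copy of cmd.exe'
            } elseif ($orig -and ($orig -notlike "$name*")) {
                $findings += "OriginalFilename is '$orig'"
            }
            if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
        }

        [pscustomobject]@{
            Binary   = $name
            Path     = $path
            Suspect  = ($findings.Count -gt 0)
            Findings = ($findings -join '; ')
        }
    }
}

# Show only the suspicious entries; an empty result means neither pattern was found.
Test-AccessibilityBackdoor | Where-Object Suspect | Format-Table -AutoSize
```

The hash comparison matters because a copied cmd.exe still carries a valid Microsoft signature, so a signature check alone would not flag it; the signature check is there to catch replacement with anything else.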
In addition to using Mimikatz for credential theft, the threat actor’s use of other novel methods to steal passwords, move laterally, and exfiltrate sensitive data also stands out.
It’s worth pointing out that the use of the Exchange PowerShell snap-in to export mailbox data was previously reported in the case of a Chinese state-sponsored group called Silk Typhoon (formerly Hafnium), which first came to light in March 2021 in connection with the exploitation of Microsoft Exchange Server.
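The following hunt is an added example, not code from the Unit 42 report. It looks for the mailbox-export technique mentioned above on an on-premises Exchange server: loading the Exchange management snap-in from an ordinary PowerShell session and using New-MailboxExportRequest to write a mailbox to a .pst file. It assumes the first two checks run in the Exchange Management Shell (or a remoting session to the server) and that PowerShell script-block logging (event ID 4104) is enabled for the third; the 30-day window is an arbitrary default.

```powershell
# Added example, not from the original report. Hunts for mailbox exports
# made through the Exchange PowerShell snap-in on an on-premises server.
param([int]$Days = 30)   # assumption: how far back to look
$since = (Get-Date).AddDays(-$Days)

# 1. The Exchange admin audit log records every state-changing cmdlet,
#    including who ran it and the parameters used.
$audit = Search-AdminAuditLog -Cmdlets New-MailboxExportRequest, Export-Mailbox `
    -StartDate $since -EndDate (Get-Date) -ResultSize 5000
$audit | Select-Object RunDate, Caller, CmdletName,
    @{ n = 'Mailbox';  e = { ($_.CmdletParameters | Where-Object Name -eq 'Mailbox').Value } },
    @{ n = 'FilePath'; e = { ($_.CmdletParameters | Where-Object Name -eq 'FilePath').Value } } |
    Format-Table -AutoSize

# 2. Export requests that still exist on the server. FilePath shows where the
#    .pst was staged, typically a UNC share the attacker later collects from.
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Select-Object Name, SourceAlias, FilePath, Status |
    Format-Table -AutoSize

# 3. Script-block logging catches the snap-in being loaded from a non-Exchange
#    PowerShell host (the 2010 and 2013+ snap-in names are both matched), and
#    any export cmdlet invoked from such a session.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'Microsoft\.Exchange\.Management\.PowerShell\.(SnapIn|E2010)' -or
        $_.Message -match 'New-MailboxExportRequest'
    } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-Table -Wrap
```

Legitimate administrators do export mailboxes, so treat the output as leads rather than verdicts: an export by an account that normally never touches Exchange, a FilePath on a web-accessible or unfamiliar share, or a snap-in loaded from a plain powershell.exe process rather than the Exchange Management Shell are the details that separate this technique from routine work.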
“The sophistication, adaptability, and victimology of this cluster suggest that they are highly capable APT actors and are suspected to be nation-state actors,” said Rochberger.