Third-party code, Email security, Threat Intelligence

‘Scan-and-exploit’ campaign snares unpatched Exchange servers

Iran’s President Ebrahim Raisi officially welcomed Iraqi President Abdul Latif Rashid at Saadabad Cultural Historical Complex on April 29 in Tehran, Iran. A newly discovered campaign by an Iranian APT has snared victims in Israel, Brazil and the United Arab Emirates. (Photo by Sakineh Salimi/Borna News/Aksonline) ATPImages/Getty Images)

Organizations running unpatched Microsoft Exchange servers were the focus of a campaign by Iranian APT Charming Kitten.

The threat group — also called Ballistic Bobcat, TA453 and Phosphorus — used a previously unseen backdoor malware in the campaign that is known to have hit at least 34 victims operating across a diverse range of business verticals.

In a Sept. 11 analysis of the campaign, ESET researcher Adam Burgher, who discovered the new backdoor used in the campaign, said all but two of the victim organizations were based in Israel, with the others were located in Brazil and the United Arab Emirates.

The threat group “obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses,” Burgher said.

The “scan-and-exploit” nature of the campaign meant the compromised organizations were “victims of opportunity” rather than pre-selected targets.

The victim set covers a diverse range of industries — including automotive, manufacturing, engineering, financial services, media, healthcare, technology and telecommunications — and some had an “apparent lack of obvious intelligence value” that would normally spark the interest of an APT group.

But what the victims did all appear to have in common was known vulnerabilities left unpatched on their Exchange servers.

ESET identified a critical Exchange remote code execution vulnerability, CVE-2021-26855, as the likely means of initial access in 23 of the 34 attacks. Microsoft released a patch for the vulnerability (which has a CVSS rating of 9.8) in March 2021.

Further reinforcing the risks of not patching known vulnerabilities, Burgher said ESET’s research revealed that for 16 of the 34 victims of the campaign, it appeared Charming Kitten was not the only threat actor to have gained access to their systems.

“The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” Burgher said.

One of the victims of the campaign, an Israeli company operating an insurance marketplace, was initially attacked by Charming Kitten in August 2021. The tools used in that attack were described three months later in an alert from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies.

The new backdoor Burgher discovered, which ESET calls Sponsor, was first deployed as part of Charming Kitten’s arsenal in September 2021. Written in C++, it enables standard backdoor operations including gathering information about the target system and uploading and downloading data and commands via a command-and-control server.

The backdoor uses configuration files stored on disk which are discreetly deployed by batch files, and deliberately designed to appear innocuous, in an attempt to evade detection by scanning engines.

“This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years,” Burgher said.

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.