
APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data


The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments.

Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week.

“APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents,” the company said.

“These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection.”

APT42 (aka Damselfly and UNC788), first documented by the company in September 2022, is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

It’s assessed to be a subset of another infamous threat group tracked as APT35, which is also known by various names including CALANQUE, CharmingCypress, Charming Kitten, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.


Both the groups are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), but operate with a different set of goals.

While Charming Kitten focuses more on long-term, malware-intensive operations targeting organizations and companies in the U.S. and Middle East to steal data, APT42, in contrast, targets specific individuals and organizations that the regime has its eye on for the purposes of domestic politics, foreign policy, and regime stability.

Earlier this January, Microsoft attributed the Charming Kitten actor to phishing campaigns targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. since November 2023.


Attacks mounted by the group are known to involve extensive credential harvesting operations to gather Microsoft, Yahoo, and Google credentials via spear-phishing emails containing malicious links to lure documents that redirect the recipients to a fake login page.

In these campaigns, the adversary has been observed sending emails from domains typosquatting the original entities and masquerading as news outlets; legitimate services like Dropbox, Google Meet, LinkedIn, and YouTube; and mailer daemons and URL shortening tools.
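One defensive check that follows from the sender-domain tactics described above, written here as an added example (not code from Mandiant's report): compare each inbound sender's registrable domain against a short list of legitimate services and flag lookalikes, both single-character edits and brand names embedded in an unrelated domain. The brand list and the sample senders are constructed for illustration.

```python
# Added example: flag sender domains that imitate legitimate services.
from typing import Optional

# Services the report says were impersonated; exact domain spellings are assumed.
LEGIT_DOMAINS = ["dropbox.com", "google.com", "linkedin.com", "youtube.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(sender: str) -> str:
    """Crude registrable-domain extraction: last two labels of the address domain.
    A production check should use the Public Suffix List instead."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(">")
    return ".".join(domain.split(".")[-2:])

def typosquat_match(sender: str, max_distance: int = 2) -> Optional[str]:
    """Return the legitimate domain a sender appears to imitate, or None.
    Exact matches are never flagged; embedded brand names and near-misses are."""
    dom = registrable_domain(sender)
    if dom in LEGIT_DOMAINS:
        return None
    label = dom.split(".")[0]
    for legit in LEGIT_DOMAINS:
        if legit.split(".")[0] in label:      # e.g. brand-share.com
            return legit
    best = min(LEGIT_DOMAINS, key=lambda legit: levenshtein(dom, legit))
    return best if levenshtein(dom, best) <= max_distance else None

# Constructed sample senders; these are not indicators from the report.
SAMPLE_SENDERS = [
    "no-reply@dropbox.com",             # genuine domain, not flagged
    "notifications@dropbox-share.com",  # brand name padded with a hyphenated word
    "invite@linkedln.com",              # 'i' swapped for 'l'
    "alerts@youtubee.com",              # doubled letter
    "editor@example-news.org",          # unrelated domain, not flagged
]

def flag_typosquats(senders=SAMPLE_SENDERS) -> dict:
    """Map each suspicious sender to the domain it imitates."""
    return {s: m for s in senders if (m := typosquat_match(s))}
```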

The credential-grabbing attacks are complemented by data exfiltration activities targeting the victims’ public cloud infrastructure to get hold of documents that are of interest to Iran, but only after gaining their trust – something Charming Kitten is well-versed at.

Figure: Known malware families associated with APT42

“These operations began with enhanced social engineering schemes to gain the initial access to victim networks, often involving ongoing trust-building correspondence with the victim,” Mandiant said.

“Only then the desired credentials are acquired and multi-factor authentication (MFA) is bypassed, by serving a cloned website to capture the MFA token (which failed) and later by sending MFA push notifications to the victim (which succeeded).”

In an effort to cover up its tracks and blend in, the adversary has been found relying on publicly available tools, exfiltrating files to a OneDrive account masquerading as the victim’s organization, and employing VPN and anonymized infrastructure to interact with the compromised environment.


Also used by APT42 are two custom backdoors that act as a jumping point to deploy additional malware or to manually execute commands on the device –

  • NICECURL (aka BASICSTAR) – A backdoor written in VBScript that can download additional modules to be executed, including data mining and arbitrary command execution
  • TAMECAT – A PowerShell toehold that can execute arbitrary PowerShell or C# content

It’s worth noting that NICECURL was previously dissected by cybersecurity company Volexity in February 2024 in connection with a series of cyber attacks aimed at Middle East policy experts.

“APT42 has remained relatively focused on intelligence collection and targeting similar victimology, despite the Israel-Hamas war that has led other Iran-nexus actors to adapt by conducting disruptive, destructive, and hack-and-leak activities,” Mandiant concluded.

“The methods deployed by APT42 leave a minimal footprint and might make the detection and mitigation of their activities more challenging for network defenders.”
