November 10, 2023 at 03:21AM
A group with links to Iran, known as Imperial Kitten, targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023. They utilize social engineering and various techniques such as watering hole attacks, one-day exploits, phishing, and targeting IT service providers for initial access. Microsoft notes that Iranian groups have been engaging in reactive and opportunistic cyber activity since the start of the Israel-Hamas war. Additionally, a Hamas-affiliated threat actor named Arid Viper has been launching Android spyware attacks.
Meeting Notes – Nov 10, 2023 – Newsroom Cyber Attack / Cyber Threat
– A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023.
– The attacks have been attributed to a threat actor known as Imperial Kitten, Crimson Sandstorm, TA456, Tortoiseshell, and Yellow Liderc.
– Reports from CrowdStrike, Mandiant, ClearSky, and PwC have highlighted the attacks and the use of strategic web compromises and job recruitment-themed content for social engineering.
– Compromised websites related to Israel are used to profile visitors and exfiltrate information to attacker-controlled domains.
– Imperial Kitten employs various methods for initial access, including exploitation of one-day vulnerabilities, use of stolen credentials, phishing, and targeting of upstream IT service providers.
– Phishing campaigns use macro-laced Excel documents to activate infection chains and drop a Python-based reverse shell.
– Lateral movement is achieved using PAExec and NetScan, followed by delivery of the IMAPLoader and StandardKeyboard implants.
– A remote access trojan (RAT) is used with Discord for command-and-control, and both IMAPLoader and StandardKeyboard use email messages for tasking and sending results.
– Microsoft has observed that Iranian groups are engaging in reactive and opportunistic cyber activity, amplifying claims and activities for online propaganda.
– Arid Viper, a Hamas-affiliated threat actor, has targeted Arabic speakers with Android spyware known as SpyC23 through weaponized apps.
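As an added example (not part of the original notes or of any of the cited vendor reports), the following Python triages constructed Sysmon-style process-creation and network-connection events for three behaviours described above: an Office application spawning a Python interpreter (the macro-to-reverse-shell chain), execution of PAExec or NetScan, and a non-browser process connecting to Discord. The event field names and all sample values are assumptions made for the example.

```python
import ntpath

# Constructed Sysmon-style events (id 1 = process creation, id 3 = network
# connection). Hosts, paths and command lines are made up, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\a.user\AppData\Local\Programs\Python\Python311\python.exe",
     "cmdline": 'python.exe -c "import socket,subprocess,os"'},
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\a.user\Downloads\paexec.exe",
     "cmdline": r"paexec.exe \\srv02 -u corp\svc -p ***** cmd"},
    {"id": 3, "host": "ws01", "image": r"C:\Users\a.user\AppData\Roaming\updater.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"id": 3, "host": "ws01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"id": 1, "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE quarterly.xlsx"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe",
                "wscript.exe", "cscript.exe"}
LATERAL_TOOLS = {"paexec.exe", "netscan.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


def base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def triage(events):
    """Return (host, rule, image) findings for events matching the reported TTPs."""
    findings = []
    for e in events:
        img = base(e["image"])
        if e["id"] == 1:
            # Macro-laced Excel document launching a Python reverse shell.
            if base(e["parent"]) in OFFICE_APPS and img in INTERPRETERS:
                findings.append((e["host"], "office_spawns_interpreter", img))
            # PAExec / NetScan used for lateral movement and discovery.
            if img in LATERAL_TOOLS:
                findings.append((e["host"], "lateral_movement_tool", img))
        elif e["id"] == 3:
            # Discord reached by something other than a browser: possible RAT C2.
            if e["dest_host"].endswith("discord.com") and img not in BROWSERS:
                findings.append((e["host"], "discord_from_non_browser", img))
    return findings


if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

A browser allow-list is a weak exclusion on its own; in production, pair the Discord rule with process signing or path checks so that a renamed implant cannot simply call itself chrome.exe.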
Please note that these meeting notes summarize the discussions and findings related to the cyber attack and cyber threat.