Beware of the Rising New Threats!
On June 19, 2023, governments in the Middle East and Africa were hit by sustained cyber-espionage attacks that leverage never-before-seen techniques. How did this happen and what kind of techniques did the hackers utilise? Let’s delve into the story…
Because this attack will likely cause major concern across the digital landscape, the Palo Alto Networks research team dug deeper into the incident. Their senior threat researcher, Lior Rochberger, stated that the main goal of the attacks was to obtain highly confidential and sensitive information, specifically relating to politicians, military activities, and ministries of foreign affairs.
The team also attributed the attack to a threat cluster it is currently tracking under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), which it describes as “a true advanced persistent threat.” The new evasive techniques and tools observed include an in-memory VBS implant used to run a web shell clandestinely, a novel Exchange email exfiltration technique, and a rare credential theft technique seen in public for the first time.
As for the attack process, the infection chain starts with the threat actor exploiting vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to breach target networks. The research team also noted that in one of the attacks it detected failed attempts to execute the China Chopper web shell, which prompted the adversary to shift tactics and deploy an in-memory Visual Basic Script implant from the Exchange server instead. After gaining access to the target network, the threat actor performed reconnaissance to identify critical assets and then used native Windows privilege escalation tools (the Potato suite) to create administrative accounts and to run various tools that require elevated privileges.
Having examined the inner workings of this attack, Rochberger has declared the actor highly capable and one that should be considered a nation-state threat. One lesson we can take from this attack is that we should always treat our assets as vulnerable and never let up on the effort of securing them.