Government entities in the Middle East and Africa have been targeted by ongoing cyber espionage attacks that leverage rare and previously unseen credential theft and Exchange email exfiltration techniques.
“The main aim of the attack was to obtain highly classified and sensitive information, particularly regarding politicians, military activities and foreign ministries,” Lior Rochberger, senior threat researcher at Palo Alto Networks, said in a technical deep dive published last week.
The company’s Cortex Threat Research Team is tracking the activity under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation) and describes it as a “truly sophisticated persistent threat”.
The infection chain was triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate the target network.
Palo Alto Networks said it detected failed attempts to execute the China Chopper web shell in one of the attacks, prompting the adversary to change tactics and deploy an in-memory Visual Basic Script implant from the Exchange Server.
The successful breach was followed by reconnaissance activities to map the network and select critical servers holding valuable data, including domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.
CL-STA-0043 has also been observed leveraging native Windows tools for privilege escalation, making it possible to create admin accounts and run other programs with higher privileges.
Another privilege escalation method involves abusing Windows accessibility features, namely the “sticky keys” utility (sethc.exe), to bypass login requirements and backdoor the system.
“In an attack, the attacker usually replaces the sethc.exe binary, or pointers/references to it in the registry, with cmd.exe,” explains Rochberger. “When executed, it provides an elevated command prompt shell to an attacker to execute arbitrary commands and other tools.”
A similar approach using the Utility Manager (utilman.exe) to establish persistent backdoor access to the victim’s environment was documented by CrowdStrike earlier this April.
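The sethc.exe and utilman.exe backdoors described above leave two kinds of traces on a host: either the accessibility binary itself has been swapped for cmd.exe, or an Image File Execution Options (IFEO) “Debugger” value redirects it to another program. The following audit script is an added example written for this article; it is not code from Palo Alto Networks, CrowdStrike, or the threat actor. It assumes it is run in an elevated PowerShell session on the Windows host being checked, and the list of accessibility binaries is the author’s own (sethc.exe and utilman.exe are the two named in the article; the others are the remaining login-screen accessibility tools).

```powershell
# Added example (not from the original article): audit a Windows host for the
# accessibility-feature backdoor (sticky keys / Utility Manager) described above.
# For each accessibility binary we check:
#   1. an IFEO "Debugger" value, which makes Windows launch that program instead;
#   2. whether the file on disk is actually cmd.exe (same SHA-256) or fails
#      Microsoft signature verification, i.e. has been replaced.
# Run from an elevated PowerShell session on the host being audited.

$accessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)
$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

$findings = foreach ($bin in $accessibilityBinaries) {
    $path   = Join-Path $system32 $bin
    $result = [pscustomobject]@{
        Binary        = $bin
        IfeoDebugger  = $null
        MatchesCmdExe = $false
        SignatureOk   = $null
        Suspicious    = $false
    }

    # Check 1: IFEO Debugger hijack (registry pointer replaced rather than the file).
    $ifeoKey = Join-Path $ifeoBase $bin
    if (Test-Path $ifeoKey) {
        $dbg = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $result.IfeoDebugger = $dbg
            $result.Suspicious   = $true
        }
    }

    # Check 2: binary replacement on disk.
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -eq $cmdHash) {
            $result.MatchesCmdExe = $true
            $result.Suspicious    = $true
        }
        # System32 binaries are catalog-signed; Get-AuthenticodeSignature resolves
        # catalog signatures, so a genuine file reports Status = Valid.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.SignatureOk = ($sig.Status -eq 'Valid' -and
                               $sig.SignerCertificate.Subject -like '*Microsoft*')
        if (-not $result.SignatureOk) { $result.Suspicious = $true }
    }

    $result
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Suspicious }) {
    Write-Warning 'Possible accessibility-feature backdoor: review the flagged binaries.'
}
```

Treat a non-Valid signature as a lead rather than proof: a file that has been legitimately hot-patched or a host with a broken catalog store can also fail verification. A positive IFEO Debugger value on any of these binaries, or a sethc.exe that hashes identically to cmd.exe, is a far stronger indicator and should trigger a wider look at the host for the other activity the article describes (new admin accounts, reconnaissance tooling).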
Apart from using Mimikatz for credential theft, the threat actor’s modus operandi stands out for its use of other novel methods to steal passwords, move laterally, and exfiltrate sensitive data, such as –
It should be noted that the use of the Exchange PowerShell snap-in to export mailbox data has previously been reported in the case of a Chinese state-sponsored group referred to as Silk Typhoon (formerly Hafnium), which was first revealed in March 2021 in connection with a Microsoft Exchange Server exploit.
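Loading the Exchange Management snap-in from an arbitrary PowerShell session and issuing mailbox export cmdlets is visible in PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) when that logging is enabled on the Exchange server. The hunting script below is an added example for this article, not code from Palo Alto Networks or the Silk Typhoon/Hafnium reporting it references. It assumes script block logging is turned on, that the reader runs it on (or against a log export from) the Exchange server, and the list of cmdlet patterns is the author’s own choice of the export-related Exchange cmdlets.

```powershell
# Added example (not from the original article): hunt PowerShell script block logs
# on an Exchange server for loading of the Exchange Management snap-in and for
# mailbox export/search cmdlets, the technique described above.
# Requires script block logging to be enabled (Event ID 4104).

$patterns = @(
    'Add-PSSnapin\s+Microsoft\.Exchange\.Management',  # snap-in loaded outside EMS
    'New-MailboxExportRequest',                        # export mailbox to a .pst
    'Search-Mailbox'                                   # search/copy mailbox content
)
$since = (Get-Date).AddDays(-30)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # 4104 event properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    $text = [string]$e.Properties[2].Value
    foreach ($p in $patterns) {
        if ($text -match $p) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                UserSid = $e.UserId
                Pattern = $p
                Path    = [string]$e.Properties[4].Value
                Snippet = ($text -replace '\s+', ' ').Substring(0, [Math]::Min(160, $text.Length))
            }
            break
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No Exchange export activity found in script block logs since $since."
}
```

Exports issued by administrators through the Exchange Management Shell will also match, so the useful signal is the context: a snap-in loaded from a web-server worker process path, a user SID that is not an Exchange administrator, or export requests that land in an unusual share. On the server itself, Get-MailboxExportRequest lists any export requests that are still queued or completed and is a complementary check when script block logging was not enabled at the time.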
“The level of sophistication, adaptability, and victimology of this activity group suggests a highly capable APT threat actor, and is presumably a nation-state threat actor,” Rochberger said.