Two Iranian cyberespionage campaigns have been reported this week, highlighting the ongoing threat posed by Iranian state-sponsored hackers. The first campaign, attributed to an APT group known as Ballistic Bobcat (also referenced as APT35/APT42, Charming Kitten, TA453, or PHOSPHORUS), is currently targeting organizations in Brazil, Israel, and the United Arab Emirates. The group is using a new backdoor called “Sponsor” to gain access to target systems. The backdoor is designed to appear innocuous and evade detection by scanning engines.
The second campaign, carried out by the Iranian state-sponsored group Peach Sandstorm (formerly known as HOLMIUM), has been launching password-spraying attacks against thousands of organizations since February 2023. The group has a particular focus on the satellite, defense, and pharmaceutical sectors. Microsoft warns that Peach Sandstorm is using legitimate credentials obtained through password spray attacks to authenticate to targets’ systems and deploy various tools for espionage purposes. The group has also created new Azure subscriptions to carry out further attacks on other organizations’ environments.
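The password-spray pattern described above (many accounts, one or two passwords each, from a single source, followed by a successful sign-in with the credential that worked) is the kind of thing a SOC can hunt for in sign-in logs. The following is an added detection example written for this page; it is not Microsoft's code or anything from the reports cited here. The log lines are constructed, the field layout is a simplified stand-in for cloud sign-in records, and the thresholds (5 distinct accounts within 30 minutes, at most 3 failures per account) are assumptions to tune per environment.

```python
"""Password-spray detection over constructed sign-in events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp, user, source IP, result.
# 203.0.113.7 sprays eight accounts once each, then signs in as user05.
# 198.51.100.4 is a normal user who mistypes a password twice.
# 192.0.2.9 hammers one account (brute force, not a spray).
SAMPLE_EVENTS = [
    "2023-09-12T08:00:01Z user01@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:09Z user02@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:17Z user03@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:25Z user04@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:33Z user05@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:41Z user06@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:49Z user07@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:00:57Z user08@example.test 203.0.113.7 FAILURE",
    "2023-09-12T08:31:10Z user05@example.test 203.0.113.7 SUCCESS",
    "2023-09-12T08:05:00Z user03@example.test 198.51.100.4 FAILURE",
    "2023-09-12T08:05:20Z user03@example.test 198.51.100.4 FAILURE",
    "2023-09-12T08:05:40Z user03@example.test 198.51.100.4 SUCCESS",
    "2023-09-12T08:10:00Z admin@example.test 192.0.2.9 FAILURE",
    "2023-09-12T08:10:10Z admin@example.test 192.0.2.9 FAILURE",
    "2023-09-12T08:10:20Z admin@example.test 192.0.2.9 FAILURE",
    "2023-09-12T08:10:30Z admin@example.test 192.0.2.9 FAILURE",
    "2023-09-12T08:10:40Z admin@example.test 192.0.2.9 FAILURE",
    "2023-09-12T08:10:50Z admin@example.test 192.0.2.9 FAILURE",
]


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "result": result,
    }


def detect_password_spray(lines, window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """Return {source_ip: finding} for IPs whose failed sign-ins, within any
    sliding window, span at least `min_users` distinct accounts with no more
    than `max_per_user` failures per account (the spray signature). A brute
    force against a single account does not match because it has few
    distinct users and many failures per user. Each finding also lists the
    accounts that later signed in successfully from that IP, i.e. the
    credentials the spray likely yielded."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAILURE"]
        best = None
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the window fits the time bound.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            attempts = Counter(f["user"] for f in failures[start:end + 1])
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                if best is None or len(attempts) > best["accounts_targeted"]:
                    best = {"window_start": failures[start]["ts"],
                            "accounts_targeted": len(attempts)}
        if best is not None:
            compromised = sorted({e["user"] for e in evs
                                  if e["result"] == "SUCCESS"
                                  and e["ts"] >= best["window_start"]})
            findings[ip] = {"accounts_targeted": best["accounts_targeted"],
                            "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On the constructed sample only 203.0.113.7 is flagged, with eight accounts targeted and user05 listed as compromised; the brute-force source and the fumbling legitimate user are not. A hit on the "compromised" list is the trigger for revoking sessions and resetting that credential, and, given the Azure subscription abuse noted above, for reviewing any subscriptions or resources created under that identity afterwards.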
In addition to these cyberespionage campaigns, a recent report from Symantec (a Broadcom company) reveals that a separate threat actor, tracked as Redfly, used the ShadowPad Trojan to maintain access to a national grid in an Asian country for up to six months. While Symantec has not observed any disruptive activity from Redfly, the fact that such intrusions have occurred in other regions raises concerns about potential future attacks on critical national infrastructure. Such attacks could disrupt power supplies and other vital services during times of increased political tension.
Meanwhile, Microsoft has uncovered a criminal access broker known as Storm-0324, which uses phishing lures distributed through Microsoft Teams messages. Storm-0324 primarily focuses on delivering JSSLoader malware before granting access to the Sangria Tempest ransomware actor, also known as FIN7. The threat actor’s phishing emails typically reference invoices and payments, imitating services like DocuSign and Quickbooks. Once users are redirected to a SharePoint-hosted compressed file, malicious DLL payloads are downloaded onto their systems.
Two major ransomware attacks have also been reported this week, targeting MGM Resorts and Caesars Entertainment. Cybercriminals have reportedly stolen six terabytes of data from the two companies. An English-speaking affiliate of ALPHV (BlackCat), tracked as Scattered Spider, has claimed responsibility for the attack on MGM Resorts. The group reportedly planned at first to manipulate slot machines and drain them using money mules, but turned to social engineering after encountering difficulties. The attackers gained access to the company's systems through conventional social engineering, using remote-access software and impersonating an employee whose details they had gathered from public sources.
The attack on MGM Resorts involved not only data theft but also the encryption of over 100 ESXi hypervisors, according to a statement from ALPHV. The group claims to have launched ransomware against the hypervisors after the company failed to respond to its attempts at communication. Researchers have suggested a possible overlap between Scattered Spider and the group known as Lapsus$, based on similar tactics and demographic characteristics.
MGM Resorts has issued a statement acknowledging the cybersecurity issue and stating that an investigation is ongoing. Moody's Investors Service has deemed the incident credit negative for the company, primarily because of the potential revenue losses from system downtime and the reputational risk. Caesars Entertainment has also reported a cyberattack, with its loyalty program database compromised. While member credentials and banking information were not exposed, driver's license numbers and Social Security numbers for a significant number of customers were accessed. Moody's states that the cyberattack on Caesars is also credit negative but does not currently affect the company's ratings or outlook.
These recent cyberespionage campaigns and ransomware attacks highlight the ongoing threat posed by Iranian state-sponsored hackers and cybercriminals. Organizations must remain vigilant and implement robust cybersecurity measures to protect against such threats.
