An Iranian state-backed hacking group, Charming Kitten, has recently breached 32 Israeli organizations by exploiting unpatched Microsoft Exchange servers. The group, also tracked as TA453, Phosphorus, and Ballistic Bobcat, has a history of targeting the United States and its allies, as well as journalists and activists inside Iran. Its latest campaign, which ESET calls "Sponsoring Access," shows that victim selection was driven by exposure rather than by region or sector: any reachable Exchange server that was still vulnerable was fair game.
Researchers from ESET have documented Charming Kitten's approach in this campaign, a "scan-and-exploit" pattern in which the group first scans for internet-facing Exchange servers with known, unpatched vulnerabilities, exploits them for initial access, and then deploys a backdoor ESET named "Sponsor." Because the targeting was opportunistic, the victim list covers essentially any Israeli organization that had left Exchange unpatched, plus one organization in Brazil and one in the United Arab Emirates. This is not the first time Charming Kitten has relied on such tactics.
In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI and partner agencies, issued an advisory (AA21-321A) warning that Iranian state-sponsored actors were exploiting critical vulnerabilities in Fortinet FortiOS and Microsoft Exchange. Charming Kitten was observed attacking Israeli organizations through CVE-2021-34473, the pre-authentication path-confusion flaw in Exchange's Autodiscover front end that forms the first stage of the "ProxyShell" chain and leads to remote code execution. Microsoft had already fixed the bug in its April 2021 Exchange security updates, months before the CVE was published in July 2021, so every server exploited in this campaign was missing a patch that had been available for some time. The group used this access to drop a series of evolving payloads before ultimately settling on the Sponsor backdoor.
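The CVE-2021-34473 path-confusion exploit leaves a recognisable trace in the IIS W3C logs of the Exchange server: a request to `/autodiscover/autodiscover.json` whose query string begins with `@` (the attacker-controlled "host" that confuses the front end's URL normalisation) and, typically, an `Email=` parameter that itself contains `autodiscover/autodiscover.json`. The following Python script, an added example that is not part of the ESET research or the original article, parses W3C-format IIS log lines and flags that pattern. The log lines are constructed for the example; the IP addresses, hostnames and timestamps are not real indicators from the campaign.

```python
"""Hunt IIS W3C logs from an Exchange server for the CVE-2021-34473
(ProxyShell stage 1) Autodiscover path-confusion pattern.

The sample log below is CONSTRUCTED for this example. The hostnames,
addresses and times are placeholders, not indicators from the real campaign.
"""
from urllib.parse import unquote

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-03 10:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2021-09-03 10:14:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.7 python-requests/2.26 200
2021-09-03 10:14:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell?Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.7 python-requests/2.26 200
2021-09-03 10:15:30 10.0.0.5 GET /autodiscover/autodiscover.json - 443 CORP\\alice 10.0.0.20 MicrosoftOfficeOutlook 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the preceding #Fields: header.

    IIS writes fields space-separated and replaces embedded spaces with '+',
    so a plain split() is safe. Lines whose field count does not match the
    header are skipped; a real hunt should count those rather than drop them.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line encountered before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_proxyshell_probe(stem, query):
    """True if the request matches the CVE-2021-34473 Autodiscover path confusion.

    The exploit requests /autodiscover/autodiscover.json with a query that
    starts with '@' (so the front end treats the rest as a path on a bogus
    host) and smuggles the same path again through the Email parameter.
    """
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return False
    decoded = unquote(query)  # attackers URL-encode the inner '?' as %3F
    return decoded.startswith("@") or "email=autodiscover/autodiscover.json" in decoded.lower()


def scan_iis_log(text):
    """Return a list of suspicious requests with the fields an analyst needs to pivot."""
    hits = []
    for rec in parse_w3c(text):
        if is_proxyshell_probe(rec["cs-uri-stem"], rec["cs-uri-query"]):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "query": unquote(rec["cs-uri-query"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['c-ip']} {hit['method']} HTTP {hit['status']} :: {hit['query']}")
```

The legitimate Outlook Autodiscover request at the end of the sample is not flagged, because its query is empty. On a real server the same check belongs on the Exchange HttpProxy logs under `Logging\HttpProxy\Autodiscover` as well, which record the back-end routing decision and survive IIS log rotation differently; a 200 response to one of these probes is the cue to look for web shells and new files under the Exchange install tree next.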
Sponsor is a conventional backdoor: it collects information about the compromised host and sends it to a command-and-control server, and it lets the operator execute commands and download files onto the machine. Charming Kitten has consistently used exposed Exchange servers as the beachhead from which to drop Sponsor alongside open-source tooling such as Mimikatz (credential theft) and Plink (SSH tunnelling) into Israeli networks running outdated Exchange builds.
The Sponsoring Access campaign primarily hits organizations that have neglected to patch. It is opportunistic rather than targeted: in 16 of the 34 observed cases, other threat actors also had access to the same compromised networks, which is what one expects when several groups are scanning the same pool of unpatched servers. Scanning for and exploiting known vulnerabilities is a common way for advanced persistent threats (APTs) to widen their reach. Still, ESET researcher Adam Burgher notes that this campaign was particularly widespread compared to others.
The victims include a media outlet, a medical law firm, two IT companies, and vendors of skincare products, food, and diamonds, among others. Although the large majority of targets were Israeli, two were elsewhere: one organization in the United Arab Emirates and a medical cooperative and health insurance operator in Brazil.
Defending against the Sponsoring Access intrusions is, at least in principle, straightforward: the initial access depended entirely on known Exchange vulnerabilities for which patches had long been available, so keeping Exchange current closes the door. Two caveats follow from ESET's own findings. First, patching stops new exploitation but does not evict anyone who is already inside, and nearly half of the victims had more than one intruder, so a server found unpatched should be treated as potentially compromised and investigated, not just updated. Second, you can only patch what you know you have, which is why Burgher stresses proper asset management, regular patching, and good audit logs as the foundation of a defence.
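An asset-management check for this campaign comes down to one question per Exchange server: is the installed build at or above the one that carries the April 2021 security update? The Outlook Web App logon page embeds the server build in its resource paths (`/owa/auth/<build>/...`), which is how external scanners fingerprint Exchange. The following Python, an added example and not code from ESET or the article, extracts that build from a saved logon page and classifies it. The build-number thresholds in `MIN_FIXED` are taken from memory of Microsoft's published Exchange build table and are an assumption to verify against that table before relying on the result; the logon page HTML is constructed for the example.

```python
"""Classify an Exchange server build as patched or not for CVE-2021-34473.

ASSUMPTION: MIN_FIXED lists, per cumulative update (CU), the first build that
includes the April 2021 security update. The values are recalled from
Microsoft's "Exchange Server build numbers and release dates" table and must
be verified against it. The sample logon page is CONSTRUCTED for this example.
"""
import re

# (major, minor) -> {CU build component: minimum SU component carrying the fix}
MIN_FIXED = {
    (15, 0): {1497: 15},            # Exchange 2013 CU23 -> 15.0.1497.15
    (15, 1): {2176: 12, 2242: 8},   # Exchange 2016 CU19 -> 15.1.2176.12, CU20 -> 15.1.2242.8
    (15, 2): {792: 15, 858: 10},    # Exchange 2019 CU8  -> 15.2.792.15,  CU9  -> 15.2.858.10
}
BRANCH = {(15, 0): "Exchange 2013", (15, 1): "Exchange 2016", (15, 2): "Exchange 2019"}

# OWA's logon page references static resources under /owa/auth/<build>/.
BUILD_RE = re.compile(r"/owa/auth/(\d+)\.(\d+)\.(\d+)\.(\d+)/")

SAMPLE_LOGON_PAGE = """<!DOCTYPE html><html><head><title>Outlook</title>
<link rel="shortcut icon" href="/owa/auth/15.1.2242.4/themes/resources/favicon.ico" type="image/x-icon">
<link href="/owa/auth/15.1.2242.4/themes/resources/logon.css" rel="stylesheet" type="text/css">
</head><body><form action="/owa/auth.owa" method="POST"></form></body></html>"""


def fmt(build):
    return ".".join(str(part) for part in build)


def extract_owa_build(html):
    """Return the build as a tuple of four ints, or None if the page does not expose one."""
    match = BUILD_RE.search(html)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(build):
    """Return (status, detail) where status is 'patched', 'vulnerable' or 'unknown'.

    Comparison is per CU rather than by a single threshold: a CU19 server with
    the April SU (15.1.2176.12) is patched even though 15.1.2176.12 sorts
    below the unpatched CU20 RTM build 15.1.2242.4.
    """
    branch = build[:2]
    if branch not in MIN_FIXED:
        return "unknown", f"unrecognised Exchange branch for build {fmt(build)}"
    name = BRANCH[branch]
    fixed_cus = MIN_FIXED[branch]
    cu, su = build[2], build[3]
    if cu in fixed_cus:
        if su >= fixed_cus[cu]:
            return "patched", f"{name} build {fmt(build)} includes the April 2021 SU"
        needed = fmt((branch[0], branch[1], cu, fixed_cus[cu]))
        return "vulnerable", f"{name} build {fmt(build)} predates the April 2021 SU; needs {needed} or later"
    if cu > max(fixed_cus):
        return "patched", f"{name} build {fmt(build)} is a CU released after the fix"
    return "vulnerable", f"{name} build {fmt(build)} is an out-of-support CU with no fix; upgrade the CU"


def assess_logon_page(html):
    """Convenience wrapper: fingerprint the page, then classify the build."""
    build = extract_owa_build(html)
    if build is None:
        return "unknown", "no build string found in the OWA logon page"
    return assess(build)


if __name__ == "__main__":
    status, detail = assess_logon_page(SAMPLE_LOGON_PAGE)
    print(f"{status}: {detail}")
```

Treat the OWA-derived build as a triage signal, not proof: on some older builds the path reflects the CU and not the security update applied on top of it, so a server that looks vulnerable from outside should be confirmed on the box, for example by reading the file version of `ExSetup.exe` from the Exchange bin directory or by running Microsoft's Exchange Health Checker script. A server that looks vulnerable from the outside is also exactly what Charming Kitten's scanners were looking for, so the external view is the one that matters for exposure.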
In conclusion, Charming Kitten's campaign against Israeli organizations through unpatched Microsoft Exchange servers is a reminder that much state-backed intrusion activity is opportunistic and rides on vulnerabilities with patches already available. Organizations that keep an accurate inventory of their exposed services, patch them promptly, and retain the logs needed to check whether anyone got in first are far less attractive to this kind of scan-and-exploit campaign.
