Source: www.databreachtoday.com – Author: 1
Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Social Engineering
Mandiant Says APT42 Members Have Been Posing as Journalists to Steal Troves of Data
Chris Riotta (@chrisriotta) •
May 3, 2024
Members of an Iranian state hacking group have been observed posing as journalists and event organizers from The Washington Post, The Economist and other major news outlets as part of an effort to harvest credentials and hack into global cloud networks.
Mandiant on Wednesday published a report on APT42, an Iranian threat actor that uses “enhanced social engineering schemes to gain access to victim networks, including cloud environments.”
The hacking group recently exfiltrated data “of strategic interest to Iran” while using open-source tools and built-in network features to avoid detection, according to the report. Mandiant said the hackers have also started engaging in malware-based operations through two custom backdoors dubbed NiceCurl and TameCat, which allow the group to deploy additional malware across victim networks.
The hackers masqueraded as journalists from credible news outlets in spear-phishing campaigns that involved sending malicious links to fake Google login pages and then collecting troves of credentials from targets in the policy and government sectors, as well as journalists and media organizations, the report said.
APT42 also targeted researchers, NGO leaders and human rights activists perceived as threats to the Iranian government with “invitations to conferences or legitimate documents hosted on cloud infrastructure.”
Mandiant suggested the extent of APT42’s impact across sectors could be much wider than what is currently known “since the initial enabler of these operations lies with credential harvesting, which APT42 conducts worldwide.” The Google-owned threat intelligence firm said APT42’s techniques have allowed the group to covertly access and compromise Microsoft 365 environments, at times impersonating high-ranking personnel working at well-known organizations such as the Aspen Institute.
The hackers occasionally searched for specific files and data relating to Iranian foreign affairs issues as well as Middle East issues and Russia’s war in Ukraine. The group used simple techniques to evade detection, such as clearing Google Chrome browser histories and using anonymized infrastructure such as ExpressVPN nodes and Cloudflare-hosted domains to interact with the victim’s environment.
In at least one instance, Mandiant said, the group established a “persistent” login mechanism by leveraging Microsoft’s app password feature, likely avoiding having to re-verify their identity with multifactor authentication.
Mandiant said APT42 is “a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest.”
In April, the U.S. federal government unsealed a multi-count criminal indictment against four alleged Iranian state hackers, announced sanctions against the group and offered a reward of up to $10 million for their capture (see: US Pressures Iran Over Phishing Campaign Against Feds).
Original Post url: https://www.databreachtoday.com/new-report-exposes-iranian-hacking-groups-media-masquerade-a-25011
Category & Tags: –
