According to Palo Alto Networks ‘ Cortex Threat Research team, government entities in the Middle East and Africa have recently faced persistent cyber-espionage attacks that utilize unique methods of credential theft and Exchange email exfiltration.
These attacks, known as CL-STA-0043 (Cluster-State Backed Motivation), have been specifically aimed at obtaining sensitive and confidential information about political figures, military operations, and foreign affairs ministries. The researchers have described the attacks as an actual advanced persistent threat.
The initial phase of the attacks involves exploiting vulnerabilities in on-premises Internet Information Services (IIS) and Microsoft Exchange servers to gain access to the target networks. In one instance, the attackers attempted to use the China Chopper web shell but later shifted to an in-memory Visual Basic Script implant from the Exchange Server.
Once inside the network, the threat actors conduct reconnaissance activities to identify critical servers holding valuable data, including domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.
To escalate privileges, CL-STA-0043 utilizes native Windows tools and techniques, such as creating admin accounts and running programs with elevated privileges. Observations revealed they abuse accessibility features in Windows, like the “sticky keys” utility, to bypass login requirements and gain backdoor access to systems.
In addition to using known tools like Mimikatz for credential theft, the attackers employ various novel methods to steal passwords, move laterally within the network, and exfiltrate sensitive data.
These methods include executing a malicious DLL through network providers to harvest and export plaintext passwords, leveraging an open-source penetration testing toolset called Yasso for network spread, and utilizing Exchange Management Shell and PowerShell snap-ins to harvest targeted emails.
The level of sophistication, adaptability, and targeted victim selection displayed by this threat actor suggests the involvement of a highly capable Advanced Persistent Threat (APT) group, likely affiliated with a nation-state.
It is important to note that the use of Exchange PowerShell snap-ins for mailbox data export played out in the case of a Chinese state-sponsored group known as Silk Typhoon (formerly Hafnium), which came to light in March 2021 following the Microsoft Exchange Server exploitation incident.
The CL-STA-0043 attacks pose a significant threat, indicating the need for heightened cybersecurity measures and defense against advanced nation-state actors.
