TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: APT42, an Iranian state-sponsored threat actor, has demonstrated a persistent and methodical focus on espionage, which represents a significant and ongoing threat to global organizations. Through sophisticated social-engineering attacks, the group establishes initial access into victim organizations and exfiltrates sensitive information.
On May 1st, Mandiant (now a part of Google Cloud) released a report on APT42 (aka Charming Kitten, Mint Sandstorm, TA453, Yellow Garuda, ITG18) using enhanced social engineering to gain access to victim networks, including cloud environments. APT42 is an Iranian state-sponsored cyber espionage actor, assessed to be operating on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The group has been observed targeting Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists.
APT42 employs sophisticated social engineering tactics through three distinct clusters to target a variety of victims, ranging from journalists and researchers to activists and defense-related individuals.
Cluster A, active since 2021, focuses on impersonating news outlets and NGOs. APT42 uses typosquatted domains resembling those of reputable news organizations such as The Washington Post and The Economist to lure victims, primarily journalists and geopolitical researchers, with fake articles leading to counterfeit Google login pages.
Cluster B, operational since 2019, targets individuals perceived as a threat to the Iranian regime. This cluster masquerades as legitimate services like file hosting and YouTube, using domains characterized by hyphen-separated words and various top-level domains (.top, .online, .site, .live). The attackers send spear-phishing emails that mimic invitations to conferences or legitimate documents, deceiving victims into entering their credentials on fake login pages.
Cluster C, active from 2022 onwards, directs its efforts towards individuals associated with defense, foreign affairs, and academic issues in the U.S. and Israel. The methods here include posing as NGOs, utilizing "Mailer Daemon" notifications, and mimicking the Bitly URL shortening service to create authentic-looking phishing links. These links lead to crafted pages that imitate Microsoft 365 login screens, aiming to harvest credentials from unsuspecting victims.
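The three clusters above share a small set of infrastructure patterns: look-alike domains for news outlets, Google/YouTube, Bitly and Microsoft 365, and, for Cluster B, hyphen-separated labels under .top, .online, .site and .live. The following script, an example added to this briefing rather than code from Mandiant or eSentire, turns those reported patterns into a triage heuristic that a defender can run over a list of domains from proxy or mail logs. The brand labels, the similarity and flag thresholds, and the sample domains are assumptions constructed for the example.

```python
"""Heuristic triage of candidate phishing domains against the lure patterns
attributed to APT42's three clusters. Added example, not Mandiant's or
eSentire's code; brand labels, thresholds and sample domains are assumptions."""
from difflib import SequenceMatcher
from typing import Optional

# Brands the report says APT42 impersonated (news outlets, Google/YouTube,
# Bitly, Microsoft 365). The registrable labels below are our assumption.
IMPERSONATED_BRANDS = ("bitly", "economist", "google", "microsoft",
                       "washingtonpost", "youtube")
# TLDs the report associates with Cluster B infrastructure.
CLUSTER_B_TLDS = {"top", "online", "site", "live"}
# Registrable domains of the real brands (assumed allow-list for this example).
KNOWN_GOOD = {"bit.ly", "economist.com", "google.com", "microsoft.com",
              "washingtonpost.com", "youtube.com"}
SIMILARITY_THRESHOLD = 0.8   # assumed cut-off for typosquat similarity
FLAG_THRESHOLD = 2           # assumed minimum score to surface for review


def split_labels(domain: str) -> list:
    """Lower-case a host name and split it into DNS labels (no trailing dot)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified host name: {domain!r}")
    return labels


def brand_match(labels: list) -> Optional[str]:
    """Return the impersonated brand a host name contains or closely resembles."""
    # Substring check over the whole name with hyphens removed catches
    # 'washingtonpost-news' and 'bit-ly' style lures.
    compact = "".join(labels[:-1]).replace("-", "")
    for brand in IMPERSONATED_BRANDS:
        if brand in compact:
            return brand
    # Per-label similarity catches single-character typosquats ('wasingtonpost').
    for label in labels[:-1]:
        for brand in IMPERSONATED_BRANDS:
            ratio = SequenceMatcher(None, label.replace("-", ""), brand).ratio()
            if ratio >= SIMILARITY_THRESHOLD:
                return brand
    return None


def score_domain(domain: str) -> dict:
    """Score one host name; higher means more consistent with the reported lure patterns."""
    labels = split_labels(domain)
    second_level, tld = labels[-2], labels[-1]
    if f"{second_level}.{tld}" in KNOWN_GOOD:
        return {"domain": domain, "score": 0, "flag": False,
                "reasons": ["known-good registrable domain"]}
    score, reasons = 0, []
    brand = brand_match(labels)
    if brand:
        score += 3
        reasons.append(f"resembles impersonated brand '{brand}' (Cluster A/C lure pattern)")
    if tld in CLUSTER_B_TLDS:
        if "-" in second_level:
            score += 2
            reasons.append(f"hyphen-separated words under .{tld} (Cluster B infrastructure pattern)")
        else:
            score += 1
            reasons.append(f"TLD .{tld} used by Cluster B infrastructure")
    return {"domain": domain, "score": score, "flag": score >= FLAG_THRESHOLD,
            "reasons": reasons}


def triage(domains) -> list:
    """Return flagged host names, highest score first, for analyst review."""
    results = [score_domain(d) for d in domains]
    return sorted((r for r in results if r["flag"]), key=lambda r: -r["score"])


if __name__ == "__main__":
    # Constructed sample: real brand hosts mixed with lure-style look-alikes.
    sample = ["www.washingtonpost.com", "washingtonpost-news.top", "wasingtonpost.org",
              "bit-ly.site", "conference-invite.online", "example.com"]
    for hit in triage(sample):
        print(f"{hit['score']}  {hit['domain']:28} {'; '.join(hit['reasons'])}")
```

The allow-list check runs first so that legitimate brand hosts never score, and the hyphen pattern only adds weight under the TLDs the report names, which keeps ordinary hyphenated .com domains out of the queue. Scores are a prioritisation aid for an analyst, not a block decision.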
As an extension of their credential harvesting operations, during 2022-2023, APT42 exfiltrated numerous documents of interest to Iran and sensitive information from the victims’ public cloud infrastructure. This starts with elaborate social engineering tactics that involve trust-building through ongoing correspondence with the targets, often under the guise of legitimate NGOs. After establishing a level of trust, APT42 employs credential harvesting techniques to obtain access to victim networks. This is often accompanied by bypassing Multi-Factor Authentication (MFA) using cloned websites to capture MFA tokens. When direct MFA bypass fails, APT42 resorts to sending MFA push notifications, which have proven to be more effective. Once access to the Microsoft 365 environment is established, APT42 exploits built-in features and open-source tools to avoid detection. They collect sensitive documents and information that are of strategic interest to Iran, such as data related to foreign affairs and specific geographic regions.
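The fallback described above, repeated MFA push notifications until a target approves one, leaves a recognisable trace in identity-provider sign-in logs: several prompts for one account in a short window, often denials followed by an approval. The script below is an example added to this briefing, not eSentire's or Mandiant's detection content; it reads a simplified key=value log format, with the window, threshold and log lines all constructed assumptions, and raises one alert per affected user with a severity that distinguishes bombardment alone from bombardment that ended in an approval.

```python
"""Detect MFA push-fatigue ('push bombing') sequences in sign-in logs.
Added example, not eSentire's or Mandiant's code; the log format, window and
threshold are assumptions and the sample log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: prompts within this span count together
PROMPT_THRESHOLD = 3             # assumed: this many prompts in a window is suspicious

# Constructed sample log: one 'event=mfa_push' line per push notification.
SAMPLE_LOG = """\
2024-05-03T08:00:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-05-03T08:01:10Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-05-03T08:02:30Z user=alice event=mfa_push result=approved src=203.0.113.7
2024-05-03T08:05:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2024-05-03T08:06:00Z user=bob event=signin result=success src=198.51.100.4
2024-05-03T09:30:00Z user=carol event=mfa_push result=denied src=203.0.113.7
2024-05-03T09:31:00Z user=carol event=mfa_push result=denied src=203.0.113.7
2024-05-03T09:33:00Z user=carol event=mfa_push result=denied src=203.0.113.7
2024-05-03T10:00:00Z user=dave event=mfa_push result=denied src=198.51.100.9
2024-05-03T10:40:00Z user=dave event=mfa_push result=approved src=198.51.100.9
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_push_fatigue(lines) -> list:
    """Return one alert per user whose push prompts reach the threshold in a window.

    Severity is 'high' when an approval follows a denial inside the window
    (the outcome the attacker wants) and 'medium' for repeated denials alone.
    """
    pushes = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") == "mfa_push":
            pushes[ev["user"]].append(ev)

    alerts = []
    for user, events in pushes.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            # All prompts for this user that fall within WINDOW before the i-th one.
            window = [e for e in events[:i + 1] if ev["ts"] - e["ts"] <= WINDOW]
            if len(window) < PROMPT_THRESHOLD:
                continue
            denied = sum(e["result"] == "denied" for e in window)
            approved_after_denial = any(
                e["result"] == "approved" and any(d["result"] == "denied" for d in window[:j])
                for j, e in enumerate(window))
            alerts.append({
                "user": user,
                "prompts": len(window),
                "denied": denied,
                "approved_after_denial": approved_after_denial,
                "severity": "high" if approved_after_denial else "medium",
                "window_start": window[0]["ts"],
                "window_end": window[-1]["ts"],
                "sources": sorted({e["src"] for e in window}),
            })
            break   # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity'].upper()}] {a['user']}: {a['prompts']} push prompts "
              f"({a['denied']} denied) between {a['window_start']:%H:%M:%S} and "
              f"{a['window_end']:%H:%M:%S} from {', '.join(a['sources'])}")
```

In the constructed sample, alice receives two denials and then approves, which is the high-severity case; carol's three denials in three minutes are medium; dave's two prompts forty minutes apart do not meet the threshold. Number-matching or phishing-resistant MFA removes the approval path entirely, so the high-severity alert should become rare once those controls are in place.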
Additionally, APT42 utilizes custom malware to support their cyber espionage operations, namely two specific backdoors, TAMECAT and NICECURL. NICECURL is a VBScript-based backdoor capable of downloading additional modules for data mining and command execution. This backdoor communicates securely over HTTPS and is typically delivered through spear-phishing emails that contain decoy content, such as fake interview feedback forms or documents appearing to originate from credible organizations. TAMECAT is described as a “PowerShell toehold” capable of executing arbitrary PowerShell or C# scripts. TAMECAT is also delivered through spear-phishing campaigns, but unlike NICECURL, which is downloaded via malicious Windows Shortcut (LNK) files, TAMECAT is dropped by malicious macro-enabled documents. It communicates with its Command-and-Control (C2) server using HTTP, expecting Base64 encoded data, which it decodes to execute commands sent from its operators.
Unlike some Iran-nexus actors that have shifted towards more disruptive and destructive attacks amidst the Israel-Hamas conflict, APT42 has primarily maintained focus on intelligence gathering, often targeting entities that align with Iran's geopolitical interests.
The group's use of social engineering to build trust and harvest credentials highlights a deep psychological understanding and strategic patience. APT42 meticulously crafts personas and scenarios that appear credible over extended interactions, thus enhancing the effectiveness of their spear-phishing campaigns.
The multi-vector attack strategy employed by APT42, which includes both cloud-based credential theft and direct malware infections, presents challenges for cybersecurity defenses. This approach not only allows multiple entry points into target networks but also complicates the detection and mitigation processes. In order to prevent potential data breaches, intellectual property theft, or reputational damage, organizations must implement a multi-layered, defense-in-depth approach to security. This should begin with strengthening credential management practices and deploying advanced detection systems to identify potential breaches or unusual activity. Fostering a culture of cybersecurity awareness is crucial; educating employees on the dangers of social engineering and phishing can greatly diminish the risk of successful attacks. Additionally, deploying an Endpoint Detection and Response (EDR) solution, routinely performing security audits, and applying stringent access controls are essential measures that can significantly mitigate the risks associated with these sophisticated cyber threats.
The eSentire Threat Intelligence team is performing threat hunts for known APT42 related indicators.
Bottom Line: London Drugs has been impacted by a “cybersecurity incident” that resulted in the closure of stores across Canada. Public reporting and London Drugs’ response actions suggest that the pharmaceutical company was impacted by a ransomware attack.
On April 28th, the Canadian pharmaceutical company London Drugs disclosed that the company had been impacted by a cybersecurity incident. Technical details on the incident have not been shared publicly at the time of writing. The attack resulted in phone line outages and the closure of stores across British Columbia, Alberta, Saskatchewan, and Manitoba. Third-party cybersecurity experts were engaged to assist with containment, remediation, and to conduct a forensic investigation. London Drugs’ phone systems have been restored, but physical stores remain closed.
According to an update from May 2nd, “there is no evidence of any customer databases being compromised”. Additionally, the organization is actively rebuilding infrastructure. While there is no confirmation of customer data theft at this time, London Drugs’ customers are strongly recommended to treat all unexpected emails with a high degree of caution. In the event that email addresses or other personal details were stolen, they may be employed in future attacks against London Drugs’ customers.
Details on the cybersecurity incident are minimal at this time, but based on the limited available information, the eSentire Threat Intelligence team assesses that it is highly probable that London Drugs was impacted by a ransomware attack. The widespread impact across multiple locations and services, the weeklong outages, and the requirement to rebuild networks all indicate that ransomware is the most likely cause of the disruption. Alternatively, it is possible that wiper malware was deployed or that a disgruntled insider caused the outage; however, these scenarios are significantly less common than ransomware.
It is critical that corporate networks are properly segmented to limit the spread of malware. Flat networks are simple to traverse after initial access and elevated privileges have been achieved. By ensuring corporate networks are segmented, lateral movement will be severely limited, minimizing the overall impact of an incident.
London Drugs continues to provide updates on the incident via their website, and additional information will likely be released over the following weeks. While there are no required actions for London Drugs customers at this time, they are recommended to regularly review for new information, such as the theft of data.
While the immediate consequences of this attack are clear, such as impacted sales and remediation costs, major attacks may also lead to reputational damage and a decrease in customer trust.
Bottom Line: Immediate action is needed to secure Operational Technology (OT) systems against simplistic but potentially impactful cyber threats from pro-Russia hacktivists, emphasizing the importance of robust cybersecurity measures to safeguard critical infrastructure.
On May 1st, the Cybersecurity and Infrastructure Security Agency (CISA) alongside the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) released a fact sheet aimed at mitigating the continued threats against Operational Technology (OT) posed by pro-Russia hacktivists. The guidance highlights ongoing, potentially disruptive cyber activities aimed at manipulating Industrial Control Systems (ICS) in North America and Europe. CISA and partners encourage the strengthening of security measures including enhancing password security, limiting internet exposure of OT systems, and implementing Multi-Factor Authentication (MFA).
Since 2022, pro-Russia hacktivists have targeted OT systems, leveraging social media to exaggerate their impact. Despite these claims, this activity has caused limited disruption to operations. However, CISA and partners have identified that these actors do pose a physical threat against insecure and misconfigured OT environments. The threat actors typically compromise Internet-exposed ICS, using methods like default password exploitation and remote access software vulnerabilities. Targeted sectors include Water and Wastewater Systems, Dams, Energy, and Food and Agriculture. Organizations should focus on hardening access controls to OT devices, such as Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs). Specific measures recommended include changing default passwords, updating systems, restricting OT network exposure to the internet, and implementing MFA for all access to the OT network.
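The four measures listed above (no default passwords, current software, no internet exposure, MFA for all OT access) can be checked mechanically against an asset inventory. The script below is an example added to this briefing, not CISA's or eSentire's tooling: it reads a constructed CSV inventory of PLCs and HMIs and emits prioritised findings for each device that falls short of a measure. The enclave address ranges, the placeholder default-password list, the firmware-age threshold and the audit date are all assumptions chosen so the example is reproducible.

```python
"""Audit an OT asset inventory against the fact sheet's mitigations: default
passwords, internet/enclave exposure, MFA and outdated software.
Added example, not CISA's or eSentire's tooling; the inventory format,
enclave ranges, default-password list and devices below are constructed."""
import csv
import io
import ipaddress
from datetime import date

OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]     # assumed OT enclave ranges
DEFAULT_PASSWORDS = {"admin", "password", "1234", "default"}  # placeholder list
MAX_FIRMWARE_AGE_DAYS = 730                              # assumed "outdated" threshold
AUDIT_DATE = date(2024, 5, 3)                            # fixed so results are reproducible
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed inventory; management IPs outside the enclave ranges are treated
# as potentially internet-reachable until proven otherwise.
INVENTORY_CSV = """\
asset,type,mgmt_ip,password,mfa,firmware_date,remote_access
PLC-01,PLC,203.0.113.15,admin,no,2019-03-01,vnc
HMI-02,HMI,10.20.30.5,Tr0ub4dor&3,no,2023-11-12,none
PLC-03,PLC,10.20.31.8,S3cur3!Pass,yes,2024-01-20,none
HMI-04,HMI,198.51.100.22,1234,no,2021-06-30,rdp
"""


def in_ot_enclave(ip_text: str) -> bool:
    """True when the management address sits inside a declared OT enclave range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in OT_NETWORKS)


def audit_asset(row: dict) -> list:
    """Apply each mitigation check to one inventory row and return its findings."""
    findings = []
    if not in_ot_enclave(row["mgmt_ip"]):
        findings.append(("critical", f"management IP {row['mgmt_ip']} is outside the OT "
                                     "enclave; confirm it is not internet-reachable"))
    if row["password"].strip().lower() in DEFAULT_PASSWORDS:
        findings.append(("critical", "default or trivial password in use; change it immediately"))
    if row["mfa"].strip().lower() != "yes":
        findings.append(("high", "MFA not enforced for access to this device"))
    if row["remote_access"].strip().lower() != "none":
        findings.append(("high", f"remote access software '{row['remote_access']}' enabled; "
                                 "restrict to VPN/jump host and keep patched"))
    age_days = (AUDIT_DATE - date.fromisoformat(row["firmware_date"])).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("medium", f"firmware {age_days} days old; apply vendor updates"))
    return [{"asset": row["asset"], "type": row["type"], "severity": sev, "finding": text}
            for sev, text in findings]


def audit_inventory(csv_text: str) -> list:
    """Audit every row of a CSV inventory; most severe findings first, then by asset."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [f for row in rows for f in audit_asset(row)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["asset"]))


def summarize(findings: list) -> dict:
    """Count findings per severity level."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV)
    for f in results:
        print(f"[{f['severity'].upper():8}] {f['asset']} ({f['type']}): {f['finding']}")
    print("summary:", summarize(results))
```

In the constructed inventory only PLC-03 passes every check; the two devices with management addresses outside the enclave also carry default passwords and remote-access software, which is the combination the fact sheet describes being exploited. A real run would replace the placeholder password list with the vendor-documented defaults for each product and the enclave ranges with the organisation's own.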
Operational Technology (OT) systems form the backbone of critical infrastructure across multiple sectors including energy, water treatment, and agriculture. Recent trends have shown a significant increase in cyberattacks targeting these systems, particularly by pro-Russia hacktivist groups.
The vulnerabilities in OT systems that are most often exploited include the use of default or weak passwords and outdated software. These vulnerabilities provide easy access points for attackers to disrupt critical operations. The potential impact of such attacks is profound and could result in operational downtime, financial losses, and risks to human safety. For instance, a successful attack on a water treatment facility could lead to unsafe water control measures, posing immediate health risks to the population served.
Education and training of personnel working in OT environments is another critical aspect of cybersecurity. Many cybersecurity breaches are the result of human error, which can be mitigated through regular training and awareness programs. Building a strong culture of cybersecurity within organizations goes a long way in defending against cyber threats.
The ongoing threat emphasizes the need for comprehensive cybersecurity practices across all critical infrastructure sectors. Organizations are urged to adopt CISA’s Cross-Sector Cybersecurity Performance Goals, which aim to bolster defenses, ensuring continuity of operations and the protection of essential services across all affected sectors.
APT44, previously known as Sandworm, is a prolific Russian state-backed threat group that has been attributed to a unit within the Main Intelligence Directorate (GRU) of the Russian military. One of the most critical aspects of APT44’s activities is its focus on OT systems. The group has been implicated in several high-profile attacks that specifically targeted these systems to either disrupt services or gather intelligence that could be used to support kinetic military operations. APT44 operates under the guise of various hacktivist personas, blending state-sponsored cyber activities with the outward appearance of grassroots hacktivist initiatives. This strategy serves multiple purposes as it obscures the direct involvement of Russian state actors, complicates attribution efforts, and fosters a narrative of decentralized cyber resistance aligned with Russian interests.
eSentire’s Threat Intelligence team discussed recent APT44 activity in April 19th’s edition of the Weekly Threat Briefing.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.