At a glance.
- Two Iranian cyberespionage campaigns reported this week.
- Redfly cyberespionage targets a national grid.
- Ransomware attacks against MGM Resorts and Caesars Entertainment.
- Access broker's phishing facilitates ransomware.
Two Iranian cyberespionage campaigns reported this week.
ESET reports that the APT they track as Ballistic Bobcat (in other threat actor bestiaries APT35/APT42, Charming Kitten, TA453, or PHOSPHORUS) is currently active against targets in Brazil, Israel, and the United Arab Emirates. The group is using a novel backdoor, tracked as "Sponsor," which uses configuration files stored on disk. "These files," ESET writes, "are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines." Ballistic Bobcat carefully scans for known, unpatched vulnerabilities in target systems and exploits those for initial access. The APT's usual target list includes "education, government, and healthcare organizations, as well as human rights activists and journalists."
Microsoft warns that the Iranian state-sponsored actor Peach Sandstorm (which Microsoft formerly tracked as “HOLMIUM”) has been launching password-spraying campaigns against thousands of organizations since February 2023, with a particular focus on the satellite, defense, and pharmaceutical sectors. The goal of the campaign appears to be espionage. In a small number of cases, the threat actor succeeded in breaching organizations and exfiltrating data. Microsoft says, “The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments.”
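The password-spray pattern Microsoft describes (one source failing against many distinct accounts, then signing in with a credential that worked) can be surfaced from sign-in logs. The following is an added detection example, not code from Microsoft or the report; the log format and thresholds are assumptions.

```python
# Added example (not from the report or Microsoft): heuristic password-spray
# detection over constructed sign-in records. The spray signature is one source
# failing against many distinct accounts with few attempts each; a later success
# from the same source is the "gleaned credential" case Microsoft describes.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value format is an assumption.
SAMPLE_LOG = """\
2023-02-14T09:00:01Z ip=203.0.113.7 user=alice@example.test result=FAILURE
2023-02-14T09:00:04Z ip=203.0.113.7 user=bob@example.test result=FAILURE
2023-02-14T09:00:07Z ip=203.0.113.7 user=carol@example.test result=FAILURE
2023-02-14T09:00:10Z ip=203.0.113.7 user=dave@example.test result=FAILURE
2023-02-14T09:00:13Z ip=203.0.113.7 user=erin@example.test result=FAILURE
2023-02-14T09:04:40Z ip=203.0.113.7 user=erin@example.test result=SUCCESS
2023-02-14T09:01:00Z ip=198.51.100.9 user=frank@example.test result=FAILURE
2023-02-14T09:01:30Z ip=198.51.100.9 user=frank@example.test result=FAILURE
2023-02-14T09:02:00Z ip=198.51.100.9 user=frank@example.test result=SUCCESS
"""

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {"users": n, "later_success": [...]}} for sources whose
    failures reach >= min_users distinct accounts within one window."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    by_ip = defaultdict(list)
    for r in events:
        by_ip[r["ip"]].append(r)
    alerts = {}
    for ip, recs in by_ip.items():
        fails = [r for r in recs if r["result"] == "FAILURE"]
        for i, first in enumerate(fails):
            span = [r for r in fails[i:] if r["ts"] - first["ts"] <= window]
            users = {r["user"] for r in span}
            if len(users) >= min_users:
                # A success from this IP after the spray began is the
                # credential-reuse follow-on that merits escalation.
                later = sorted({r["user"] for r in recs
                                if r["result"] == "SUCCESS" and r["ts"] > first["ts"]})
                alerts[ip] = {"users": len(users), "later_success": later}
                break
    return alerts
```

A single user failing repeatedly (198.51.100.9 above) is brute force or a forgotten password, not a spray, so it is deliberately not flagged; tune `min_users` and `window` to the tenant's normal failure rate.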
Redfly cyberespionage targets a national grid.
Symantec (a Broadcom company) warns that the Redfly threat actor “used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year.” The attack began in February, and the objective appears to be espionage. Symantec notes, “The frequency at which [critical national infrastructure] organizations are being attacked appears to have increased over the past year and is now a source of concern. Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension. While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other regions means they are not outside the bounds of possibility.”
Access broker's phishing facilitates ransomware.