Iran’s APT34 Ramps Up Espionage Using MS Exchange Servers

October 17, 2024

APT34, also known as Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm, is a threat group associated with Iran's Ministry of Intelligence and Security (MOIS). The group is known for its espionage activities targeting high-value entities in major sectors across the Middle East, including oil and gas, finance, chemicals, telecommunications, critical infrastructure, and governments. The group's attacks are sophisticated, employing custom malware and maintaining stealth for extended periods.

Recently, cybersecurity firm Trend Micro has noted a significant increase in APT34's espionage activities, with the UAE government agencies being the primary targets. The group has introduced a new backdoor, 'StealHook,' which exploits Microsoft Exchange servers to steal credentials that are useful for escalating privileges and conducting subsequent supply chain attacks.

The recent APT34 attacks typically start with Web shells deployed to vulnerable Web servers, which allow the attackers to execute PowerShell code and transfer files to and from the compromised server. APT34 uses ngrok, a legitimate reverse proxy software, as a command-and-control (C2) mechanism, enabling them to bypass firewalls and other network security measures, thereby gaining access to a network's Domain Controller. Sergey Shykevich, threat intelligence group manager at Check Point Research, said, "One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks."

APT34 has been exploiting a known vulnerability, CVE-2024-30088, to gain system-level privileges on infected machines. This vulnerability, discovered by Trend Micro's Zero Day Initiative and patched in June, affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022. It received a 'high' severity score of 7 out of 10 in the Common Vulnerability Scoring System (CVSS). Despite the high score, exploiting this vulnerability requires local access to a system and is not straightforward.

APT34 has also been abusing Windows password filters. The group plants a malicious DLL in the Windows system directory and registers it as a legitimate password filter. This allows the group to intercept passwords in plaintext when a user changes their password.

To finalize its attack, APT34 uses its new backdoor, StealHook, to retrieve domain credentials, granting it access to an organization's Microsoft Exchange servers. The backdoor then uses the compromised servers and stolen email accounts to exfiltrate stolen credentials and other sensitive government data via email attachments. Mohamed Fahmy, a cyber threat intelligence researcher at Trend Micro, stated, "The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect."

APT34 has also been known to use its access to one organization to launch subsequent attacks on others associated with it. Fahmy noted that the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one)." This strategy is particularly effective against government agencies, which often have close relationships, enabling the threat actor to exploit this trust.

Related News

• Iran's APT34 Intensifies Cyberattacks Exploiting Windows Flaw

Latest News

• Rise in Zero-Day Exploits: A Growing Threat in 2023
• Critical Vulnerability in Kubernetes Image Builder Allows Root SSH Access to VMs
• North Korean Group ScarCruft Exploits Windows Zero-Day to Disseminate RokRAT Malware
• Sidewinder APT Group Expands Geographic Reach in Latest Cyberattack Spree
• Critical Vulnerability in GitHub Enterprise Server Addressed