Iran’s Charming Kitten Strikes Israeli Exchange Servers

September 11, 2023

Over the past two years, Charming Kitten, an Iranian state-backed threat actor, has successfully infiltrated 32 Israeli organizations through unpatched Microsoft Exchange servers, introducing a new backdoor named 'Sponsor' along the way. Charming Kitten, also referred to as TA453, Phosphorus, and Ballistic Bobcat, is a long-standing Advanced Persistent Threat (APT) supported by the Islamic Republic of Iran. The group has historically shown interest in the United States and its Western allies, as well as journalists and activists within Iran. However, its operations are not always geographically or sector-specific.

In its recent campaign, dubbed 'Sponsoring Access' by researchers from ESET, Charming Kitten employed a 'scan-and-exploit' strategy, deploying its new backdoor 'Sponsor' against any organization in Israel, and one each in Brazil and the United Arab Emirates, that were still using unpatched Microsoft Exchange servers. This is not the first time the group has used this approach. In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Iranian state-sponsored hackers exploiting known critical vulnerabilities in Fortinet FortiOS, FortiGate, and Microsoft Exchange.

In August of the same year, ESET noticed Charming Kitten attacking an Israeli organization using CVE-2021-34473, a critical remote code execution (RCE) vulnerability in MS Exchange rated 9.8 on the CVSS scale. Over the following months, Charming Kitten exploited the access provided by CVE-2021-34473 to deliver a series of evolving payloads until it finally settled on its latest backdoor: Sponsor. Sponsor is a fairly conventional backdoor that collects various information about its host and sends it back to a command-and-control (C2) server. It also allows its operator to run commands and download files to a targeted machine.

Since CISA's alert, Charming Kitten has consistently exploited exposed MS Exchange servers to install Sponsor and various open-source tools like Mimikatz and Plink into any outdated Israeli network. By only targeting organizations that neglect to patch their systems, the Sponsoring Access campaign is primarily opportunistic. In 16 out of the 34 cases observed by ESET, Charming Kitten was not the only threat actor with access to the compromised network. As ESET researcher Adam Burgher points out, 'Scan-and-exploit, as opposed to a more highly targeted approach, is something that APTs have been doing to try and increase their access to victims.'

The victims of Charming Kitten's attacks have ranged from a media outlet, a medical law firm, two IT companies, to vendors of skincare products, food, diamonds, and more. The vast majority of the targets were Israeli, with one organization in the UAE and a medical cooperative and health insurance operator in Brazil being the exceptions. Fortunately, as the Sponsoring Access attacks exploit a known, patchable vulnerability, they can be easily thwarted with a simple patch. As Burgher emphasizes, 'Make sure you know what you have that's connected to the internet, patch it, and make sure you've got good audit logs.'

Related News

• ProxyShellMiner Exploits Microsoft Exchange Vulnerabilities

Latest News

• CISA Incorporates Apple Zero-Days Exploited by Pegasus Spyware into its Catalog of Known Exploited Vulnerabilities
• Iranian Hackers Deploy New 'Sponsor' Backdoor Malware Targeting 34 Organizations Globally
• Ransomware Gangs Exploit Cisco VPN Zero-Day Vulnerability
• North Korean Cybercriminals Exploit Zero-Day Vulnerability Targeting Cybersecurity Experts
• Apple Patches Zero-Days Actively Exploited to Deliver Pegasus Spyware