Novel Attack Techniques from Threat Actor Targeting Middle East and African Government Orgs

Category: Threat Actor Activity | Industries: Defense, Government | Source: Cortex

A suspected nation-state level threat actor tracked as "CL-STA-0043" is observed to be conducting espionage campaigns against government organizations located in the Middle East and Africa. Palo Alto network's Cortex threat research team shared a report documenting the threat actor's activities and identified their objective as "to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs." The threat actor demonstrates a wide range of capabilities, including the use of zero-day exploits to target Microsoft IIS and Exchange servers, exploitation of accessibility features, utilization of the penetration tool Yasso, and most notably, abuse of either the Exchange Management Shell or PowerShell scripts to exfiltrate Exchange emails and PST files. Typically, in CL-STA-0043's intrusions, the primary method of post-exploitation involves deploying different types of web shells to obtain remote access to the compromised network. Additionally, the threat actor employs various tools, such as the China Chopper webshell and tools from the Potato suite for privilege escalation.

In one documented instance, the threat actor attempted to drop the China Chopper web shell; however, they failed to do so as it was blocked by Cortex XDR. The threat actor then retreated for a few days and returned, where it was found they abused the IIS worker process, w3wp, to launch a CMD process, resulting in the deployment of an in-memory VBscript. After gaining access to the network, Cortex observed the threat actors scoping the network running and deploying reconnaissance tools to identify assets of interest. Once they had a lay of the network, privilege escalation activities commenced with Pototo Suite tools JuicyPotatoNG or SharpEfsPotato. The "Sticky Keys" privilege escalation technique was also demonstrated using sethc.exe. These actions led to the creation of administrative accounts enabling the threat actors to run with elevated privileges.

Credential access was conducted through Mimikatz, registry dumps, manipulating WDigest, and dumping NTDS. However, the threat actor also abused Windows Network Providers to store and dump credentials. Lateral movement activity was seen following credential access, with threat actors leveraging the Yasso penetration testing tool and using modules to conduct an NTLM spray attack. The final stage of the threat actor's activity involved data exfiltration targeting Exchange emails.