#1
(This post was last modified: 20 June, 2023 - 02:22 PM by RealThreat. Edited 3 times in total.)
[Image: hacker.jpg]


Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques.

"The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs," Lior Rochberger, senior threat researcher at Palo Alto Networks, said in a technical deep dive published last week.

The company's Cortex Threat Research team is tracking the activity under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), describing it as a "true advanced persistent threat."

The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate target networks.

[Image: cmd.jpg]

Another privilege escalation method entails the abuse of accessibility features in Windows, i.e., the "sticky keys" utility (sethc.exe). Methods used to conduct lateral movement and exfiltrate sensitive data include:
  • Using network providers to execute a malicious DLL to harvest and export plaintext passwords to a remote server
  • Leveraging an open-source penetration testing toolset called Yasso to spread across the network, and
  • Taking advantage of the Exchange Management Shell and PowerShell snap-ins to harvest emails of interest

It's worth pointing out that the use of Exchange PowerShell snap-ins to export mailbox data has been previously reported in the case of a Chinese state-sponsored group referred to as Silk Typhoon (formerly Hafnium), which first came to light in March 2021 in connection with the exploitation of Microsoft Exchange Server.

"This activity group's level of sophistication, adaptiveness, and victimology suggest a highly capable APT threat actor, and it is suspected to be a nation-state threat actor," Rochberger said.
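Two of the techniques above leave footprints in well-known Windows locations that a defender can audit: a malicious network provider must be registered under the standard NetworkProvider registry keys, and a sticky-keys backdoor usually means sethc.exe has been replaced or redirected. The script below is an added example written for this post, not code from the article or from Unit 42; it assumes the standard Windows registry paths for network providers and Image File Execution Options, and must run in an elevated PowerShell session.

```powershell
# Added defender-side audit (not from the article): lists registered network
# providers with their DLL path and signature state, and checks whether the
# sethc.exe accessibility binary has been redirected or swapped out.

function Get-NetworkProviderFindings {
    # Providers are enumerated in ProviderOrder; each has a ProviderPath under its service key.
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order = (Get-ItemProperty -Path $orderKey).ProviderOrder
    foreach ($name in ($order -split ',')) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $path = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ProviderPath
        if (-not $path) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($path)
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Provider   = $name
            Path       = $dll
            InSystem32 = $dll -like "$env:SystemRoot\System32\*"
            Signature  = if ($sig) { $sig.Status } else { 'FileMissing' }
        }
    }
}

function Get-StickyKeysFindings {
    # An IFEO Debugger value for sethc.exe launches another program in its place;
    # a swapped binary shows up as a wrong OriginalFilename or a bad signature.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $debugger = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    $sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    [pscustomobject]@{
        IfeoDebugger     = if ($debugger) { $debugger } else { '(none)' }
        OriginalFilename = (Get-Item $sethc).VersionInfo.OriginalFilename
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
    }
}

# Anything outside System32 or without a valid signature deserves a closer look.
Get-NetworkProviderFindings |
    Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
Get-StickyKeysFindings | Format-List
```

Expect every legitimate provider to sit under System32 with a Valid signature, and sethc.exe to report OriginalFilename sethc.exe with no IFEO Debugger set; any deviation is a lead for incident response, not proof of compromise on its own.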