Iran's Charming Kitten Pounces on Israeli Exchange Servers

In the last two years, an Iranian state-backed threat actor has breached 32 Israeli organizations running unpatched Microsoft Exchange servers, deploying a new backdoor along the way.

Charming Kitten — also known as TA453, Phosphorus, and Ballistic Bobcat — is a decade-plus-old APT sponsored by the Islamic Republic of Iran. Historically, the group has taken a particular interest in the United States and its benefactor's bête noire to the West, as well as individual journalists and activists within its own borders.

However, it doesn't always limit itself to certain geographic regions or sectors. In its latest campaign, which researchers from ESET are calling "Sponsoring Access," Charming Kitten took a so-called "scan-and-exploit" approach, deploying its new backdoor "Sponsor" against seemingly any organization in Israel (plus one in Brazil and another in the United Arab Emirates) still running unpatched Microsoft Exchange servers. And it's not the first time it's taken such an approach.

Iran vs. Israel, via Microsoft Exchange

In November 2021, CISA warned of Iranian state-sponsored hackers exploiting known critical vulnerabilities in Fortinet FortiOS and FortiGate, and Microsoft Exchange.

In one case that August, for instance, ESET observed Charming Kitten attack an Israeli organization via CVE-2021-34473 a 9.8 CVSS-rated critical remote code execution (RCE) vulnerability in MS Exchange. In the months that followed, Charming Kitten used the access afforded by CVE-2021-34473 to drop a series of evolving payloads until, in December, it settled on its latest backdoor: Sponsor.

Sponsor is a largely conventional backdoor that gathers various information about its host and sends it back to a command-and-control (C2) server. It also enables its proprietor to run commands and download files to a targeted machine.

In the last couple of years since CISA's notice, Charming Kitten has returned to this same well over and over, taking advantage of exposed MS Exchange servers to drop Sponsor — as well as any number of open source tools, like Mimikatz and Plink, a command line tool — into any outdated Israeli network.

A Widespread APT Cyber Campaign

By targeting only delinquent patchers, Sponsoring Access is above all an opportunistic campaign. This is perhaps best highlighted by one remarkable fact: In 16 of the 34 cases observed by ESET, Charming Kitten was not the only threat actor with access to the compromised network.

Scan-and-exploit, as opposed to a more highly targeted approach, "is something that APTs have been doing to try and increase their access to victims," says ESET researcher Adam Burgher, adding that "perhaps others are not as widespread as this campaign."

Charming Kitten's victims have included a media outlet, a medical law firm, two IT companies, vendors for skin-care products, food, diamonds, and more. The overwhelming majority of targets were Israeli — though, strangely, two were not: one unidentified organization in the UAE, and a medical cooperative and health insurance operator in Brazil.

Luckily, because Sponsoring Access attacks take advantage of a known, fixable vulnerability, they're also easy to fend off with a simple patch.

"It's things that I would tell any corporate entity or any entity that has assets connected to the internet," Burgher emphasizes. "Make sure you know what you have that's connected to the internet, patch it, and make sure you've got good audit logs."