Microsoft said that an Iranian threat actor has successfully compromised attendees of two global conferences – including ambassadors and senior policy experts – in an effort to steal their email credentials.

The two conferences targeted are the Munich Security Conference, slated for Feb. 19 to 21, 2021, and the Think 20 (T20) Summit in Saudi Arabia, taking place Oct. 31 to Nov. 1, 2020. Both conferences are being held mostly virtually this year, and both are longstanding, well-respected venues for discussing global and regional security policy, among other topics.

Microsoft linked the attack, which targeted more than 100 conference attendees, to Phosphorus, which it said is operating from Iran. The group – also known as APT 35, Charming Kitten and Ajax Security Team – has been known to use phishing as an attack vector.

“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” wrote Tom Burt, corporate vice president, Customer Security and Trust at Microsoft, in a post outlining the plots on Wednesday. “The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”

Burt said the attackers have been sending possible attendees spoofed invitations by email. These emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations, he said. They purport to help assuage fears of travel during the Covid-19 pandemic by offering remote sessions.

The emails come from fake conference organizers using the email addresses t20saudiarabia[@]outlook.sa, t20saudiarabia[@]gmail.com and munichconference[@]outlook.com.

The attack vector. Credit: Microsoft

If the target accepts the invitation, they are then asked to send a picture of themselves and a bio. That request arrives in an attached password-protected PDF containing a short link. The link leads to one of several known credential-harvesting pages, designed to trick targets into handing over their email account credentials via a fake account login page. Malicious domains include de-ma[.]online, g20saudi.000webhostapp[.]com and ksat20.000webhostapp[.]com.

The attackers use those credentials to log into the victims’ mailboxes, where they can gather further sensitive information and launch additional attacks.
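As an added, defender-side illustration that is not part of the article or of Microsoft's report: a small Python triage routine that checks exported mail records against the indicators quoted above. The free-mail and free-hosting heuristics, and the assumption that short links have already been expanded by an upstream step, are assumptions of this example, not claims from the article.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators quoted in the article (defanged there; refanged here for matching).
SENDER_IOCS = {"t20saudiarabia@outlook.sa", "t20saudiarabia@gmail.com",
               "munichconference@outlook.com"}
HOST_IOCS = {"de-ma.online", "g20saudi.000webhostapp.com",
             "ksat20.000webhostapp.com"}
# Heuristics (assumptions for this example, not from the article): genuine
# organisers would not mail from consumer free-mail domains, and credential
# pages on free hosting deserve a look even when the exact host is new.
FREE_MAIL = {"outlook.com", "outlook.sa", "gmail.com"}
THEME_WORDS = ("t20", "munich", "conference")
FREE_HOSTING_SUFFIX = ".000webhostapp.com"

@dataclass
class Message:
    sender: str
    attachments: list   # (filename, password_protected)
    urls: list          # links assumed already expanded by an unshortening step

def triage(msg: Message) -> list:
    """Return the reasons a message matches the campaign's tradecraft (empty if none)."""
    reasons = []
    sender = msg.sender.lower()
    local, _, domain = sender.partition("@")
    if sender in SENDER_IOCS:
        reasons.append("sender is a known campaign address")
    elif domain in FREE_MAIL and any(w in local for w in THEME_WORDS):
        reasons.append("conference-themed sender on a free-mail domain")
    for name, protected in msg.attachments:
        if protected and name.lower().endswith(".pdf"):
            reasons.append(f"password-protected PDF attachment ({name})")
    for url in msg.urls:
        host = (urlparse(url).hostname or "").lower()
        if host in HOST_IOCS:
            reasons.append(f"link to known credential-harvesting host ({host})")
        elif host.endswith(FREE_HOSTING_SUFFIX):
            reasons.append(f"link to free-hosting site ({host})")
    return reasons

# Constructed sample mailbox export; these are not real messages.
SAMPLE = [
    Message("T20SaudiArabia@outlook.sa", [("invitation.pdf", True)],
            ["https://ksat20.000webhostapp.com/login"]),
    Message("munich.conference2021@gmail.com", [], ["https://de-ma.online/auth"]),
    Message("colleague@university.example", [("agenda.pdf", False)],
            ["https://www.example.org/schedule"]),
]

def scan(messages) -> dict:
    """Map each flagged sender to its triage reasons; clean messages are omitted."""
    return {m.sender: r for m in messages if (r := triage(m))}
```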

Iran-linked APT Targets T20 Summit, Munich Security Conference Attendees