Iran-linked APT Targets T20 Summit, Munich Security Conference Attendees

Iran-linked APT Targets T20 Summit, Munich Security Conference Attendees

The Phosphorous APT has launched successful attacks against world leaders who are attending the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia, Microsoft warns.

Microsoft said that an Iranian threat actor has successfully compromised attendees of two global conferences – including ambassadors and senior policy experts – in an effort to steal their email credentials.

The two conferences targeted include the Munich Security Conference, slated for Feb. 19 to 21, 2021 and the Think 20 (T20) Summit in Saudi Arabia, taking place Oct. 31 to Nov. 1 2020. Both conferences are majority virtual this year and are both longstanding and well respected venues to discuss global and regional security policies, among other things.

Microsoft linked the attack, which targeted more than 100 conference attendees, to Phosphorus, which it said is operating from Iran. The group – also known as APT 35, Charming Kitten and Ajax Security Team – has been known to use phishing as an attack vector.

“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” wrote to Tom Burt, corporate vice president, Customer Security and Trust at Microsoft, in post outlining the plots on Wednesday. “The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”

Burt said the attackers have been sending possible attendees spoofed invitations by email. These emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations, he said. They purport to help assuage fears of travel during the Covid-19 pandemic by offering remote sessions.

The emails come from fake conference organizers using the email addresses t20saudiarabia[@]outlook.sa, t20saudiarabia[@]gmail.com and munichconference[@]outlook.com.

microsoft phosphorous cyberattack

The attack vector: Credit: Microsoft

If the target accepts the invitation, the attacker is then asked to send a picture of themselves and bio. The attacker’s request is embedded in an attached password-protected PDF and comes in the form of a short link (inside the PDF). Naturally, the link links to one of several known credential harvesting pages meant to trick targets into handing over their email account credentials via a fake account login page. Malicious domains include de-ma[.]online, g20saudi.000webhostapp[.]com and ksat20.000webhostapp[.]com.

The attackers uses those credentials to log into the victims’ mailbox, where they can then gather further sensitive information and launch more malicious attacks.

“The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries,” Burt wrote.

vulnerabilities web security apt 35 charming kitten microsoft munich security conference phosphorous apt t20 the think 20 summit

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Microsoft Exchange, Outlook Under Siege By APTs

A new threat report shows that APTs are switching up their tactics when exploiting Microsoft services like Exchange and OWA, in order to avoid detection.

Best Custom Web & Mobile App Development Company

Top Web & Mobile Application Development Company in India & USA. We specialize in Golang, Ruby on Rails, Symfony, Laravel PHP, Python, Angular, Mobile Apps, Blockchain, & Chatbots

Grindr's Bug Bounty Pledge Doesn't Translate to Security

At [email protected], Luta Security CEO Katie Moussouris stressed that bug bounty programs aren't a 'silver bullet' for security teams.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw. On this October 2020 Patch Tuesday: Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise.

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs

The most concerning of the disclosed bugs would allow an attacker to take over Microsoft Exchange just by sending an email.