The Phosphorus APT has launched successful attacks against world leaders who are attending the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia, Microsoft warns.
Microsoft said that an Iranian threat actor has successfully compromised attendees of two global conferences – including ambassadors and senior policy experts – in an effort to steal their email credentials.
The two conferences targeted include the Munich Security Conference, slated for Feb. 19 to 21, 2021, and the Think 20 (T20) Summit in Saudi Arabia, taking place Oct. 31 to Nov. 1, 2020. Both conferences are majority virtual this year, and both are longstanding and well-respected venues to discuss global and regional security policies, among other things.
Microsoft linked the attack, which targeted more than 100 conference attendees, to Phosphorus, which it said is operating from Iran. The group – also known as APT 35, Charming Kitten and Ajax Security Team – has been known to use phishing as an attack vector.
“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” wrote Tom Burt, corporate vice president, Customer Security and Trust at Microsoft, in a post outlining the plots on Wednesday. “The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”
Burt said the attackers have been sending possible attendees spoofed invitations by email. These emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations, he said. They purport to help assuage fears of travel during the Covid-19 pandemic by offering remote sessions.
The emails come from fake conference organizers using the email addresses t20saudiarabia[@]outlook.sa, t20saudiarabia[@]gmail.com and munichconference[@]outlook.com.
[Image: The attack vector. Credit: Microsoft]
If the target accepts the invitation, the target is then asked to send a picture of themselves and a bio. The attacker’s request is embedded in an attached password-protected PDF and comes in the form of a short link (inside the PDF). The link leads to one of several known credential-harvesting pages meant to trick targets into handing over their email account credentials via a fake account login page. Malicious domains include de-ma[.]online, g20saudi.000webhostapp[.]com and ksat20.000webhostapp[.]com.
The attackers use those credentials to log into the victims’ mailboxes, where they can then gather further sensitive information and launch more malicious attacks.
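As an added defensive example (not code from Microsoft or from the article), the following Python triages mail records against the spoofed organizer addresses and credential-harvesting domains named above and flags the password-protected PDF used as the lure carrier; the message records are constructed sample data, and the `assess_message` function and record layout are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article, kept in their defanged form.
SPOOFED_SENDERS = [
    "t20saudiarabia[@]outlook.sa",
    "t20saudiarabia[@]gmail.com",
    "munichconference[@]outlook.com",
]
HARVESTING_DOMAINS = [
    "de-ma[.]online",
    "g20saudi.000webhostapp[.]com",
    "ksat20.000webhostapp[.]com",
]

def refang(indicator):
    """Turn a defanged indicator ('[.]', '[@]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http").lower()

SENDERS = {refang(s) for s in SPOOFED_SENDERS}
DOMAINS = {refang(d) for d in HARVESTING_DOMAINS}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def is_harvesting_host(url):
    """True if the URL's host is, or is a subdomain of, one of the listed domains."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def assess_message(msg):
    """Return the findings for one message record (dict with from, body, attachments)."""
    findings = []
    if msg.get("from", "").lower() in SENDERS:
        findings.append("sender is a known spoofed organizer address")
    # The article says the PDF carries a short link; match on the resolved destination.
    for url in URL_RE.findall(msg.get("body", "")):
        if is_harvesting_host(url):
            findings.append("link to known credential-harvesting domain")
    for att in msg.get("attachments", []):
        if att.get("type") == "pdf" and att.get("password_protected"):
            findings.append("password-protected PDF attachment (lure carrier)")
    return findings

# Constructed sample records, not real mail; the first mimics the chain described above.
SAMPLE_MESSAGES = [
    {"from": "t20saudiarabia@outlook.sa",
     "body": "Thank you for accepting. Send your photo and bio at https://ksat20.000webhostapp.com/login",
     "attachments": [{"name": "T20_invite.pdf", "type": "pdf", "password_protected": True}]},
    {"from": "colleague@example.org",
     "body": "Agenda attached, see https://www.example.org/agenda",
     "attachments": [{"name": "agenda.pdf", "type": "pdf", "password_protected": False}]},
]
```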