An Iranian cyberespionage group known for targeting government, defense technology, military, and diplomacy sectors is now impersonating journalists to approach targets via LinkedIn and WhatsApp and infect their devices with malware.
Detailing the new tactics of the “Charming Kitten” APT group, Israeli firm Clearsky said, “starting July 2020, we have identified a new TTP of the group, impersonating ‘Deutsche Welle’ and the ‘Jewish Journal’ using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link.”
This development is the first time the threat actor is said to have carried out a watering hole attack through WhatsApp and LinkedIn, which also includes making phone calls to victims, Clearsky noted in a Thursday analysis.
After the company alerted Deutsche Welle about the impersonation and the watering hole in its website, the German broadcaster confirmed, “the reporter whom Charming Kitten impersonated did not send any emails to the victim nor any other academic researcher in Israel in the past few weeks.”
The watering hole — in this case, a malicious link embedded in the compromised Deutsche Welle domain — delivered the info-stealer malware via WhatsApp, but not before the victims were first approached via tried-and-tested social engineering methods with an intention to lure the academics to speak at an online webinar.
Below is the webinar invitation sent to speakers by the Iranian hackers:
What is a Watering Hole Attack:
A watering hole attack compromises a website that the intended victims are known to visit and uses it to deliver malicious links or code to them, exploiting vulnerabilities in their browsers and software to infiltrate their computer systems.
Reduce the Risk of the Watering Hole Attack:
• Update your software and browsers regularly.
• Frequently check the software developer’s website for any security patches.
• Engage the professionals of an IT services provider to manage, remediate and keep your systems up to date.
Watch your network closely:
• Regularly conduct security checks using your network security tools to try and detect suspicious and malicious network activities.
• Observe and monitor user behavior and detect abnormalities that could indicate an attack, such as large transfers of information or a high number of downloads.
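The monitoring advice above can be made concrete. The following Python script is an added example and not part of the original article: it parses constructed proxy log lines (the log format, hostnames and user names are assumptions for this example) and flags any user whose outbound byte volume or document-download count is far above the population median, which is the kind of abnormality the advice refers to.

```python
"""Flag users whose outbound data volume or download count stands out
from the rest of the population, using proxy log lines.
All log lines below are constructed for this example."""
from collections import defaultdict
from statistics import median

# Constructed proxy log lines (assumed format):
# <timestamp> <user> <method> <url> <bytes_out> <bytes_in>
SAMPLE_LOG = """\
2020-08-27T09:00:01 alice GET https://intranet.example/home 512 20480
2020-08-27T09:02:14 alice GET https://intranet.example/report.pdf 420 310000
2020-08-27T09:01:10 bob GET https://intranet.example/home 480 19800
2020-08-27T09:05:33 bob GET https://intranet.example/policy.docx 450 88000
2020-08-27T09:03:22 carol GET https://news.example/ 600 45000
2020-08-27T09:09:10 carol GET https://intranet.example/slides.pptx 470 2100000
2020-08-27T09:10:05 dave GET https://intranet.example/home 500 20480
2020-08-27T09:12:40 dave POST https://files.example/upload 26214400 300
2020-08-27T09:18:02 dave POST https://files.example/upload 26214400 300
2020-08-27T09:20:00 erin GET https://intranet.example/a.pdf 400 100000
2020-08-27T09:20:07 erin GET https://intranet.example/b.pdf 400 120000
2020-08-27T09:20:15 erin GET https://intranet.example/c.docx 400 90000
2020-08-27T09:20:21 erin GET https://intranet.example/d.xlsx 400 70000
2020-08-27T09:20:30 erin GET https://intranet.example/e.pptx 400 900000
2020-08-27T09:20:38 erin GET https://intranet.example/f.zip 400 4000000
2020-08-27T09:20:45 erin GET https://intranet.example/g.pdf 400 110000
2020-08-27T09:20:52 erin GET https://intranet.example/h.docx 400 95000
"""

# File types counted as "downloads" (an assumption; tune for your environment)
DOWNLOAD_EXTENSIONS = (".pdf", ".docx", ".pptx", ".xlsx", ".zip", ".exe")


def parse_log(text):
    """Yield (user, method, url, bytes_out, bytes_in); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, user, method, url, out, inn = parts
        try:
            yield user, method, url, int(out), int(inn)
        except ValueError:
            continue


def per_user_stats(records):
    """Aggregate total bytes sent and document downloads per user."""
    stats = defaultdict(lambda: {"bytes_out": 0, "downloads": 0})
    for user, method, url, out, _inn in records:
        stats[user]["bytes_out"] += out
        path = url.split("?", 1)[0].lower()
        if method == "GET" and path.endswith(DOWNLOAD_EXTENSIONS):
            stats[user]["downloads"] += 1
    return dict(stats)


def find_outliers(stats, factor=5, min_bytes_out=10_000_000, min_downloads=5):
    """Flag a user when a metric exceeds both an absolute floor and
    `factor` times the population median, so a single busy user on a
    quiet day is not flagged merely for being the largest."""
    alerts = []
    for metric, floor in (("bytes_out", min_bytes_out), ("downloads", min_downloads)):
        values = [s[metric] for s in stats.values()]
        if not values:
            continue
        baseline = median(values)
        for user, s in sorted(stats.items()):
            if s[metric] >= floor and s[metric] > factor * baseline:
                alerts.append((user, metric, s[metric], baseline))
    return alerts


def analyse(text=SAMPLE_LOG):
    """Run the whole pipeline over a log text and return the alert list."""
    return find_outliers(per_user_stats(parse_log(text)))


if __name__ == "__main__":
    for user, metric, value, baseline in analyse():
        print(f"ALERT {user}: {metric}={value} (population median {baseline})")
```

With the constructed sample, dave is flagged for sending roughly 50 MB in two POST uploads while everyone else sends a few kilobytes, and erin is flagged for eight document downloads against a median of one; the absolute floors keep a normal user from being flagged just for being slightly above the median.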
Hide your online activities:
• Cybercriminals can create more effective watering hole attacks if they compromise websites you patronize, therefore, hide your online activities with a VPN and your browser’s private browsing feature.
• Block social media sites from your office network, as these are often used as share points of links to infected sites.
Stay Informed:
• Train staff regularly on the risks and vulnerabilities. Cyber threats continue to evolve, so users must always be vigilant and aware of the newest threats.