Ballistic Bobcat deploys new backdoor “Sponsor” against unpatched networks
The highly dangerous hacker group Ballistic Bobcat, which originated in Iran, has been attacking organisations in various industries in several countries since September 2021. The majority of the 34 affected businesses are located in Israel, but also in Brazil and the United Arab Emirates. The criminals’ goal: to hijack valuable data in the industrial, financial, media, healthcare and telecommunications sectors. They are using a new backdoor called Sponsor, which was discovered by the team led by ESET researcher Adam Burgher.
How Ballistic Bobcat operates
The hacker group’s approach serves as a prime example of why companies should urgently implement vulnerability management. Ballistic Bobcat ran a so-called “scan exploit campaign”, in which companies are automatically analysed on the internet for unpatched vulnerabilities. In this case, it was the long known vulnerability CVE-2021-26855 in Microsoft Exchange Servers. If this gap was open in organisations, hackers had a foot in the door and could install further malware. As ESET telemetry shows, this has been in use since September 2021.
Adam Burgher assumes that this was not a targeted campaign, but a broadly distributed attack. There are hardly any commonalities among the victims apart from the security vulnerability. Moreover, some organisations did not even possess any worthwhile information for hackers.
Another interesting fact is that Ballistic Bobcat was not the only attacker in the network of almost half of the affected companies. ESET found evidence that other hacker groups had previously exploited the vulnerability for their own purposes.
“Ballistic Bobcat uses a diverse, open-source toolset. This includes a number of custom applications, including Sponsor. Businesses would be well advised to patch all devices with internet access and watch out for new applications appearing in their organisations,” advises Burgher.
Hacking group has been active for some time
Ballistic Bobcat, also known as APT35/APT42 (“Charming Kitten” or PHOSPHORUS), has targeted education, government and health organisations as well as human rights activists and journalists in the past. During the pandemic, organisations that dealt with COVID-19, including the World Health Organisation and Gilead Pharmaceuticals, as well as medical research workers, were particularly targeted.
For more technical information about Ballistic Bobcat and its sponsorship access campaign, see the blog post “Sponsor with whiskers: Ballistic Bobcat’s Scan and Strike Backdoor” on WeLiveSecurity . You can read more about patch management in the ESET blog “The renaissance of patch management”.