Iranian hacker group spies on companies

September 11, 2023

Ballistic Bobcat deploys new backdoor “Sponsor” against unpatched networks

The highly dangerous hacker group Ballistic Bobcat, which originated in Iran, has been attacking organisations in various industries in several countries since September 2021. The majority of the 34 affected businesses are located in Israel, but also in Brazil and the United Arab Emirates. The criminals’ goal: to hijack valuable data in the industrial, financial, media, healthcare and telecommunications sectors. They are using a new backdoor called Sponsor, which was discovered by the team led by ESET researcher Adam Burgher.

How Ballistic Bobcat operates

The hacker group’s approach serves as a prime example of why companies should urgently implement vulnerability management. Ballistic Bobcat ran a so-called “scan exploit campaign”, in which companies are automatically analysed on the internet for unpatched vulnerabilities. In this case, it was the long known vulnerability CVE-2021-26855 in Microsoft Exchange Servers. If this gap was open in organisations, hackers had a foot in the door and could install further malware. As ESET telemetry shows, this has been in use since September 2021.
Adam Burgher assumes that this was not a targeted campaign, but a broadly distributed attack. There are hardly any commonalities among the victims apart from the security vulnerability. Moreover, some organisations did not even possess any worthwhile information for hackers.
Another interesting fact is that Ballistic Bobcat was not the only attacker in the network of almost half of the affected companies. ESET found evidence that other hacker groups had previously exploited the vulnerability for their own purposes.
“Ballistic Bobcat uses a diverse, open-source toolset. This includes a number of custom applications, including Sponsor. Businesses would be well advised to patch all devices with internet access and watch out for new applications appearing in their organisations,” advises Burgher.

Hacking group has been active for some time

Ballistic Bobcat, also known as APT35/APT42 (“Charming Kitten” or PHOSPHORUS), has targeted education, government and health organisations as well as human rights activists and journalists in the past. During the pandemic, organisations that dealt with COVID-19, including the World Health Organisation and Gilead Pharmaceuticals, as well as medical research workers, were particularly targeted.
For more technical information about Ballistic Bobcat and its sponsorship access campaign, see the blog post “Sponsor with whiskers: Ballistic Bobcat’s Scan and Strike Backdoor” on WeLiveSecurity . You can read more about patch management in the ESET blog “The renaissance of patch management”.

Related Articles

Infineon: Roadmap for power supply units in AI data centers

Infineon: Roadmap for power supply units in AI data centers

Artificial intelligence leads to increasing energy demand of data centers worldwide Infineon’s new Power Supply Units (PSU) strengthen its leading position in AI power supply based on Si, SiC and GaN Operators of AI data centers benefit from the world's first 12 kW...

SITA unveils latest evolution in total airport management

SITA unveils latest evolution in total airport management

Launch of the new AI-powered platform follows a successful demonstration in 2023 with Canada’s Greater Toronto Airports Authority SITA, a leading technology company in the air transport industry, has launched its trailblazing airport management tool, the SITA Airport...

Share This