It is reported that the Chinese state-linked APT (Advanced Persistent Threat) group known as FamousSparrow conducted a multi-stage cyberattack against one of the companies operating in Azerbaijan’s oil and gas sector.
The Computer Emergency Response Center (Azerbaijan Government CERT) of the Special Communication and Information Security State Service of the Republic of Azerbaijan conducted indicator-based threat intelligence and technical investigations into the identified cyber threat activity.
It was determined that the threat actors gained initial access by exploiting the ProxyShell and ProxyNotShell vulnerabilities affecting the Microsoft Exchange Server platform. Following the compromise, web shells were deployed on the targeted systems to establish persistent access. In subsequent stages, the execution of malicious software identified as Deed RAT and TernDoor was observed through the use of DLL sideloading techniques.
Within the scope of the investigation, security assessments were conducted regarding file hashes, domains, URLs and other indicators of compromise associated with FamousSparrow activities. Potential signs of compromise were evaluated through hash-based analysis, while relevant queries associated with domain indicators were carried out across the “AzStateNet” network infrastructure.
As a result of the implemented response measures, blocking actions were applied against malicious domains associated with the attack activity and the necessary restrictions were enforced across relevant security systems.
In addition, based on the obtained IOCs, the relevant institutions were advised to conduct retrospective and real-time monitoring for the identified indicators, perform indicator-based investigations across the government email service, SIEM, EDR/XDR, firewall, proxy and DNS logs, and carry out additional analysis of Microsoft Exchange infrastructure and authentication records. The institutions were also recommended to investigate suspicious outbound connections and anomalous activity, provide operative information to the relevant authorities if compromise indicators are identified, and conduct investigations related to the domains sentinelonepro[.]com:443 and virusblocker[.]it[.]com:443.
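The retrospective log sweep recommended above can be scripted. The following is an added example, not code from the Center or the advisory: it refangs the two domain indicators quoted in the text and matches them (including any subdomain, excluding look-alike names) against DNS and proxy log lines; the log format and sample lines are constructed for illustration.

```python
import re
from typing import Iterable

# Domain IOCs quoted in the advisory, in the defanged form used there
# (":443" is the destination port noted alongside each domain).
ADVISORY_IOCS = ["sentinelonepro[.]com:443", "virusblocker[.]it[.]com:443"]

def refang(ioc: str) -> str:
    """Turn a defanged 'host[.]tld:port' indicator into a bare lowercase hostname."""
    host = ioc.replace("[.]", ".")
    return host.split(":", 1)[0].lower()  # drop the port

IOC_HOSTS = {refang(i) for i in ADVISORY_IOCS}

# Hostname-like token in a log line (DNS query name, proxy CONNECT target, ...).
# Lookarounds stop the match from starting or ending inside a longer token.
_HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.I)

def matching_hosts(line: str) -> set[str]:
    """Return the IOC hosts a single log line references, exact or as a parent domain."""
    hits = set()
    for host in _HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for ioc in IOC_HOSTS:
            # endswith("." + ioc) catches subdomains but not look-alikes
            # such as notsentinelonepro.com
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits

def scan_logs(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Scan log lines; return (line_number, ioc, line) for every hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for ioc in sorted(matching_hosts(line)):
            findings.append((n, ioc, line.strip()))
    return findings

# Constructed sample lines (not from the advisory) in DNS-resolver and proxy formats.
SAMPLE_LOGS = [
    "2025-05-01T10:14:03Z dns client=10.20.1.15 query=SentinelOnePro.com type=A",
    "2025-05-01T10:14:05Z proxy src=10.20.1.15 dst=api.virusblocker.it.com:443 method=CONNECT",
    "2025-05-01T10:15:00Z proxy src=10.20.1.16 dst=update.microsoft.com:443 method=CONNECT",
    "2025-05-01T10:16:22Z dns client=10.20.1.17 query=notsentinelonepro.com type=A",
]

if __name__ == "__main__":
    for n, ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: matched {ioc}: {line}")
```

Feed exported DNS, proxy or firewall lines to `scan_logs` in place of `SAMPLE_LOGS`; a hit is a lead for the outbound-connection review, not proof of compromise on its own.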
The Center continues monitoring and threat intelligence activities aimed at protecting critical information infrastructures against cyber threats, ensuring the timely detection of potential attack activities and implementing preventive security measures.