
Security alert: sophisticated phishing campaign hits Italy

An in-depth analysis reveals the advanced techniques of a cyber attack linked to Iranian entities, alarming Italian companies

In Italy, a sophisticated phishing campaign, possibly of Iranian origin, is targeting businesses with deceptive emails that carry a malicious link. Advanced techniques such as Persistent XSS are used to steal personal data, prompting calls for caution and for security updates.

In Italy, considerable malicious activity has been recorded through a particularly sophisticated phishing campaign, allegedly of Iranian origin. The attack, aimed primarily at local businesses, uses advanced techniques to bypass common security controls. The experts of the Red Hot Cyber team, including professionals who wish to remain anonymous, as well as the well-known penetration tester Davide Cavallini, have examined the distinctive elements of this campaign. The emails appear harmless and are written in impeccable Italian, but they hide a malicious link framed as an urgent request, so that victims click without realising it.

Technical analysis reveals the trap

Digging deeper, the analysts, alerted by an anomalous redirect performed through JavaScript, found that the campaign relied on an advanced technique identified as Persistent XSS. The landing page reached through this manipulation was a forged document posing as a password-protected order. The injection specifically exploits a vulnerability reported as CVE-2023-6000 in the Popup Builder WordPress plugin. The personal data entered by victims was sent, without their knowledge, to a WordPress server in Iran, pointing to the possible involvement of Iranian actors in orchestrating the attack.

Protection from online dangers: practical advice

Faced with such threats, it is essential to take preventive measures to safeguard your online security. For end users, ongoing training is recommended so that they can recognise suspicious emails and links; using up-to-date antivirus and anti-malware solutions is also crucial. Website owners, for their part, must keep their systems, including plugins and libraries, up to date, so that known vulnerabilities are closed before they can be exploited.

Potential involvement of APT MuddyWater

Following the shared analysis, and thanks to collaboration within the cybersecurity sector, the suspicion has arisen that MuddyWater, a well-known Iranian APT group, may be behind this phishing campaign. The group, active since 2017, is known for cyber espionage and has already shown interest in targets not only in the Middle East but also in other regions. It will be essential to keep monitoring the development of this campaign and, where necessary, adopt new defensive measures against these increasingly sophisticated threats.


03/30/2024 14:18

Marco Verro
