Microsoft Researchers Link Turkish Spy Group to Output Messenger Zero-Day Hack

Turkish-linked cyber spies used a zero-day exploit in a popular chat application to target Kurdish military operations in Iraq, Microsoft Threat Intelligence reported Monday.
Microsoft’s cybersecurity research arm said the threat actor tracked as “Marbled Dust” exploited a vulnerability in unpatched installations of the Output Messenger Server Manager application, using already-obtained user accounts, which allowed the group to collect user data from targets in Iraq. Researchers said Marbled Dust likely conducted reconnaissance to confirm Kurdish military use of the app before launching the attack.
Marbled Dust is a Turkish-affiliated espionage group that typically targets organizations in Europe and the Middle East, according to the report. The group has previously scanned for known vulnerabilities in internet-facing systems and exploited them to gain initial access, then used compromised DNS registries or registrars to intercept traffic and harvest credentials from government organizations.
The group typically focuses its cyberespionage campaigns against “government institutions and organizations that likely represent counter interests to the Turkish government,” according to the report, along with targets in the telecommunications and IT sectors.
Researchers said the attack signals a notable shift in Marbled Dust’s capabilities, even as the group maintains its typical tactics. The successful use of a zero-day exploit potentially points to greater technical sophistication and could also indicate heightened targeting priorities or more urgent operational goals, according to the report.
The attack chain begins with the group accessing the Output Messenger Server Manager as an authenticated user, then exploiting the vulnerability to drop malicious files into the server’s startup directory. It remains unclear how Marbled Dust gained authentication in each case, though Microsoft believes the group likely used tactics from previous campaigns such as DNS hijacking or typo-squatted domains to intercept and reuse credentials.
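The report describes the payload landing in the server’s startup directory, which makes that directory a natural place to watch for unexpected files. The following is an added defensive example, not code from Microsoft or from the Output Messenger vendor: it takes a hash baseline of a directory and reports files that were added, removed or modified since the baseline. The actual path of the Output Messenger startup directory is not given on this page, so a temporary directory stands in for it, and the baseline format (relative path mapped to SHA-256) is an illustrative choice.

```python
"""Baseline drift audit for a startup directory (added example; assumptions noted in comments)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory: Path) -> dict[str, str]:
    """Map every regular file under `directory` (recursively) to its SHA-256 digest."""
    result: dict[str, str] = {}
    for entry in sorted(directory.rglob("*")):
        if entry.is_file():
            result[str(entry.relative_to(directory))] = hash_file(entry)
    return result


def audit(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a trusted baseline to the current state and report the drift.

    'added' is the signal most relevant to a file-drop into a startup directory;
    'modified' catches an existing launcher being edited to start a new binary.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline if name in current and baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a constructed sample startup directory, baseline it, then simulate a drop.

    The file names and contents below are constructed for the example; they are not
    indicators from the report.
    """
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)  # assumption: stands in for the real startup directory
        (startup / "launcher.cmd").write_text("start OutputMessengerServer.exe\n")
        baseline = snapshot(startup)  # taken while the directory is known-good

        # Constructed drift: a new binary appears and the launcher is altered to run it.
        (startup / "update.exe").write_bytes(b"MZ\x90\x00constructed-sample")
        (startup / "launcher.cmd").write_text(
            "start OutputMessengerServer.exe\nstart update.exe\n"
        )
        return audit(baseline, snapshot(startup))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and the audit scheduled, so that any entry under `added` or `modified` in a directory that should only change during patching becomes an alert rather than something discovered after exfiltration.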
In at least one case, a victim’s device running Output Messenger was observed connecting to a Marbled Dust-linked IP address for data exfiltration, coinciding with commands to archive files on the desktop. Microsoft urged organizations to patch Output Messenger, strengthen endpoint protection and apply cloud-based defenses to block credential theft and malware delivery.