Silent Librarian APT in to lime light

The Silent Librarian campaign has actively targeting students and faculty at universities via spear-phishing campaigns.

The threat group (also known as TA407 and Cobalt Dickens), which operates out of Iran, has been on the prowl since the start of the 2019 school year, launching low-volume, highly-targeted, socially engineered emails that eventually trick victims into handing over their login credentials.

The emails typically masquerade as messages from university library systems or other on-campus divisions.

This APT group is going back to school with a fresh campaign that seems to be targeting institutions globally, Targets stretch across a dozen countries and so far have included: The University of Adelaide in Australia; Glasgow Caledonian, University of Kent, University of York, King’s College London, Cambridge and others in the U.K.; the University of Toronto and McGill in Canada; and Stony Brook University, University of North Texas notably.

The mode of operation remains in place, with Silent Librarian hosting a series of phishing sites that are built to mimic legitimate university domains. For instance, emails purporting to be from the University of Adelaide Library directed victims to a “library.adelaide.crev[dot]me” URL, which is very close to the legitimate “library.adelaide.edu.au” domain of the school.

Many of these have been identified and taken down,though the threat actor has sophisticated and built enough of them to continue with a successful campaign against staff and students

The APT is using the Cloudflare content delivery network to host most of the phishing hostnames, in order to hide the real hosting origin.

Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology . It’s absolute nightmare for IT Admins in schools & University to keep things tight and hold.

Hijacking Firefox

The SSDP engine of the victims’ Firefox browsers can be tricked into triggering an Android intent by simply replacing location of the XML file in the response packets with a specially crafted message pointing to an Android intent URI.

For this, an attacker connected to a targeted Wi-Fi network can run a malicious SSDP server on his/her device and trigger intent-based commands on nearby Android devices through Firefox—without requiring any interaction from the victims.

Activities allowed by the intent also includes automatically launching the browser and open any defined URL, which, according to the researchers, is sufficient to trick victims into providing their credentials, install malicious apps, and other malicious activities based on the surrounding scenarios.

“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control,” Moberly said.

“it could have been used in a way similar to phishing attacks where a malicious site is forced onto the target without their knowledge in the hopes they would enter some sensitive info or agree to install a malicious application.”

Moberly reported this vulnerability to the Firefox team a few weeks back, which the browser maker has now patched in the Firefox for Android versions 80 and later.