APT34 Hackers Use Port 8080 for Fake 404 Responses and Shared SSH Keys

Summary: Researchers have identified potential malicious infrastructure tied to the Iranian threat group APT34, targeting various sectors through impersonation of organizations. This infrastructure, operated primarily on M247 Europe SRL servers, employs tactics such as SSH key reuse and deceptive HTTP responses to mask its intentions. These indicators provide crucial insights for cybersecurity defenders to proactively monitor and disrupt future operations.

Affected: APT34, potentially targeted sectors (education, government, energy, telecom, NGOs)

Key points:

  • DNS operations revealed domains impersonating both an Iraqi academic organization and fictitious UK technology firms.
  • Static “404 Not Found” pages and thematic domain naming patterns are consistent with APT34’s previous campaigns.
  • Shared SSH keys and consistent infrastructure characteristics across multiple domains provide a detectable signature for monitoring.
  • No active payloads were found, but the setup of infrastructure indicates careful pre-operational planning by the adversary.
  • Identifying these staging techniques allows defenders to transition from reactive measures to proactive disruption of potential attacks.
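Added illustration of the defensive pivot the key points describe (not code from the article or the researchers): group scan records by SSH host-key fingerprint and by the hash of the page served on port 8080, so that hosts sharing a key and an identical fake 404 body surface as one cluster. The IPs, fingerprints and page bodies are constructed placeholders.

```python
"""Cluster constructed scan records by shared SSH host key and identical
static 404 body on port 8080. All records below are constructed."""
import hashlib
from collections import defaultdict

# Constructed scan records (placeholder IPs, hypothetical key fingerprints/bodies)
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "ssh_fp": "SHA256:key-A", "http_8080": (404, "<html>404 Not Found</html>")},
    {"ip": "203.0.113.11", "ssh_fp": "SHA256:key-A", "http_8080": (404, "<html>404 Not Found</html>")},
    {"ip": "203.0.113.12", "ssh_fp": "SHA256:key-B", "http_8080": (200, "<html>Welcome</html>")},
    {"ip": "203.0.113.13", "ssh_fp": "SHA256:key-A", "http_8080": (404, "<html>404 Not Found</html>")},
    {"ip": "203.0.113.14", "ssh_fp": "SHA256:key-C", "http_8080": (404, "<html><h1>Not Found</h1></html>")},
]


def body_hash(body: str) -> str:
    """Stable hash of a response body so byte-identical pages group together."""
    return hashlib.sha256(body.strip().encode()).hexdigest()


def cluster_hosts(records, min_size=2):
    """Return {(ssh_fp, body_hash): [ips]} for groups of at least min_size hosts
    that share an SSH host key AND serve the same 404 body on port 8080."""
    groups = defaultdict(list)
    for r in records:
        status, body = r["http_8080"]
        if status != 404:
            continue  # only the static fake-404 pattern is of interest here
        groups[(r["ssh_fp"], body_hash(body))].append(r["ip"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def shared_key_ips(records, min_size=2):
    """Weaker pivot: hosts sharing an SSH host key regardless of HTTP behaviour."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r["ssh_fp"]].append(r["ip"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_size}


if __name__ == "__main__":
    for (fp, h), ips in cluster_hosts(SCAN_RECORDS).items():
        print(f"SSH {fp} + 404 body {h[:12]}: {', '.join(ips)}")
```

Both pivots are meant to be fed from scan data you already hold; a cluster is a lead for watchlisting, not proof of attribution on its own.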

Source: https://gbhackers.com/apt34-hackers-use-port-8080-for-fake-404-responses/