Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Iran hackers. Show all posts

Iranian Attackers Exploit Windows Bug to Elevate Privileges

 

The Iranian state-sponsored hacking outfit APT34, dubbed OilRig, has recently escalated its activity by launching new campaigns against government and vital infrastructure entities in the United Arab Emirates and the Gulf area. 

OilRig employed a new backdoor to target Microsoft Exchange servers and steal passwords, as well as exploiting the Windows CVE-2024-30088 vulnerabilities to escalate their privileges on affected devices, according to Trend Micro researchers. In addition to the activity, FOX Kitten, another Iran-based APT outfit involved in ransomware attacks, and OilRig have been linked by Trend Micro. 

The attacks observed by Trend Micro start with the exploitation of an unprotected web server to upload a web shell, enabling the hackers to execute remote code and PowerShell commands. Once the web shell is activated, OilRig uses it to launch additional tools, including a component that exploits the Windows CVE-2024-30088 bug. 

CVE-2024-30088 is a high-severity privilege escalation vulnerability that Microsoft patched in June 2024, allowing attackers to elevate their privileges to the SYSTEM level and gain significant control over the compromised devices. 

Microsoft has identified a proof-of-concept exploit for CVE-2024-30088, although it hasn't yet disclosed on its security portal that the vulnerability is being actively exploited. Furthermore, CISA has not listed it as having been previously exploited in its catalogue of known exploited vulnerabilities.

Following a password change event, OilRig downloads and installs 'ngrok,' a remote monitoring and management application that enables covert communications via secure tunnels. This allows the tool to intercept plaintext credentials. 

The use of on-premise Microsoft Exchange servers by threat actors as a means of credential theft and sensitive data exfiltration through fake, difficult-to-identify email traffic is another novel strategy. 

The exfiltration is accomplished using a new backdoor known as 'StealHook,' and Trend Micro claims that government infrastructure is frequently employed as a pivot point to make the operation appear authentic. 

"The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments," notes Trend Micro in the report. "Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers.”

UK and US Warn of Rising Iranian Spear Phishing Threat

 

The UK’s National Cyber Security Centre (NCSC) collaborated with government agencies across the Atlantic to issue a new alert regarding Iranian cyber-threats last week. 

The security advice, issued in collaboration with the FBI, US Cyber Command - Cyber National Mission Force (CNMF), and the Department of the Treasury (Treasury), claimed that Iran's Islamic Revolutionary Guard Corps (IRGC) was behind the spear phishing attack. 

The campaign is aimed at individuals "with a nexus to Iranian and Middle Eastern affairs," but it is also focused on US political campaigns, with the ultimate goal of expanding its information operations, the advice stated. Current or former top government officials, think tank personnel, journalists, activists, and lobbyists seem to be potential targets. 

Threat actors change their strategies according to the specific target, which could involve impersonating family members, professional contacts, prominent journalists, and/or email providers. The lure may be an interview, an invitation to a conference or embassy event, a speaking engagement, or another political or foreign policy dialogue. 

“The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials,” the report reads. 

“Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error.” 

Prevention tips

The advisory advised readers to be suspicious of unsolicited contact, attempts to send links or files via social media and other online services, email messages flagging alerts for online accounts, emails purporting to be from legitimate services and shortened links. It also recommended enterprises to:

  • Implement a user training program for phishing awareness.
  • Recommend users only use work emails for official business, always keep software updated, switch on multi-factor authentication, and never click on links or open attachments in unsolicited emails.
  • Users are recommended to use advanced protection services and hardware security keys. 
  • Switch on anti-phishing and spoofing security features. 
  • Block automatic email forwarding to external addresses.
  • Monitor email servers for changes to configuration and custom rules.

Iranian Hackers Use New C2 Tool 'DarkBeatC2' in Recent Operation

 

MuddyWater, an Iranian threat actor, has used a novel command-and-control (C2) infrastructure known as DarkBeatC2 in its the most recent attack. This tool joins a list of previously used systems, including SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

In a recent technical study, Deep Instinct security researcher Simon Kenin stated that, despite periodic modifications in remote administration tools or changes in C2 frameworks, MuddyWater's strategies consistently follow a pattern.

MuddyWater, also known as Boggy Serpens, Mango Sandstorm, and TA450, is linked to Iran's Ministry of Intelligence and Security (MOIS) and has been operational since at least 2017. The group orchestrates spear-phishing attacks, which result in the installation authorised Remote Monitoring and Management (RMM) solutions on compromised systems. 

Prior intelligence from Microsoft connects the group to another Iranian threat cluster known as Storm-1084 (also known as DarkBit), which has been involved in devastating wiper assaults against Israeli entities.

The latest attack, which Proofpoint revealed last month, starts off with spear-phishing emails sent from compromised accounts. These emails include links or attachments hosted on services such as Egnyte, which facilitate the distribution of the Atera Agent software.

One of the URLs used is "kinneretacil.egnyte[.]com," with the subdomain "kinneretacil" referring to "kinneret.ac.il," an Israeli educational institution. 

Lord Nemesis (also known as Nemesis Kitten or TunnelVision) targeted a Rashim customer's supply chain. Lord Nemesis, who is accused of orchestrating operations against Israel, is employed by Najee Technology, a private contracting company linked to Iran's Islamic Revolutionary Guard Corps (IRGC). 

Kenin underlined the possible consequences of Rashim's breach, claiming that Lord Nemesis might have exploited the compromised email system to target Rashim's customers, giving the phishing emails a veneer of authenticity.

Although solid proof is missing, the timing and context of events indicate a possible coordination between the IRGC and MOIS to cause serious harm to Israeli entities.

Notably, the attacks leverage a collection of domains and IP addresses known as DarkBeatC2 to manage compromised endpoints. This is done using PowerShell code that creates communication with the C2 server after initial access. 

According to independent research by Palo Alto Networks Unit 42, MuddyWater used the Windows Registry's AutodialDLL function to sideload a malicious DLL and make connections with DarkBeatC2 domains.

This method entails creating persistence via a scheduled task that uses PowerShell to exploit the AutodialDLL registry entry and load the DLL for the C2 framework. MuddyWater's other approaches include sending a first-stage payload via spear-phishing emails and using DLL side-loading to execute malicious libraries. 

Upon successful communication, the infected machine receives PowerShell responses and downloads two further PowerShell scripts from the server. One script reads the contents of a file called "C:\ProgramData\SysInt.log" and sends them to the C2 server via an HTTP POST request, while the second script polls the server on a regular basis for new payloads. The particular nature of the subsequent payload is unknown, but Kenin emphasised that PowerShell remains critical to MuddyWater's operations.

Iranian APT34 Employs Menorah Malware for Covert Operations

 

In a recent cyber espionage operation, suspected Iranian hackers infected their targets with the newly discovered Menorah Malware, according to a report released on Friday. 

APT34, also known as OilRig, Cobalt Gypsy, IRN2, and Helix Kitten, is believed to have its headquarters in Iran. Since at least 2014, it has targeted Middle Eastern nations, primarily concentrating on governmental institutions and companies in the finance, oil, chemical, and telecommunications industries. 

Researchers from Trend Micro claim that in August, the hackers infected targets suspected to be headquartered in Saudi Arabia with the Menorah malware via a series of phishing emails.

The malware designed by the group is intended for cyber espionage; it has the ability to download files to the system, run shell commands, and upload particular files from a compromised device.

The SideTwist backdoor, which the organisation had previously utilised, is said to be similar to the new malware created by APT34. But the new version is more complex and more difficult to spot. 

“APT34 is in continuous-development mode, changing up and trying which routines and techniques will work,” the researchers explained. 

A tiny portion of data regarding the victims targeted by APT34 was discovered by Trend Micro during the investigation. They impersonated the Seychelles Licensing Authority in their phishing emails by using a fake file registration form.

According to the investigation, the target victim was probably based in Saudi Arabia because this document included price information in Saudi Arabian currency. 

APT34 has a history of taking part in prominent cyberattacks on numerous targets in the Middle East. A government official in Jordan's foreign ministry was the target of Saitama's backdoor last year. The gang attacked a number of Middle Eastern banks in 2021. 

“This group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond,” the researchers added. "Organisations should regularly alert their staff to the numerous techniques that attackers use to target systems, confidential information, and personal information."

Iranian Attackers Employ Novel Moneybird Ransomware to Target Israeli Organizations

 

A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.

Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks. 

Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.

Modus operandi

According to Check Point researchers, threat actors first acquire access to company networks by taking advantage of flaws in servers that are visible to the public, giving Agrius its first network footing. 

The hackers then conceal themselves behind Israeli ProtonVPN nodes to launch ASPXSpy webshell variations concealed inside "Certificate" text files, a strategy Agrius has employed in the past. 

After deploying the webshells, the attackers employ open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. These tools include SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and ProcDump.

The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'

The C++ ransomware strain will encrypt target files using AES-256 with GCM (Galois/Counter Mode), creating distinct encryption keys for each file and appending encrypted metadata at their conclusion. This process begins immediately after the target files are launched.

In the instances observed by Check Point, the ransomware only targeted "F:User Shares," a typical shared folder on business networks used to hold company records, databases, and other items pertaining to collaboration.

This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines. 

Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.

Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery. 

"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note. 

Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities. 

However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the beginning that a payment would probably not be made, effectively rendering the attack harmful. 

"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.

An easy-to-use but powerful ransomware 

According to Check Point, Moneybird depends on an embedded configuration blob rather than command-line parsing, which would enable victim-specific customizations and increased deployment flexibility.

Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is inappropriate for mass marketing efforts. 

But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.

Albanian President Holds Meeting with NSC Over Iran Cyber Attacks Led by HomeLand Justice

 

In the wake of the ongoing cyber attacks led by hackers group HomeLand Justice, the Albanian President Bajram Begaj recently held a meeting with the National Security Council (NSC) in the Albanian capital, Tirana on 10th October, Monday. The meeting, attended by senior government officials was conducted in order to discuss the issue of persistent cyberattacks, carried out against state infrastructure by Iran. 

The meeting was attended by Albanian Prime Minister Edi Rama, Prosecutor General Olsjan Çela, Director General of Police Muhamet Rrumbullaku, Chairman of the Security Commission Nasip Naço, and senior intelligence officials. 

The threat actors referred to as HomeLand Justice is a hacker group sponsored by the Iranian government’s advanced persistent threat (ATP) actors. The hackers attempted to paralyse public services, and delete and steal governmental data, disrupting the government’s websites and services, which created a nuisance in the state. 

Earlier this year, in July, HomeLand Justice took to social media, demonstrating the attack pattern of advertising the Albanian Government about the leaks, and posting polls asking the viewers to select the hacked information they want to be published.  

A similar attack was launched in September against the Albanian government, possibly instigated in retaliation for public attribution of the previous attacks, it severed diplomatic ties between the governments of Iran and Albania. 

Over the weekend, threat actors published the hacked data pertaining to employees of the State Police on the Telegram channel operated by Homeland Justice. The leaked data involved names, personal information and photographs, ID numbers, age, name, and photo. 

Although not much information has been provided about the meeting that lasted for two hours, Finance Minister Delina Ibrahimaj briefed about the meeting in an unrelated press conference. 

“In fact, it is the role of the president to call the national security committee on various issues. We discussed the current issues of cyber attacks. Each institution reported on the measures taken, on the level of impact and on the measures that will be taken in the future to cope with the situation”, stated Delina. 

The National Security Council was last addressed on 14th February 2022 by former president Ilir Meta in regard to Russia-Ukraine tensions.

Iranian APT42 Launched Over 30 Espionage Attacks Across 14 Nations

 

Cybersecurity firm Mandiant has attributed over 30 cyber espionage attacks against activists and dissidents to the state-backed Iranian threat group APT42 (formerly UNC788) with activity dating back to 2015, at least. 

Based on APT42’s activities, the researchers believe the hacking group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), not to mention shares partial overlaps with another Iran-linked APT group tracked as APT35 (aka Charming Kitten, Phosphorus, Newscaster, and Ajax Security Team). 

The APT group has targeted multiple industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning across 14 nations, including in Australia, Europe, the Middle East, and the U.S. 

“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK, and Israel, working on Iran-related projects,” reads the report published by Mandiant. "Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.” 

The Iranian hackers are primarily focused on cyber-espionage, employing highly targeted spear-phishing and social engineering methodologies to access personal and corporate email accounts, or to deploy Android malware on mobile devices. 

The APT group also has the capability of siphoning two-factor authentication codes to circumvent more secure authentication methods, and sometimes leverages this access to target employers, colleagues, and relatives of the initial victim. However, while credential theft is favored, the group has also deployed multiple custom backdoors and lightweight tools to target firms. 

Last year in September, the Iranian hackers accessed a European government email account and exploited it to send a phishing email to nearly 150 email addresses linked with individuals or entities employed by or associated with civil society, government, or intergovernmental organizations across the globe. The phishing mail embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell toehold backdoor. 

Additionally, the researchers have uncovered multiple similarities in “intrusion activity clusters” between APT42 and another Iran-linked hacking group, UNC2448, which has been known in the past to scan for vulnerabilities and even deploy BitLocker ransomware. 

“While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO,” Mandiant explained. "We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors.”

Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations

 

The Iran-linked Lycaeum cyber espionage group, also known as Hexane or Spilrin, group is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.

Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors. 

According to analytics from Zscaler ThreatLabz researchers, the backdoor is based on a DIG.net open-source tool to launch "DNS hijacking" assaults – DNS query manipulation to redirect users to malicious clones of authentic sites – implement commands, drop payloads, and exfiltrate data. 

 Employs Word doc 

The hackers target organizations via macro-laced Microsoft Documents downloaded from a domain named "news-spot[.]live," impersonating a legitimate site. The document is masked as a news report with an Iran Military affairs topic. 

When a victim downloads the file from this site, it asks to enable the macro to view the content. After enabling macros, the DnsSystem.exe backdoor is the DNS backdoor is dropped directly onto the Startup folder for establishing persistence between reboots. 

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol." - Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

Initially, the malware sets up the DNS hijacking server by securing the IP address of the "cyberclub[.]one" domain and generates an MD5 based on the victim's username to serve as a unique victim ID. Additionally, the malware is well trained to upload and download arbitrary files to and from the remote server as well as implement malicious system commands remotely on the exploited server.

 Evolution of Lyceum 

The Lyceum APT group was first spotted at the beginning of August 2019 attempting to secure access to the organization’s systems via password spraying or brute-force attacks. 

Lyceum primarily focuses on cyber espionage, and this new stealthy and potent backdoor is evidence of its evolution in the field. The Iranian group is expected to continue participating in these data theft campaigns that often include multiple hacking groups from the country. 

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence

 

The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWatter hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

Last year in November, cyber authorities across the US, UK, and Australia attributed attacks exploiting loopholes in Fortinet and Exchanges to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the malicious actors were simply focused on exploiting the vulnerabilities wherever possible; following the operation, they then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

Iran's Mahan Airline Targeted in Cyber Attack

 

A cyber-attack against Iran's second-largest airline, Mahan Air has been thwarted, Iranian media reported on Sunday, adding that the airliner's flight schedule was not impacted by the cyber assault.

"Mahan Air's computer system has suffered a new attack. It has already been the target on several occasions due to its important position in the country's aviation industry. Our internet security team is thwarting the cyberattack," airline spokesman Amir-Hossein Zolanvari told state television. 

According to the Daily Sabah, following the attack passengers could not access the airline’s website for hours displaying an error message saying the site couldn’t be reached. Additionally, many customers of Mahan Air across Iran received strange text messages from a group called Hoosyarane-Vatan, claiming to have carried out the attack. 

“We believe the public deserves to know the truth behind this cooperation and the money wasted on IRGC activities abroad while Iranian people suffer at home,” the hacking group said in a statement on the Telegram messaging app. 

Being an Iranian airline, Mahan Air has often found itself in the middle of a political storm. The carrier has been under US sanctions since 2011 for allegedly providing support to the Quds Force and has been associated with alleged shipments of arms from Iran to Shiite groups in Syria, including the Hezbollah terror group. Alleged Israeli airstrikes in Syria have been thought to target Mahan Air weapons shipments in the past. 

“Mahan Air has transported IRGC-QF operatives, weapons, equipment, and funds abroad in support of the IRGC-QF’s regional operations, and has also moved weapons and personnel for Hezbollah,” US Treasury stated in 2019. 

Iran, last month, accused Israel and the United States of a cyberattack on its gas stations that resulted in havoc at fuel pumps nationwide. Iranian President Ebrahim Raisi blamed the hack on anti-Iranian forces seeking to sow disorder and disruption across the nation. 

Days later, Israel's internet infrastructure was targeted by the Iranian Black Shadow hacking group, including against the largest Israeli LGBTQ dating site and an insurance firm. In July, the website of Iran's transport ministry was crippled by what state media said was a "cyber disruption" that caused delays in train services.

Iranian Hackers Attacked Websites of an African Bank and US Federal Library

 

According to Iran Briefing, hackers posing as Iranians targeted the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, by posting pro-Iranian remarks and graphics. 

The website of Sierra Leone Commercial Bank was found to be "H4ck3D IRANIAN HACKER" in Google search results. 

The words "hacked by Iranian hacker, hacked by shield Iran" were written in Twitter screenshots on a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike. 

According to CBC News, the library program's website was updated with a bloodied picture of US President Donald Trump being punched in the face, as well as a message is written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!" 

A spokesman from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency verified the incident. Though the hack has still proven to be the activity of Iranian state-sponsored actors. 

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging”. 

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US could be a possible retaliation. 

It's unclear whether the hackers had a government position or had any connection to Iran. The hack occurs at a time when tensions between the US and Iran are still high following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2. 

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.