Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Iran. Show all posts
Iran
Advanced Persistent Threat APT APT 32 APT actors APT attacks APT Campaigns APT Group APT27 APT34 APT43 Cyber Security Cybercriminal Tactics Iran

Analysing Advanced Persistent Threats 2023: Tactics, Targets, and Trends

 

The term "Advanced Persistent Threat" (APT) denotes a highly specialised category of cyber adversaries within the field of cybersecurity. These entities distinguish themselves through advanced skill sets and substantial access to resources, often employing sophisticated tools and techniques. APTs typically exhibit state sponsorship, indicating either direct or indirect government support or intricate ties to organized crime syndicates. 

This connection to state actors or criminal groups grants them a level of persistence and capability that far exceeds that of conventional cybercriminals. In 2023, the cybersecurity landscape has witnessed the persistent activity of several Advanced Persistent Threat (APT) groups, with attributions largely pointing to nation-states, notably Iran and China. These sophisticated entities operate at the forefront of cyber capabilities, employing advanced tactics, techniques, and procedures. Their activities extend beyond conventional cybercriminal motives, often involving strategic objectives tied to geopolitical influence, military espionage, or the compromise of critical infrastructure. As the year unfolds, the vigilance of cybersecurity experts remains crucial in monitoring and responding to the evolving tactics employed by these APT groups, reflecting the ongoing challenge of safeguarding against state-sponsored cyber threats.  

Here’s a summary of some of the most active and prominent APT Groups as of 2023:  

1) APT39  

APT39, believed to be associated with Iran, has emerged as a notable player in the cyber threat landscape in 2023. This advanced persistent threat group strategically directs its efforts towards the Middle East, with a specific focus on key sectors such as telecommunications, travel, and information technology firms. APT39 employs a sophisticated arsenal of cyber tools, including the use of SEAWEED and CACHEMONEY backdoors, along with spearphishing techniques for initial compromise. 

2) APT35 

APT35, believed to be affiliated with Iran, has solidified its position as a significant threat in 2023, honing its focus on military, diplomatic, and government personnel across the U.S., Western Europe, and the Middle East. Employing a sophisticated toolkit that includes malware such as ASPXSHELLSV and BROKEYOLK, the group employs a multifaceted approach, leveraging spearphishing and password spray attacks to infiltrate target networks. APT35's strategic interests span various sectors, encompassing U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, defense industrial base (DIB), and the engineering, business services, and telecommunications sectors.  

3) APT41 

APT41, believed to be linked to China, continues to pose a significant cyber threat in 2023, targeting a diverse range of sectors including healthcare, telecommunications, high-tech, education, and news/media. Renowned for employing an extensive arsenal of malware and spear-phishing tactics with attachments, APT41 demonstrates a multifaceted approach, engaging in both state-sponsored espionage and financially motivated activities. Researchers have identified APT41 as a Chinese state-sponsored espionage group that has also ventured into financially motivated operations. Active since at least 2012, the group has been observed targeting industries such as healthcare, telecom, technology, and video games across 14 countries. APT41's activities overlap, at least partially, with other known threat groups, including BARIUM and Winnti Group, underscoring the complexity and interconnected nature of cyber threats associated with this sophisticated actor.  

4) APT40 

APT40, associated with China, maintains a strategic focus on countries crucial to China's Belt and Road Initiative, with a particular emphasis on the maritime, defense, aviation, and technology sectors. Notably active in 2023, APT40 employs a diverse range of techniques for initial compromise, showcasing their sophisticated capabilities. These methods include web server exploitation, phishing campaigns delivering both publicly available and custom backdoors, and strategic web compromises. APT40's modus operandi involves the utilization of compromised credentials to access connected systems and conduct reconnaissance. The group further employs Remote Desktop Protocol (RDP), Secure Shell (SSH), legitimate software within victim environments, an array of native Windows capabilities, publicly available tools, and custom scripts to facilitate internal reconnaissance. This comprehensive approach highlights APT40's adaptability and underscores the persistent and evolving nature of cyber threats in the geopolitical landscape. 

5) APT31 

Focused on government entities, international financial organizations, aerospace, and defense sectors, among others, APT31, also known as Zirconium or Judgment Panda, stands out as a formidable Advanced Persistent Threat group with a clear mission likely aligned with gathering intelligence on behalf of the Chinese government. Operating in 2023, APT31 exhibits a strategic approach, concentrating on exploiting vulnerabilities in applications like Java and Adobe Flash to achieve its objectives. Similar to other nation-state actors, the group's primary focus is on acquiring data relevant to the People's Republic of China (PRC) and its strategic and geopolitical ambitions. The group's activities underscore the ongoing challenge of safeguarding sensitive information against sophisticated state-sponsored cyber threats. 

6) APT30 

APT30, believed to be associated with China, distinguishes itself through its noteworthy focus on long-term operations and the infiltration of air-gapped networks, specifically targeting members of the Association of Southeast Asian Nations (ASEAN). Employing malware such as SHIPSHAPE and SPACESHIP, this threat actor utilizes spear-phishing techniques to target government and private sector agencies in the South China Sea region. Notably, APT30's objectives appear to lean towards data theft rather than financial gain, as they have not been observed targeting victims or data that can be readily monetized, such as credit card information or bank credentials. Instead, the group's tools demonstrate functionality tailored for identifying and stealing documents, with a particular interest in those stored on air-gapped networks. APT30 employs decoy documents on topics related to Southeast Asia, India, border areas, and broader security and diplomatic issues, indicating a strategic approach to lure in and compromise their intended targets in the geopolitical landscape. 

7) APT27 

APT27 believed to be operating from China, is a formidable threat actor specializing in global intellectual property theft across diverse industries. Employing sophisticated malware such as PANDORA and SOGU, the group frequently relies on spear-phishing techniques for initial compromise. APT27 demonstrates versatility in deploying a wide array of tools and tactics for its cyberespionage missions. Notably, between 2015 and 2017, the group executed watering hole attacks through the compromise of nearly 100 legitimate websites to infiltrate victims' networks. Targeting sectors including government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics, APT27 operates across regions such as North America, South-East Asia, Western Asia, Eastern Asia, South America, and the Middle East. The group's motives encompass cyberespionage, data theft, and ransom, employing a diverse range of malware including Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, and FoundCore. 

8) APT26 

APT26, suspected to have origins in China, specializes in targeting the aerospace, defense, and energy sectors. Recognized for its strategic web compromises and deployment of custom backdoors, this threat actor's primary objective is intellectual property theft, with a specific focus on data and projects that provide a competitive edge to targeted organizations within their respective fields. The group's tactics involve the utilization of associated malware such as SOGU, HTRAN, POSTSIZE, TWOCHAINS, and BEACON. APT26 employs strategic web compromises as a common attack vector to gain access to target networks, complementing their approach with custom backdoors deployed once they penetrate a victim's environment.  

9) APT25 

APT25, also recognized as Uncool, Vixen Panda, Ke3chang, Sushi Roll, and Tor, is a cyber threat group with suspected ties to China. The group strategically targets the defense industrial base, media, financial services, and transportation sectors in both the U.S. and Europe. APT25's primary objective is data theft, and its operations are marked by the deployment of associated malware such as LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, and SABERTOOTH. Historically, the group has relied on spear-phishing techniques in its operations, incorporating malicious attachments and hyperlinks in deceptive messages. APT25 actors typically refrain from using zero-day exploits but may leverage them once they become public knowledge. The group's consistent focus on targeted sectors and methods underscores its persistence and intent to pilfer sensitive information from key industries in the U.S. and Europe. 

10) APT24 

APT24, also known as PittyTiger and suspected to have origins in China, conducts targeted operations across a diverse array of sectors, including government, healthcare, construction, mining, nonprofit, and telecommunications industries. The group has historically targeted organizations in countries such as the U.S. and Taiwan. APT24 is distinguished by its use of the RAR archive utility to encrypt and compress stolen data before exfiltration from the network. Notably, the stolen data primarily consists of politically significant documents, indicating the group's intention to monitor the positions of various nation-states on issues relevant to China's ongoing territorial or sovereignty disputes. Associated malware utilized by APT24 includes PITTYTIGER, ENFAL, and TAIDOOR. The group employs phishing emails with themes related to military, renewable energy, or business strategy as lures, and its cyber operations primarily focus on intellectual property theft, targeting data and projects that contribute to an organization's competitiveness within its field. 

11) APT23 

APT23, suspected to have ties to China, directs its cyber operations towards the media and government sectors in the U.S. and the Philippines, with a distinct focus on data theft of political and military significance. Unlike other threat groups, APT23's objectives lean towards traditional espionage rather than intellectual property theft. The stolen information suggests a strategic interest in political and military data, implying that APT23 may be involved in supporting more traditional espionage operations. The associated malware used by APT23 is identified as NONGMIN. The group employs spear-phishing messages, including education-related phishing lures, as attack vectors to compromise victim networks. While APT23 actors are not known for utilizing zero-day exploits, they have demonstrated the capability to leverage these exploits once they become public knowledge. 

12) APT22 

Also known as Barista and suspected to be linked to China, APT22 focuses its cyber operations on political, military, and economic entities in East Asia, Europe, and the U.S., with a primary objective of data theft and surveillance. Operating since at least early 2014, APT22 is believed to have a nexus to China and has targeted a diverse range of public and private sector entities, including dissidents. The group utilizes associated malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM. APT22 employs strategic web compromises as a key attack vector, allowing for the passive exploitation of targets of interest. Additionally, threat actors associated with APT22 identify vulnerable public-facing web servers on victim networks, uploading webshells to gain access to the victim's network. This comprehensive approach underscores APT22's persistent and multifaceted tactics in carrying out intrusions and surveillance activities on a global scale. 

13) APT43 

Linked to North Korea, APT43 has targeted South Korea, the U.S., Japan, and Europe across various sectors, including government, education/research/think tanks, business services, and manufacturing. Employing spear-phishing and fake websites, the group utilizes the LATEOP backdoor and other malicious tools to gather information. A distinctive aspect of APT43's operations involves stealing and laundering cryptocurrency to purchase operational infrastructure, aligning with North Korea's ideology of self-reliance, thereby reducing fiscal strain on the central government. APT43 employs sophisticated tactics, creating numerous convincing personas for social engineering, masquerading as key individuals in areas like diplomacy and defense. Additionally, the group leverages stolen personally identifiable information (PII) to create accounts and register domains, establishing cover identities for acquiring operational tooling and infrastructure. 

14) Storm-0978 (DEV-0978/RomCom) 

Storm-0978, also known as RomCom, is a Russian-based cybercriminal group identified by Microsoft. Specializing in ransomware, extortion-only operations, and credential-stealing attacks, this group operates, develops, and distributes the RomCom backdoor, and its latest campaign, detected in June 2023, exploited CVE-2023-36884 to deliver a backdoor with similarities to RomCom. Storm-0978's targeted operations have had a significant impact on government and military organizations primarily in Ukraine, with additional targets in Europe and North America linked to Ukrainian affairs. The group is recognized for its tactic of targeting organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Notably, ransomware attacks attributed to Storm-0978 have affected industries such as telecommunications and finance, highlighting the group's broad impact and the evolving nature of cyber threats in the geopolitical landscape. 

15) Camaro Dragon 

A Chinese state-sponsored hacking group named 'Camaro Dragon' has recently shifted its focus to infecting residential TP-Link routers with a custom malware called 'Horse Shell.' European foreign affairs organizations are the specific targets of this cyber campaign. The attackers utilize a malicious firmware exclusively designed for TP-Link routers, enabling them to launch attacks appearing to originate from residential networks rather than directly targeting sensitive networks. Check Point, the cybersecurity firm that uncovered this campaign, clarifies that homeowners with infected routers are unwitting contributors rather than specific targets. The infection is attributed to self-propagating malware spread via USB drives. Checkpoint identified updated versions of the malware toolset, including WispRider and HopperTick, with similar capabilities for spreading through USB drives. These tools are associated with other tools employed by the same threat actor, such as the Go-based backdoor TinyNote and a malicious router firmware implant named HorseShell. The shared infrastructure and operational objectives among these tools provide further evidence of Camaro Dragon's extensive and coordinated cyber activities. 

In conclusion, the cybersecurity landscape of 2023 has been defined by a substantial surge in Advanced Persistent Threat (APT) activities, reflecting a sophisticated and dynamic threat environment. This analysis has delved into the intricate and evolving nature of these threats, emphasizing the persistent and increasingly sophisticated endeavours of emerging and established APT groups. These actors, distinguished by high skill levels and substantial resources, often operate with state sponsorship or connections to organized crime, enabling them to execute complex and prolonged cyber campaigns. 

Throughout the year, APTs have prominently featured, executing meticulously planned operations focused on long-term infiltration and espionage. Their objectives extend beyond financial gain, encompassing geopolitical influence, military espionage, and critical infrastructure disruption, posing a significant threat to global stability and security. 

Key regions such as the Asia-Pacific (APAC), South America, Russia, and the Middle East have witnessed diverse APT activities, showcasing unique tactics and targeting various sectors. Notable incidents, including compromising secure USB drives, deploying remote access Trojans (RATs), and sophisticated spear-phishing campaigns, underscore the adaptability of APT groups. The emergence of new actors alongside well-established groups, utilizing platforms like Discord and exploiting zero-day vulnerabilities, highlights the need for enhanced cyber defenses and international cooperation. 

Incidents like the Sandworm attack and exploitation of Atlassian Confluence flaws exemplify the diverse and evolving nature of APT threats, emphasizing their technical prowess and strategic focus on critical sectors and infrastructure. In response, a comprehensive and adaptive approach involving robust security measures, intelligence sharing, and strategic collaboration is essential to effectively mitigate the multifaceted risks posed by these highly skilled adversaries in the ever-evolving cyber threat landscape.
Read more »
Security
Cartoon Contest Cyber Security FBI Iran Microsoft Safety Security

Microsoft: Iran Unit Responsible for Charlie Hebdo Hack-and-Leak Operation

 

After the French satirical magazine Charlie Hebdo launched a cartoon contest mocking Iran's ruling cleric, a state-backed Iranian cyber unit retaliated with a hack-and-leak campaign designed to instill fear with the alleged theft of a large subscriber database, according to Microsoft security researchers. 

The FBI has blamed the same Iranian cyber operators, Emennet Pasargad, for an influence operation aimed at interfering in the 2020 U.S. presidential election, according to an blog post published Friday by the tech giant. In recent years, Iran has increased the use of false-flag cyber operations to discredit adversaries. According to Microsoft, a group calling itself "Holy Souls" and posing as hacktivists claimed in early January to have acquired personal details on 200,000 subscribers and Charlie Hebdo merchandise buyers.

As evidence of the data theft, "Holy Souls" published a 200-record sample of Charlie Hebdo subscribers' names, phone numbers, home and email addresses, which "could put the magazine's subscribers at danger for online or physical targeting" by extremists. The group then marketed the alleged complete data cache for $340,000 on several dark web sites. Microsoft stated that it had no knowledge of anyone purchasing the cache.

A Charlie Hebdo representative stated on Friday that the newspaper would not comment on the Microsoft study. Iran's UN mission did not immediately respond to a request for comment Friday. The release of the sample on January 4 coincided with the publication of Charlie Hebdo's cartoon contest issue. Participants were asked to create offensive caricatures of Iran's supreme leader, Ayatollah Ali Khamenei.

The operation coincided with Tehran's verbal attacks condemning Charlie Hebdo's "insult." The controversially irreverent magazine has a long history of publishing vulgar cartoons that critics regard as deeply insulting to Muslims. In 2015, two French-born al-Qaida extremists attacked the newspaper's office, killing 12 cartoonists, and Charlie Hebdo has been the target of other attacks in the past.

The magazine promoted the Khamenei caricature contest as a gesture of solidarity for the nationwide antigovernment protests that have erupted in Iran since the death of Mahsa Amini, a 22-year-old woman detained by Iran's morality police for allegedly violating the country's strict Islamic dress code, in mid-September.

Following the publishing of the cartoon issue, Iran closed down a decades-old French research institute. It announced sanctions last week against more than 30 European individuals and entities, including three senior Charlie Hebdo employees. The sanctions are mostly symbolic, as they prohibit travel to Iran and allow Iranian authorities to freeze bank accounts and seize property there.
Read more »
Ukraine
China cyber espionage Cyber Security CyberCrime Hacking Iran Iran government Opportunistic Cybercrime Russia State Sponsored Hackers Ukraine

Cybersecurity in 2023: Russian Intelligence, Chinese Espionage, and Iranian Hacktivism


State-sponsored Activities 

In the year 2022, we witnessed a number of state-sponsored cyber activities originating from different countries wherein the tactics employed by the threat actors varied. Apparently, this will continue into 2023, since government uses its cyber capabilities as a means of achieving its economic and political objectives. 

Russian Cyber Activity will be Split between Targeting Ukraine and Advancing its Broader Intelligence Goals 

It can be anticipated that more conflict-related cyber activities will eventually increase since there is no immediate prospect of an end to the conflict in Ukraine. These activities will be aimed at degrading Ukraine's vital infrastructure and government services and gathering foreign intelligence, useful to the Russian government, from entities involved in the war effort. 

Additionally, organizations linked to the Russian intelligence services will keep focusing their disinformation campaigns, intelligence gathering, and potentially low-intensity disruptive attacks on their geographical neighbors. 

Although Russia too will keep working toward its longer-term, more comprehensive intelligence goals. The traditional targets of espionage will still be a priority. For instance, in August 2022, Russian intelligence services used spear phishing emails to target employees of the US's Argonne and Brookhaven national laboratories, which conduct cutting-edge energy research. 

It is further expected that new information regarding the large-scale covert intelligence gathering by Russian state-sponsored threat actors, enabled by their use of cloud environments, internet backbone technology, or pervasive identity management systems, will come to light. 

China Will Continue to Prioritize Political and Economic Cyber Espionage 

It has also been anticipated that the economic and political objectives will continue to drive the operation of China’s intelligence-gathering activities. 

The newly re-elected president Xi Jinping and his Chinese Communist Party will continue to employ its intelligence infrastructure to assist in achieving more general economic and social goals. It will also continue to target international NGOs in order to look over dissident organizations and individuals opposing the Chinese government in any way. 

China-based threat actors will also be targeting high-tech company giants that operate in or supply industries like energy, manufacturing, housing, and natural resources as it looks forward to upgrading the industries internally. 

Iranian Government-backed Conflicts and Cybercrimes will Overlap 

The way in which the Iranian intelligence services outsource operations to security firms in Iran has resulted in the muddled difference between state-sponsored activity and cybercrime. 

We have witnessed a recent incident regarding the same with the IRGC-affiliated COBALT MIRAGE threat group, which performs cyber espionage but also financially supports ransomware attacks. Because cybercrime is inherently opportunistic, it has affected and will continue to affect enterprises of all types and sizes around the world. 

Moreover, low-intensity conflicts between Iran and its adversaries in the area, mainly Israel, will persist. Operations carried out under the guise of hacktivism and cybercrime will be designed to interfere with crucial infrastructure, disclose private data, and reveal agents of foreign intelligence. 

How Can Organizations Protect Themselves from Opportunistic Cybercrime?

The recent global cyber activities indicate that opportunistic cybercrime threats will continue to pose a challenge to organizational operations. 

Organizations are also working on defending themselves from these activities by prioritizing security measures, since incidents as such generally occur due to a failure or lack of security controls. 

We have listed below some of the security measures organizations may follow in order to combat opportunistic cybercrime against nations, states, and cybercrime groups : 

  • Organizations can mitigate threats by investing in fundamental security controls like asset management, patching, multi-factor authentication, and network monitoring. 
  • Maintaining a strong understanding of the threat landscape and tactics utilized by adversaries. Security teams must also identify and safeguard their key assets, along with prioritizing vulnerability management. 
  • Traditional methods and solutions, such as endpoint detection and response, are no longer effective in thwarting today's attacks, so it is crucial to thoroughly monitor the entire network, from endpoints to cloud assets. However, in order to identify and effectively address their most significant business concerns, and prioritize threats in order to combat them more efficiently.  

Read more »
Iranian
Cyber Attacks Cybersecurity Email Fraud Email Hacking email threat Energy sector Iran Iranian

Iran’s Atomic Energy Organization Confirms E-mail Hack

 

The Atomic Energy Organization of Iran (AEOI) has confirmed that an anonymous “foreign country” has hacked an e-mail server belonging to one of its subsidiaries and allegedly published the information online, as per reports. 

The Iranian threat actor, named ‘Black Reward’ in a statement posted on his Twitter handle says that it has released the hacked information relating to Iranian nuclear activities. The hackers describe their action as an act of support for the Iranian protesters. 

The said protests continue in Iran after the death of Mahsa Amini (22-year-old) in September, who apparently died in police custody for not following the strict Islamic dress protocol of the country. The violent protest and street violence resulted in several deaths of protesters, along with that of security force staff. Furthermore, hundreds of demonstrators have allegedly been detained. 

A statement published by the Black Reward on Saturday showing support for the protests, read “In the name of Mahsa Amini and for women, life, and freedom.”  

The hacking group threatened the Iranian state to leak the hacked documents of Tehran’s nuclear program if they would not release all the prisoners and people detained in the protests, within 24 hours. Additionally, the group demands the release of political prisoners, claiming to have leaked 50 gigabytes of internal emails, contracts and construction plans relating to the country’s Russian-sponsored nuclear power plant in Bushehr, publishing files on its Telegram channel. 

According to the statement shared by the hacking group, the released information includes “management and operational schedules of different parts of Bushehr power plant,” passport and visa details of Iran and Russia based specialists working in the power plant and “atomic development contracts and agreements with domestic and foreign partners.” 

Although the atomic energy organization’s general department of public diplomacy and information denied the relevance of the released data, stating “this move was made with the aim of attracting public attention” 

“It should be noted that the content in users’ emails contains technical messages and common and current daily exchanges […] It is obvious that the purpose of such illegal efforts, which are carried out of desperation, is to attract public attention, create media atmospheres and psychological operations, and lack any other value,” the organization confirmed.
Read more »
Iranian cyber attack
Albanian Cyber Army Albanian Hacker Cyber Attacks Cyberattack Iran Iran hackers Iranian cyber attack

Albanian President Holds Meeting with NSC Over Iran Cyber Attacks Led by HomeLand Justice

 

In the wake of the ongoing cyber attacks led by hackers group HomeLand Justice, the Albanian President Bajram Begaj recently held a meeting with the National Security Council (NSC) in the Albanian capital, Tirana on 10th October, Monday. The meeting, attended by senior government officials was conducted in order to discuss the issue of persistent cyberattacks, carried out against state infrastructure by Iran. 

The meeting was attended by Albanian Prime Minister Edi Rama, Prosecutor General Olsjan Çela, Director General of Police Muhamet Rrumbullaku, Chairman of the Security Commission Nasip Naço, and senior intelligence officials. 

The threat actors referred to as HomeLand Justice is a hacker group sponsored by the Iranian government’s advanced persistent threat (ATP) actors. The hackers attempted to paralyse public services, and delete and steal governmental data, disrupting the government’s websites and services, which created a nuisance in the state. 

Earlier this year, in July, HomeLand Justice took to social media, demonstrating the attack pattern of advertising the Albanian Government about the leaks, and posting polls asking the viewers to select the hacked information they want to be published.  

A similar attack was launched in September against the Albanian government, possibly instigated in retaliation for public attribution of the previous attacks, it severed diplomatic ties between the governments of Iran and Albania. 

Over the weekend, threat actors published the hacked data pertaining to employees of the State Police on the Telegram channel operated by Homeland Justice. The leaked data involved names, personal information and photographs, ID numbers, age, name, and photo. 

Although not much information has been provided about the meeting that lasted for two hours, Finance Minister Delina Ibrahimaj briefed about the meeting in an unrelated press conference. 

“In fact, it is the role of the president to call the national security committee on various issues. We discussed the current issues of cyber attacks. Each institution reported on the measures taken, on the level of impact and on the measures that will be taken in the future to cope with the situation”, stated Delina. 

The National Security Council was last addressed on 14th February 2022 by former president Ilir Meta in regard to Russia-Ukraine tensions.
Read more »
Iran hackers
Android Spyware Cyber Attacks cyber espionage Iran Iran hackers

Iranian APT42 Launched Over 30 Espionage Attacks Across 14 Nations

 

Cybersecurity firm Mandiant has attributed over 30 cyber espionage attacks against activists and dissidents to the state-backed Iranian threat group APT42 (formerly UNC788) with activity dating back to 2015, at least. 

Based on APT42’s activities, the researchers believe the hacking group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), not to mention shares partial overlaps with another Iran-linked APT group tracked as APT35 (aka Charming Kitten, Phosphorus, Newscaster, and Ajax Security Team). 

The APT group has targeted multiple industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning across 14 nations, including in Australia, Europe, the Middle East, and the U.S. 

“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK, and Israel, working on Iran-related projects,” reads the report published by Mandiant. "Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.” 

The Iranian hackers are primarily focused on cyber-espionage, employing highly targeted spear-phishing and social engineering methodologies to access personal and corporate email accounts, or to deploy Android malware on mobile devices. 

The APT group also has the capability of siphoning two-factor authentication codes to circumvent more secure authentication methods, and sometimes leverages this access to target employers, colleagues, and relatives of the initial victim. However, while credential theft is favored, the group has also deployed multiple custom backdoors and lightweight tools to target firms. 

Last year in September, the Iranian hackers accessed a European government email account and exploited it to send a phishing email to nearly 150 email addresses linked with individuals or entities employed by or associated with civil society, government, or intergovernmental organizations across the globe. The phishing mail embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell toehold backdoor. 

Additionally, the researchers have uncovered multiple similarities in “intrusion activity clusters” between APT42 and another Iran-linked hacking group, UNC2448, which has been known in the past to scan for vulnerabilities and even deploy BitLocker ransomware. 

“While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO,” Mandiant explained. "We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors.”
Read more »
State Sponsored Hackers
CISA Cyber Attacks Cyber Threats Iran Microsoft State Sponsored Hackers

CISA, Microsoft Warn of Rise in Cyber-attacks From Iran

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft witnessed a massive surge of Iranian state-sponsored cyberattacks against IT services firms. In the wake of the findings, the tech giant and the eminent law enforcement body sent out alerts regarding the same. 

In 2020, the cyberattacks from state-sponsored Iranian threat actors on IT services firms were virtually non-existent, however, in 2022 the cybercrimes exceeded to 1,500, said Microsoft. 

"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks," Microsoft added. 

According to the report, the group was tracked as Phosphorus (aka Charming Kitten or APT35), compromising IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain access. 

Additionally, the organizations believed that an advanced persistent threat (APT) group sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to attack both government and private sector networks. 

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia," reads the report.  

Nation-state operators with nexus to Iran are becoming more advanced and familiar with cyberattacks to generate revenue, they are also engaging in persistent social engineering campaigns and aggressive brute force attacks. 

Researchers from Microsoft Threat Intelligence Center (MSTIC) revealed that “these ransomware deployments were launched in waves every six to eight weeks on average.” 

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health sector, as well as Australian organizations," CISA said. 

As per the findings, the hackers systematically target prominent IT services firms worldwide including nations like the USA, the UK, United Arab Emirates, India, and so on. Microsoft further added that these attacks are examples of how nation-state actors are increasingly targeting supply chains as an indirect approach to fulfill their real motives.
Read more »
Ransomware attack
APT Attack Cox Cox Media Group Cyber Crime Iran malware Ransomware Ransomware attack

Iranian Hackers Behind Cox Media Group Ransomware Attack

 

Iranian hackers were behind the ransomware attack that disrupted Cox radio and TV stations' IT systems and live streaming earlier this year, according to The Record. 

The attack was carried out by a threat actor known as DEV-0270, which has been linked to many incursions against US organizations this year that resulted in the deployment of ransomware. While the Cox Media Group's infiltration was discovered on June 3 when the attackers used ransomware to encrypt some internal servers, the group had been breaching and hiding inside the company's internal network since mid-May. 

The attack did not affect all Cox Media Group radio and television stations, but it did disrupt certain stations' capability to broadcast live feeds on their websites. Initially, the Cox Media Group attempted to downplay the incident. 

Local reporters who used Twitter to convey information about the ransomware attack were admonished and forced to withdraw their posts. However, four months later, in October, the corporation finally confirmed the incident, although without disclosing any details about the Iranian hackers. 

The disclosure that Iranian hackers were behind the Cox attack comes less than a month after the US Department of Justice charged two Iranian citizens with various hacking-related offenses in November. One of them was for compromising a US media firm with the goal of disseminating false information about the legality of the US 2020 Presidential election via its website. 

Lee Enterprises, which owns the Buffalo News, the Arizona Daily Star, and the Omaha World-Herald, was eventually confirmed as the company. DEV-0270 has previously engaged in both information-collection operations and financially motivated attacks, according to a Microsoft threat intelligence analysis on the group, obscuring the true reason behind the recent Cox ransomware attack. 

The strategy of delivering ransomware on the networks of large corporations was first detected in late 2016 by Iranian hackers, namely the SamSam group. Their strategy of focusing on large businesses rather than end-users was later adopted by the majority of ransomware threat actors, and is now known as "big-game hunting." 

Since then, the majority of ransomware attacks have been attributed to Russian-based groups; however, certain ransomware cases have also been linked to members of state-sponsored espionage groups operating in Iran, China, and North Korea in recent years. 

These groups used ransomware on the networks of some of their victims as a path to monetize compromised companies with no intelligence-collection value or to hide intelligence collection behind a more generic ransomware issue that wouldn't prompt a more in-depth examination. 

Cox Media Group spokespersons did not respond to inquiries for comment on the incursion in May and June.
Read more »
SMS Phishing
Android Android Users Cyber Fraud Data-Stealing Iran Mallicious Apps phishing Scam SMS Phishing

Researchers: Iranian Users Beware of Widespread SMS Phishing Campaigns

 

Socially engineered SMS texts are being utilized to install malware on Android smartphones, as part of a large phishing operation that impersonates the Iranian government and social security authorities in order to steal credit card information and funds from victims' bank accounts, 

Unlike other types of banking malware that use overlay attacks to steal sensitive data without the victim's knowledge, the financially motivated operation discovered by Check Point Research is developed to trick victims into handing over their credit card information by sending them a legitimate-looking SMS message with a link that, when clicked, downloads a malware-laced app onto their devices. 

Check Point researcher Shmuel Cohen stated in a new report published Wednesday, "The malicious application not only collects the victim's credit card numbers, but also gains access to their 2FA authentication SMS, and turn[s] the victim's device into a bot capable of spreading similar phishing SMS to other potential victims." 

As per the cybersecurity firm, it discovered hundreds of distinct phishing Android apps masquerading as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government-related services, with these botnets sold as a "ready-to-use mobile campaign kit" on Telegram channels for somewhere between $50 and $150. 

The infection chain of the smishing botnet begins with a bogus notification from the Iranian judiciary requesting users to evaluate a fictitious complaint made against the message's receivers. The complaint link takes victims to what appears to be a government website, where they are requested to provide personal information (e.g., name, phone number, etc.) and download an Android APK file. 

Once downloaded, the rogue app not only demands invasive rights to execute operations typically not associated with such government applications, but it also displays a false login page that resembles Sana, the country's electronic judicial notice system, and prompts the victim to pay a $1 payment to proceed. Users who choose to do so are then sent to a bogus payment page that captures the credit card information submitted, while the installed software acts as a covert backdoor to harvest one-time passcodes given by the credit card provider and assist more fraud. 

Furthermore, the malware has a plethora of functionality, including the ability to exfiltrate all SMS messages received by a device to an attacker-controlled server, conceal its icon from the home screen to circumvent attempts to remove the app, deploy extra payloads, and obtain worm-like powers to broaden its attack surface. 

Prevent data breaches 

Cohen explained, "This allows the actors to distribute phishing messages from the phone numbers of typical users instead of from a centralized place and not be limited to a small set of phone numbers that could be easily blocked. This means that technically, there are no 'malicious' numbers that can be blocked by the telecommunication companies or traced back to the attacker." 

To make matters worse, the attackers behind the operation were discovered to have inadequate operational security (OPSEC), enabling any third party to openly access the phone numbers, contacts, SMS messages, and list of any online bots stored on their servers. 

"Stealing 2FA dynamic codes allows the actors to slowly but steadily withdraw significant amounts of money from the victims' accounts, even in cases when due to the bank limitations each distinct operation might garner only tens of dollars." 

"Together with the easy adoption of the 'botnet as a service' business model, it should come as no surprise that the number of such applications for Android and the number of people selling them is growing," he added.
Read more »
US
Cyber Attacks Cyber Security News Cybersecurity Cybersecurity Incident Iran Israel US

Iran Accuses USA and Israel for Carrying Out Fuel Cyberattacks

 

An Iranian General alleged that Israel and US might have planned a cyberattack that caused disruption of fuel in service stations in Iran. The attack which happened on Tuesday is similar to two recent incidents where, as per the general, the attackers might be Iran's rivals: USA and Israel. Two incidents were analyzed, the Shahid Rajaei port incident and the railway accident, and found that these two incidents were similar. Earlier this year, as per Iran's transportation ministry, a cyberattack disrupted its website and computer systems, reports Fars news agency. 

"In a country where petrol flows freely at what are some of the lowest prices in the world, motorists need digital cards issued by the authorities. The cards entitle holders to a monthly amount of petrol at a subsidized rate and, once the quota has been used up, to buy more expensive at the market rate," reports The Security Week. In 2020, Washington Post reported an incident where Israel orchestrated an attack on Iranian port Shahid Rajaei (in Hormuz Strait), a strategic path to global oil shipments. 

The recent cyber disruption resulted in traffic jams in major pockets in Tehran, having long lines at petrol pumps disrupting traffic flow. Following the incident, the oil ministry shut down the service stations in order for easy manual distribution of petrol, said the authorities. On Wednesday, President Ebrahim Raisi alleged that the actors were trying to sway the people of Iran against Islamic Republic leadership. As per the reports, an estimated 3200 out of 4300 of the country's service stations have been re-linked with the central distribution system, said the National Oil Products Distribution Company. 

Besides this, there are other stations who also give fuel to motorists, but not at subsidized rates, which makes it twice in the rates, around 5-6 US cents/litre. The Security Week reports, "Since 2010, when Iran's nuclear program was hit by the Stuxnet computer virus, Iran and its arch-foes Israel and the United States have regularly accused each other of cyberattacks. The conservative Fars news agency on Tuesday linked the breakdown to opponents ahead of the second anniversary of deadly protests sparked by a hike in petrol prices."
Read more »
Russia
America China Cyber Criminals Cyber Security cyber threat Iran North Korea Russia

NSA’s Cyber Chief Warned About the Increasing Cyber Threat

 

On Wednesday the 29th of September, the chief of the cyber branch of the National Security Agency cautioned about the growing number of digital dangers and threats that these cybercriminals pose. 

Rob Joyce, Director of the NSA Cybersecurity Directorate, stated during the ASPEN Cyber Summit in Colorado that nearly every single government in the world today has a cyber exploitation program. 

Joyce has been a special assistant of the president and cyber security coordinator of the National Security Council in 2018, with many other responsibilities in the nation's leading e-spy agency. 

“The vast majority of those are used for espionage and intelligence purposes, but… there is interest in dabbling in offensive cyber and outcomes. The difference between the top of the list and the bottom of the list, usually, is scale,” stated Joyce. 

There are some “high-end, sophisticated small actors, but they’re confined to whatever that national interest is that they’re aimed at so we see less of them.” 

Joyce also gave his evaluated statements on the so-called "Big Four" and the latest internet business of the foreign states who were historically the digital opponents of America — Russia, China, Iran, and North Korea. 

Starting with Russia he said that, it's the distressing force. Often they attempt not to boost their activities but to pull others down. They are still extremely active in intelligence-gathering efforts targeting vital infrastructure and countries. The problem is that they employ disruptive effects all around the world aggressively. The organization saw indications of U.S. vital infrastructure pre-positioning. For this everyone must strive against every item that can't be permitted. 

Further, talking about China he noted that, Chinese is off the charts, considering the scale and scope. The number of cyber actors from China is growing all over the world. NSA respected them less than that from four or five years ago to the present day, the changes as perceived. They have always been wide, loud, and boisterous, and what the organization discovers, the elite in that group is the elite if one has such a vast resource base. 

“The high end of the Chinese sophistication is really good. We’ve got to continue to understand, disrupt and then find ways across the whole of that technology to kind of push back… Yes, defense is really important, but you also have to work to disrupt so that’s the continuous engagement strategy out of the [Defense Department] and the idea that we got to put sand and friction in their operations, so they don’t get just free shots on goal,” he added. 

Later he made statements about Iran saying that Iran is still operational in cyber activities. Certainly, they were the first and foremost nation when everyone spoke of a bank distributed denial of service operations and the Shamoon Wiper malware. However what NSA observed is that they often concentrate very much on regional matters, at present. Their attention was not as broad on the impact. But they are capable, especially because their decision is less judgmental, and most crucially because it is a realistic measure. Iran sometimes does not appreciate how much it has done to, or has gone far as to arouse the wrath and concern of the larger community. 

Lastly, he told that North Korea remains extremely focused on the regime's income creation, as North Korea can not be affected even with several sanctions. They, therefore, had to develop ways to create cash, trade and realized that it is simpler to steal Bitcoin than to steal from Bangladesh Bank. They didn't attack the largest banks as hard, since in the crypto realm they made their required money. 

“The commercial firms were dealing with a lot of North Korean issues back when the [Covid-19] vaccine was an issue; they were going after the intellectual property of vaccine makers. So, still active, still a threat, very capable but mostly focused on crypto exchanges and creating money.” He added. 
Read more »
Supply Chain Attack
Cyber Attacks Iran Israel Siamesekitten Supply Chain Attack

Siamesekitten Launches New Operations Against Israeli Organizations


 


To mask their actual objectives, hackers affiliated with the government of Iran have concentrated their offensive efforts on IT and communications businesses in Israel. Ever since least 2018, operations have indeed been ascribed to the APT group of Iranians known as Lyceum, Hexane, and Siamesekitten. 

At the epicenter of a cyberattack on the supply chain, IT and communications companies in Israel has been led by Iranian threat actors who have impersonated businesses and their HR professionals to target victims with fraudulent employment proposals to infiltrate their systems and obtain access to the firms' customers. ClearSky claimed that the cyberattacks on IT and telecom firms are designed to make supply chain attacks on its customers simpler.

The operations, which took place in two phases in May and July 2021, are connected with the hacking group Siamesekitten, which has mainly pinpointed the Middle East and African oil, gas, and telecommunications suppliers. The attackers coupled social engineering technology with an enhanced malware version to provide remote access to the affected machine. 

In one case, the cybercriminals used the username of a former HR manager of ChipPC company to construct a fraudulent LinkedIn profile, a strong indication that the hackers had been doing their research even before the campaign was launched.

In addition to using Lure documents as the initial vector of attacks, its network comprised the establishment of fraudulent websites, which imitated the impersonation of the organization, and the creation of false LinkedIn profiles. The bait files take the shape of a macro-embedded Excel table, detailing alleged job offers and of a portable (PE) file containing a 'catalog' of products utilized by the impersonated firm. 

"This campaign is similar to the North Korean 'job seekers' campaign, employing what has become a widely used attack vector in recent years - impersonation," the Israeli cybersecurity company said. "The group's main goal is to conduct espionage and utilize the infected network to gain access to their clients' networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware." 

Whatever file the victim downloads, the attack chain is completed with a C++-based Milan backdoor installation. The attacks against Israel's enterprises in July 2021 are especially noteworthy since Milan had been substituted by the threat player with a new installation named Shark, written in.NET.
Read more »
Wiper
Hackers Iran Iranian railway malware Wiper

Wiper Malware Used in Attack Against Iranian Railway

 

The cyber-attack that crippled Iran's national railway system at the beginning of the month was caused by a disk-wiping malware strain called Meteor, not a ransomware attack, as per the research published by security firms Amnpardaz and SentinelOne. 

According to Reuters, the attack caused train services to be affected as well as the transport ministry's website to fall down. But the assault wasn't simply meant to cause havoc. A number for travelers to contact for further information about the difficulties was also put into displays at train stations by the attackers. 

As per Juan Andres Guerrero-Saade, Principal Threat Researcher at SentinelOne, this is the first time this malware has been used and also stated Meteor is yet to be linked to a previously identified group. 

Meteor malware: A part of a well-planned attack

The Meteor wiper was precisely one of three components of a broader malware arsenal placed on the systems of the Iranian railway computers on July 9, according to the firm's research. 

The attacks, which SentinelOne tracked under the codename of MeteorExpress, and led to trains being canceled or delayed across Iran, involved: 
1.Meteor – malware that wiped the infected computer’s filesystem. 
2.A file named mssetup.exe that played the role of an old-school screen locker to lock the user out of their PC. 
3.And a file named nti.exe that rewrote the victim computer’s master boot record (MBR). 

Although Guerrero-Saade did not state how or where the attack began, he did mention that once inside a network, the attackers utilized group policies to deploy their malware, deleted shadow volume copies to stop data recovery, and disconnected infected hosts from their local domain controller, to avoid sysadmins from quickly fixing infected systems. 

Infected computers' filesystems were deleted after the attack, and their displays flashed a message instructing victims to contact a phone number associated with Supreme Leader Ayatollah Ali Khamenei's office, all as a prank from the attackers' perspective. 

The MeteorExpress campaign and wiper assaults appeared to be a witty prank directed at Iranian government officials, the malware employed was not. Meteor and all of the other MeteorExpress elements comprised "a bizarre amalgam of custom code," according to Guerrero-Saade, that combined open-source components with old software and custom-written parts that were "rife with sanity checks, error checking, and redundancy in accomplishing its goals." 

The Meteor code included some of the same features as the screen-locking component or the adjacent deployment batch scripts. The SentinelOne researcher stated, “Even their batch scripts include extensive error checking, a feature seldom encountered with deployment scripts.” 

While certain sections of the malware looked to have been developed by a skilled and professional developer, Guerrero-Saade also notes that the MeteorExpress attack's irregular nature indicates the malware and the overall operation were cobbled together in a hurry by several teams.

SentinelOne stated it's unknown if Meteor was put together especially for this operation or if we'll see the malware strain in a different form in the future because it was assembled just six months before the attack on the Iranian railway system.
Read more »
Train
Cyber Attacks Iran Iranian railway IRNA Train

Cyber-Attack by Hackers Disrupt Iranian Railway System

 

On Saturday 10th of July, just after a cyber interruption in IRNA's computing devices, the official IRNA media outlet announced that Iran's Transport and Urbanization Ministry websites were out of operation. 

A day earlier, on Friday 9th of July, Iranian railways seemed to have been cyber-attacked, involving posts on notice boards at stations around the country concerning supposed train delays and cancellations. Tracking trains electronically throughout Iran is claimed to have been unsuccessful. 

The attackers published "long-delayed because of cyberattack" and "canceled" remarks on the display boards. They further appealed to the passengers to request information and also listed the telephone number of - Ayatollah Ali Khamenei, the country's supreme leader. 

The Fars media outlet claimed that the intrusion resulted in "unprecedented chaos" at railway stations. Although Iran's national railway company denied the claims of being hit by a cyberattack, on Saturday 10th of July.

It seems that at least a month earlier, the intruders had accessed the system. In the first report, hundreds of railroad activities were retarded or canceled, with thousands of passengers being stuck. 

The Iranian national railroad website was not operational, although whether the administration or the hackers took it down is still unclear. 

Likewise, attackers had previously controlled announcements at two airports and placed anti-government advertisements, further it was also not evident whether a message posted on the station notification board was from officials or was put by hackers. 

According to Iran International, “The number might belong either to the office of President Hassan Rouhani or Supreme Leader Ali Khamenei. It is not clear if hackers have posted the information or the authorities.” 

Additionally, the newspaper comments that Iran “periodically becomes a target of hackers from other countries, particularly Israel.” 

Israel is primarily responsible for a blackout at Iran's Natanz atomic plant in April 2021– particularly in the Israeli media. Nothing has been done by Israel or Iran to combat such vital Middle East infrastructure attacks. 

The potential of state participation is established by the absence of any evident financial motive – indicating either a state or an activist's objective. 

Iran International revealed additional information on the rail attack on Sunday 16th of July 2021 from “an information security officer at the presidential administration.” The attackers entered the system at the beginning of June and had prepared the payload from late June itself. 

After access had been acquired by the attackers, the loading protocols and user passwords start to be altered. Perhaps it barred administrators from remotely accessing the system and deactivated retrieval systems. 

In recent times, Iran has indeed been the source and objective of cyber-attacks – some of which are probably state-sponsored, impeding its efforts to produce nuclear fuel.
Read more »
US
Cyber Attacks Hackers Iran Iran hackers US

Iranian Hackers Attacked Websites of an African Bank and US Federal Library

 

According to Iran Briefing, hackers posing as Iranians targeted the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, by posting pro-Iranian remarks and graphics. 

The website of Sierra Leone Commercial Bank was found to be "H4ck3D IRANIAN HACKER" in Google search results. 

The words "hacked by Iranian hacker, hacked by shield Iran" were written in Twitter screenshots on a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike. 

According to CBC News, the library program's website was updated with a bloodied picture of US President Donald Trump being punched in the face, as well as a message is written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!" 

A spokesman from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency verified the incident. Though the hack has still proven to be the activity of Iranian state-sponsored actors. 

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging”. 

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US could be a possible retaliation. 

It's unclear whether the hackers had a government position or had any connection to Iran. The hack occurs at a time when tensions between the US and Iran are still high following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2. 

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.
Read more »
User Security
Data Breach Database Leaked Iran User Data User Privacy User Security

Raychat App Suffered a Data Breach of 150 Million Users

 

Around 7:20 a.m. on Monday, May 3, 2021, the database was first made public on a prominent Russian hacker website. It was unclear if these documents were stolen from the Raychat app's servers or whether they were a result of a recent data breach, which occurred on January 31st, 2021, as a consequence of a misconfigured database discovered by IT security researchers Bob Diachenko. 

Diachenko posted a series of tweets about the Raychat application on Twitter. He said that a misconfigured server leaked the entire database of the Raychat app. According to the researcher, the database contained over 267 million accounts with information such as addresses, addresses, passwords, metadata, encrypted messages, and so on. 

He also claimed that he had not received a response from the organization after Diachenko received a response from an Iranian Twitter user. He shared a screenshot of a tweet from the Raychat app confirming that no data had been compromised. 
 
The data was allegedly leaked by a threat actor on a well-known hacker website, Raid Forum. He said that they downloaded the data until the meow attack erased it. The data seems to be genuine, and millions of Iranians' personal information has been made public. The leaked data includes names, IP Addresses, email addresses, Bcrypt passwords, Telegram messenger IDs, etc.

Despite the fact that Iranian hackers have been blamed for increasingly advanced attacks against their adversaries, Iranian civilians have been one of the most overlooked victims of data breaches in recent years. For example, a database allegedly belonging to the Snapp app (Iranian Uber) leaked "astonishingly sensitive details" of millions of users on an unreliable MongoDB server in April 2019. 

52,000 Iranian ID cards with selfies were sold on the dark web in April 2020 and later leaked on the open web. The personal information and phone numbers of 42 million Iranians were sold on a hacker forum in March 2020. The database was first revealed on an Elasticsearch server by a misconfigured database. 

It's now up to the victims to be more cautious. They should be wary of email-based phishing attacks. Users should not click on links in texts or emails because they could be scams. By breaking into a user's phone, they could further intrude on their privacy.
Read more »
Nuclear Terrorism
Blackout Cyber Attacks Iran Israel Natanz Nuclear Plant Nuclear Terrorism

Iran Natanz Nuclear Facility Struck by a Blackout Labelled as an Act of “Nuclear Terrorism”

 

On Sunday 11th of April, just hours after newly developed centrifuges, which could enrich uranium faster were launched in Iran, the underground nuclear facility of Natanz lost its control. Iran labeled the blackout as an act of "nuclear terrorism." It raised regional tensions on Sunday as the world powers proceed to negotiations over Tehran's tattered nuclear deal. 

Amid arbitration over the troubling nuclear agreement with the world powers, this is the most recent event. As Iranian officials examined the failure, several news organizations in Israel speculated that this was a cyber-attack. Although the reports did not include an evaluation source, the Israeli media have close ties with the military and intelligence agencies of the country. 

If Israel triggered the blackout, the strains between the two countries which were already involved in the shadow conflict over the wider Middle East would now be increased. The USA, Israel's primary security partner, has also been complicating attempts to re-enter the nuclear agreement to restrict Tehran so that a nuclear weapon couldn't be pursued if the US so wishes. U.S. Defence Secretary Lloyd Austin arrived in Israel on Sunday when reports about the blackout came up for talks with Netanyahu and Israeli Defence Minister Benny Gantz.

Civil program spokesperson for nuclear programs Behrouz Kamalvandi told Iranian state TV that power in Natanz has been cut across all the installations which include above-ground workshops and underground halls. “We still do not know the reason for this electricity outage and have to look into it further,” he said. “Fortunately, there was no casualty or damage and there is no particular contamination or problem.” 

Malek Shariati Niasar, a Teheran-based politician who has been serving as spokesman on the Iranian energy committee, posted on Twitter that the incident seemed ‘very suspicious.’ He even said that lawmakers are looking for further information. The International Atomic Energy Agency in Vienna, which monitors the Iranian program, said that it was "aware of the media reports" but still did not elaborate on it. 

Tehran has scrapped all restrictions off its uranium stock after President Donald Trump withdrew from the Iran nuclear agreement in 2018. It now enriches up to 20% purity, a technological move away from 90% firearms. Iran maintains a peaceful nuclear policy. 

Natanz was primarily constructed underground to resist enemy airstrikes. In 2002, when satellite images depicted Iran constructing its underground centrifugal plant on a location some 200 km to the south of Tehran, it became a flashpoint for Western fears of Iran's nuclear program. At its sophisticated centrifuge assembly plant in July, Natanz encountered a mysterious explosion that the officials later identified as sabotage. Now Iran is reconstructing deep inside a nearby mountain to recreate the facility. 

Kan, a Public broadcaster , said Israel would probably have been behind the attack, referencing Israel's supposed responsibility for the attacks in Stuxnet a decade ago. Though no source or description of how this was evaluated was included in any of the reports.
Read more »
malware
Cyberespionage Operation Foudre & Tonnerre Iran malware

Cyber-Surveillance Operation Resumed by Iran After a Long Break

 

Iran, one of the resourceful countries in Western Asia in terms of weapons and cyber intelligence has resumed its cyberespionage operation after a two-year downtime. Cybersecurity firms SafeBreach and Check Point directed joint research to discover an Iran-linked cyberespionage operation which has resumed with the latest second-stage malware and with an updated version of the Infy malware.

Espionage, destructive attacks, and social media manipulation- three major weapons of Iranian cyber capabilities, and the evidence suggest that Iran started the cyberespionage operation way back in 2007. For the first time, in 2016 the details regarding this operation were disclosed, Foudre a type of malware was used in these operations, and by 2018 it was updated eight times.

In the fast half of 2020, the operation was resumed with the latest versions of Foudre (versions20-22) and with new documents that were designed to tempt the victims and to execute the malicious code when closed. Following the execution of malicious code Foudre links to the command and control (C&C) server and fetches a new part of the malware, called Tonnerre.

According to the cybersecurity experts, Tonnerre is designed to expand the capabilities of Foudre but it is released as a different component. Foudre may only be deployed when the situation is out of control and it poses as legitimate software that can steal files from corrupt machines, can execute commands received from the C&C server, record sound and capture the screenshots.

Domain Generating Algorithms (DGA) are used by Tonnerre to link to the C&C which then stores data about the target, steal files, download updates and get an additional C&C. Both HTTP and FTP are used by Tonnerre to communicate with the C&C server. During the investigation, SafeBreach and Check Point spotted two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). While, Romania, India, Russia, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each.

Last week, Check Point reported that the Iranian government has targeted more than 1,200 citizens in extensive cyber-surveillance operations. A blog post containing details on both Foudre and Tonnerre read, “it seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities”.
Read more »
UAE
Cyber Attacks Iran Middle East UAE

UAE Faces Cyber Pandemic, Cyberattacks In The Middle East On The Rise


The Middle East is suffering a "cyber pandemic" crisis due to coronavirus-themed cyberattacks on the rise this year, says Mohamed al-Kuwaiti, United Arab Emirates government's cybersecurity chief. Moving into a full online life, UAE witnessed an increase in cyberattacks, he further says. The UAE saw a record 250% increase in cybersecurity attacks in 2020. The pandemic compelled companies across the globe to look inside assess their assets, as criminal actors preyed on the digital world. 

"Al Kuwaiti said discussions were ongoing regarding lifting the ban on some Voice over Internet Protocol (VoIP) services in the UAE, such as WhatsApp and FaceTime calling," reports CNBC. Al Kuwaiti says that UAE became a primary target of attacks by the activists when it recently tied formal relations with Israel. Criminals targeted health and financial sectors in particular. The news provides a more in-depth insight into the troublesome cybersecurity challenges UAE and Middle East faces. In these regions, cyberattacks and breaches are prospering; most of these state-sponsored and undetected. According to Al Kuwaiti, various sources were behind this attack. Although the attacks come from all over the region, the main actor is Iran, he says. 

The issue reveals ongoing tension in the area, whereas Iran says that it is a target of cyberattacks. However, the Iranian foreign ministry has not offered any comments on the issue. Al Kuwaiti says that "phishing" and "ransomware" attacks are on the rise; these attacks have become more sophisticated and frequent. In a phishing attack, the hacker pretends to be a legitimate person or entity and steals sensitive information from the victim. Whereas in a ransomware attack, the hacker blocks access to information and demands a ransom from the victim. 

The latest research by cybersecurity firm TrendMicro says government IT infrastructures and critical public systems have become one of the primary targets of hackers globally, with ransomware attacks in the trend. According to the report, "current malicious actors have opted to demand heftier ransoms from targets that are more likely to pay, such as healthcare companies and local governments."
Read more »
Subscribe to: Posts (Atom)