Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Iranian hackers. Show all posts
Windows
CPR Cyber Attacks Hacker attack Hacking Iranian hackers Isreal Linux Public Networks Windows

Iranian Hacker Group Void Manticore Linked to Destructive Cyber Attacks on Israel and Albania

 

A recent report from Check Point Research (CPR) has unveiled the activities of an Iranian hacker group known as Void Manticore, which has been linked to a series of destructive cyber attacks on Israel and Albania. Affiliated with Iran’s Ministry of Intelligence and Security (MOIS), Void Manticore operates alongside another Iranian threat actor, Scarred Manticore, to carry out these attacks. 

The group employs various online personas, such as "Karma" for attacks in Israel and "Homeland Justice" for those in Albania. Their tactics involve gaining initial access to target networks using publicly available tools and deploying custom wipers to render data inaccessible on both Windows and Linux systems. CPR’s analysis details a systematic collaboration between Void Manticore and Scarred Manticore. Initially, Scarred Manticore gains access and exfiltrates data from targeted networks. 

Control is then transferred to Void Manticore, which executes the destructive phase of the operation. This strategic partnership amplifies the scale and impact of their cyber attacks. The report underscores the similarities in the attacks on Israel and Albania, including the exploitation of specific vulnerabilities for initial access, the use of similar tools, and the coordinated efforts between the two groups. These overlaps suggest a well-established routine for the Iranian hacker groups. 

Void Manticore's toolkit includes several custom wipers, such as the CI Wiper, Partition Wipers like LowEraser, and the recently deployed BiBi Wiper, named after Israeli Prime Minister Benjamin Netanyahu. These wipers specifically target files and partition tables, using advanced techniques to corrupt files and disrupt system functionality. 

The revelation of Void Manticore's activities and its collaboration with Scarred Manticore underscores the growing sophistication and coordination of state-affiliated cyber threat actors. The combined use of psychological tactics and destructive malware represents a significant escalation in cyber warfare, posing substantial risks to national security and critical infrastructure. 

As these cyber threats continue to evolve, it is imperative for nations and organizations to strengthen their cybersecurity defenses and enhance their capabilities to detect, mitigate, and respond to such sophisticated attacks. The report from CPR serves as a crucial reminder of the persistent and evolving nature of cyber threats posed by state-affiliated actors like Void Manticore and Scarred Manticore.
Read more »
Threat Intelligence
Cyber Attacks Defence System Iranian hackers Iron Dome Threat Intelligence

Iranian Hacker Group Blast Out Threatening Texts to Israelis

 

Handala, an Iranian cyber outfit, has claimed to have taken down the Iron Dome missile defence system and breached Israel's radars. 

A major cyber attack is believed to have unfolded when the Handala hacking group, which is renowned for targeting Israeli interests, broke through Israel's radar defences and bombarded Israeli citizens with text messages. 

The criminal group claimed it had broken into the radar systems and delivered 500,000 text messages to Israeli civilians with an urgent reminder that Israel has a short window of time to fix the breached systems. 

Handala's hack on Israel has been extensive, encompassing cyberattacks on radar and Iron Dome missile defence systems. Rada Electronics, a defence technology firm associated with Israel's objectives, reportedly fell prey to Handala's intrusion, with leaked dashboard images purporting to validate the hack. 

The Cyber Express, a local media outlet, contacted Rada Electronics to verify the claims of this intrusion. However, as of this writing, no official comment or answer has been issued. Furthermore, a service provider in charge of Israeli consumer alerts and Israel's Cyber Security College allegedly suffered significant data breaches, resulting in terabytes of exposed information. 

History of Handala hacker group 

As a pro-Palestian outfit, the hackers behind it were inspired by Handala, a key national emblem of the Palestinian people. Naji al-Ali, a political cartoonist, invented the figure Handala in 1969 and it took on its current shape in 1973.

It represents the spirit of Palestinian identity and struggle, which al-Ali frequently depicts in his cartoons. Handala, named after the Citrullus colocynthis plant found in Palestine, represents resilience, with strong roots and bitter fruit that regrows when cut. 

Since al-Ali's assassination in 1987, Handala has been a significant symbol of Palestinian identity, displayed frequently on walls and buildings throughout the West Bank, Gaza, and Palestinian refugee camps. It has also been popular as a tattoo and jewellery symbol, and it has been adopted by movements such as Boycott, Divestment, and Sanctions, as well as the Iranian Green Movement, which is now known as the Handala hacker group. 

Handala's characteristic posture, with the back turned and hands linked behind, represents a rejection of imposed solutions and sympathy with the marginalised. The character, who continues to be 10 years old, represents al-Ali's age when he left Palestine, and embodies the desire to return to his homeland.

Furthermore, the inspired hacking group claimed several such attacks to preserve its identity as a Palestinian supporter. Although official Israeli sources have yet to validate Handala's claims, security experts in Israel have expressed concerns about the likelihood of Iranian cyberattacks on critical national infrastructure.
Read more »
MySQL
Cyber Security FBI Iranian hackers Log4j MySQL

FBI Warns of Hack Operations From Iranian Hackers

The FBI cautions that the Iranian threat group Emennet Pasargad may conduct hack-and-leak activities against US interests, precisely the November midterm elections, despite the group's primary focus on attacking Israeli leaders.

The US Treasury announced penalties over five Iranians and Emennet Pasargad, the firm they worked for, in November 2021 after the US issued a warning in November 2020 that Iranian hackers had taken advantage of known weaknesses to acquire voter registration data.

According to the information from the FBI, Emennet has been targeting organizations, primarily in Israel, with cyber-enabled information operations since at least 2020. These operations included an initial intrusion, data theft, and subsequent leak, followed by attenuation through online and social media forums, and in some cases, the implementation of destructive encryption malware.

The gang also targets businesses with PHP-powered websites or MySQL databases that can be accessed from the outside. The FBI claims hackers frequently launch attacks using open-source software for penetration testing.

The Bureau claims that Emennet executes false-flag attacks against Israel using online personas like hacktivists or cybercriminal groups. It warns that the company may use the same strategies to target US entities. The majority of the measures mentioned in the report were ones the group employed in the 2020 U.S. Presidential election.

The FBI issued a warning, stating that the gang would 'probably' target popular content-management tools like Drupal and WordPress. The infamous Log4j vulnerability has also been used by Emennet in cyberattacks on at least one U.S.-based company.

Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, two Iranian consultants who started working for Emennet Pasargad, initiated several operations intended to sow discord and undermine voters' confidence in the American electoral process, were the subject of a $10 million reward offered by the U.S. State Department in February.

Although still at large, Kazemi and Kashian are thought to be in Iran. The FBI's list of cyber criminals wanted now includes the two as well. The FBI also provides organizations with advice on how to reduce the risk posed by Emennet and a list of tactics, methods, and procedures (TTPs) related to the group.


Read more »
User Privacy
Android Users Iranian hackers Mobile Security Spyware User Privacy

Iranian Hackers Employ Novel RatMilad Spyware to Target Enterprise Android Users

 

Earlier this week, threat analysts at mobile security firm Zimperium Inc. zLabs detailed a newly unearthed form of Android spyware leveraged to target enterprise devices in the Middle East. 

Dubbed “RatMilad,” the original version of the spyware was identified as concealing behind a VPN and phone number spoofing app called Text Me. After discovering the spyware, the researchers also spotted a live sample of the malware family distributed through NumRent, an updated version of Text Me.

According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app via links on social media and communication tools like Telegram, luring unsuspecting users into sideloading the app and granting it extensive permissions. Moreover, fraudsters have designed a product website to distribute the app and trick users into believing that it is an authentic app. 

Since the malicious app can trick users into obtaining a broad range of permissions, it can gain access to sensitive device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages. 

"Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta stated.

Additionally, the hackers can access the camera and microphone of the device, which allows them to record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write activities. 

The scale of the infections is unknown, but the cybersecurity firm said it identified the spyware during a failed compromise attempt of a user's enterprise device. A post published on a Telegram channel employed to distribute the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited range.

"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, explained. From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix." 

Prevention tips 

The easiest method to avoid falling victim to fake Android apps employed to propagate spyware and malware is to download new apps from official app stores like the Google Play Store, the Amazon Appstore, and the Samsung Galaxy Store. 

Additionally, the users are recommended to scan the app that is sideloaded onto a device and increase the mobile attack surface leaving data and users at risk.
Read more »
Mandiant Threat Intelligence
Cyber Security Iranian hackers Mandiant Threat Intelligence

Iranian Hackers Allegedly Exploiting Israeli Entities

Mandiant has been analyzing UNC3890, a group of hackers that uses social engineering lures and a possible watering hole to target Israeli maritime, government, energy, and healthcare institutions, for the past year.

With a major emphasis on shipping and the current marine war between Iran and Israel, Mandiant estimates with a low degree of confidence that this actor is connected to Iran. Although experts believe this actor is primarily interested in gathering intelligence, the data is used to assist a range of actions, from hack-and-leak to enabling kinetic warfare strikes like those that have recently hit the marine sector. 

According to John Hultquist, vice president of threat intelligence at Mandiant, "the maritime industry or the global supply chain is highly vulnerable to disruption, especially in countries where a state of the low-level conflict already exists."

Luring method 

Watering holes and data theft have been the primary entry points for UNC3890. The latter collected passwords and sent phishing lures using the group's C2 servers, which it posed as reputable services. 

The servers display false job offers and bogus advertising, and fake login pages for services like Office 365 and social media sites like LinkedIn and Facebook.

Additionally, the researchers discovered a UNC3890 server that included Facebook and Instagram account data that had been spoofed and might have been utilized in social engineering attempts.

A.xls file posed as a job offer but intended to install Sugardump—one of two distinct tools being utilized by the hackers —was probably one potential phishing lure employed by the attackers. 

A credential harvesting program called Sugardump can get passwords out of Chromium-based browsers. The second device is called Sugarush, a backdoor that may be used to connect to an implanted C2 and run CMD instructions. 

A reverse shell is established over TCP using Sugarush, as per experts, they call it "a modest but efficient backdoor." It scans for internet access. If connectivity is possible, Sugarush creates a fresh TCP connection via port 4585 to a built-in C&C address and waits for a response. The response is treated as a CMD command that should be executed.

Other tools utilized by UNC3890 include Metasploit, Northstar C2, and Unicorn (a tool for running a PowerShell downgrade attack and injecting shellcode into memory.)

Sugardump was discovered in several forms. The earliest includes two variations and dates until early 2021. This initial version merely keeps login details without exposing them. It might be partial malware or software made to work with other tools to exfiltrate data.

The second variant, which was created in late 2021 or early 2022, uses SMTP for C2 communication and Yahoo, Yandex, and Gmail accounts for exfiltration. The researchers make a connection between a specific phishing appeal and a social engineering movie that has an advertisement for an AI-powered robotic doll.





Read more »
Proofpoint
APT attacks China Cyber Attacks Iranian hackers Lazarus Group Malicious Emails Proofpoint

Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.
Read more »
Travel Company
Black Shadow Check Point Cyber Attacks Iranian hackers Israel Travel Company

Iranian Hackers: Israeli Tourism Sites Targeted

A malware targeted websites for the Israeli public transportation companies Dan and Kavim, a children's museum, and a public radio blog. Reportedly, none of the sites were reachable to users by Saturday noon.

On Tuesday, the Sharp Boys hacking group claimed to have stolen data from Israeli travel websites, including ID numbers, addresses, credit card details, and etc.

Websites were compromised 

As per hackers, the affected websites are hotels.co.il, isrotel.com, minihotel.co.il, tivago.co.il, and danhotels.com. Tuesday morning, according to the company, hotels.co.il was inaccessible, however by Tuesday afternoon, the site had loaded. 

"Hello once more! If you don't want your data disclosed by us, contact us as soon as possible," on Friday night, the hackers posted a message on Telegram. A follow-up message stated: "They did not get in touch with us, the first list of data is here " the group said, posting the data online.

Later on Saturday, the gang uploaded what it claimed to be information about customers of the Dan transportation company and a travel agency in a new message that claimed to have more data. "You are under our control no matter where you go, even on your travels. Please keep our name in mind." In an image shared on a Telegram account, Sharp Boys made the statement. 

Everything to know about Sharp Boys cyber gang

According to Israeli media, Sharp Boys is a hacking group with links to Iran that conducts cyber espionage for illicit purposes. 

The Sharp Boys hacker group first appeared in December when it claimed to have affected two Israeli hiking websites. They also claimed to have taken control of the website's backend administration and released a spreadsheet that contained the personal data of 120,000 people. 

In December last year, the group hacked into the Shirbit insurance company in Israel and stole vast volumes of data. When the company declined to pay the $1 million ransom demand, it exposed the data. A spreadsheet that contained personal data and credit card details for 100,000 people was released.

According to a report released on Tuesday by the Israeli cybersecurity firm Check Point, the average weekly number of assaults on businesses in the travel and leisure industry increased globally by 60% in June 2022 compared to the first half of June 2021.
Read more »
Ransomware Attacks.
APT actors Cyber Attacks DLL Fortinet Iranian hackers Log4Shell Microsoft Exchange Server Ransomware Attacks.

Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access routes are enabled by scanning internet-facing servers for web shells and exploiting them as a route to move laterally and activate the ransomware, which is vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers. 

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence. 

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulating of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.
Read more »
Subscribe to: Posts (Atom)