Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Middle East. Show all posts
Ransomware
APT Group CISA Cyber Security Hacking Middle East OilRig Ransomware

New Cybersecurity Threat for the Middle Eastern Countries: OilRig Malware

 



Cybersecurity experts say that there is a new threat against Middle East organisations, and more specifically within the United Arab Emirates, and other Gulf countries. There is an Iranian gang cybercrime known as OilRig that aims to hunt login credentials for access into several organisations and personal systems, with a focus on infiltration of key infrastructures within the region.


Role of OilRig in Attacks

OilRig is another notorious state-sponsored hacking group. At other times, it was known by the designations APT43 and Cobalt Gipsy. Its origins date back to Iranian government sponsorship. And in previous campaigns, OilRig has mainly focused on exploiting exposed servers with web shells - a category of malicious software. This gives attackers the ability to take control of an affected server remotely and run PowerShell scripts from it. As such, such a gain in access allows it to facilitate attackers in finding deeper access into the system.

Once the group fully takes over the system, they exploit the flaw CVE-2024-30088. Microsoft discovered that it had patched this security vulnerability in June 2024 for the Windows operating system. This allows the attackers to elevate their privilege, which gives attackers access to the forbidden areas of the system, thus limiting their operations. According to Microsoft, this is a high-risk vulnerability with a base score of 7.0.


How the Malware Works

This attack utilises a malware referred to as STEEL HOOK, that is a very sophisticated piece of malware. STEALHOOK gathers sensitive information from the infected systems. It tumbles the gathered data with other legitimate data that would aid in its undetected operation. Then, it sends it back to the attackers using an Exchange server. This exfiltrated the data, keeping it hidden from cybersecurity defences. Since it moves as traffic, the attackers subtly can extract sensitive information without immediately causing an alarm.


Ties to Ransomware and Other APT Groups

OilRig's operations closely relate to another Iranian threat group known as FOX Kitten, which is particularly infamous for ransomware campaigns. These connections suggest a broader strategy by Iranian hacking groups in targeting and disrupting key industries, with a specific focus on the energy sector. According to Trend Micro, most of OilRig's targets fall in the energy sector; disruption in such industries could have ripple effects at regional and global levels. This sector is also important, and any extended interference could seriously affect daily life because energy supply lines take such a large part of this region's infrastructure.


Vulnerability Not Yet Flagged By CISA

Shockingly though there is a belief that this flaw is already being exploited, the United States Cybersecurity and Infrastructure Security Agency (CISA) has yet to include CVE-2024-30088 in the Known Exploited Vulnerabilities catalogue. Therefore, for organisations to decide and focus on patching the exploited vulnerabilities used by hackers, this catalogue becomes highly important. Its absence on the list means that there still exists an increased need for a general awareness of the threat and hence affected organisations need to patch up their systems actively.

Among the many malware campaigns that have lately been in view targeting the Middle East, OilRig seemed to reflect the rising complexity and frequency of cyber attacks. In fact, energy sector organisations need to be highly aware of such sophisticated attacks. Ultimately, the case of exploitation involving CVE-2024-30088 would reflect critical and constant risks given by state-sponsored cyber criminals. Meanwhile, it emphasises the advisability of timely software updates and the need for strong cybersecurity measures against unauthorised access and data theft.

In that respect, there is a call for protection of the information systems companies have from these advanced threats from corporate and individual entities. In this respect, OilRig can be prevented through great proactive steps and awareness in preventing these powerful cyberattacks from taking their worse course of follow-up actions.


Read more »
VPN
Data Leak malware Middle East Palo Alto VPN

Threat Actors Install Backdoor via Fake Palo Alto GlobalProtect Lure

 

Malware disguising itself as the authentic Palo Alto GlobalProtect Tool is employed by malicious actors to target Middle Eastern firms. This malware can steal data and run remote PowerShell commands to further penetrate company networks. A reliable security solution from Palo Alto Networks that supports multi-factor authentication and offers secure VPN access is called Palo Alto GlobalProtect. 

The tool is frequently used by businesses to guarantee that partners, contractors, and distant workers may securely access private network resources. By utilising Palo Alto GlobalProtect as bait, it is evident that attackers target high-value business entities that use enterprise software, as opposed to random users.

Trend Micro researchers have not been able to figure out how the malware is delivered, but based on the bait employed, they believe the attack begins with a phishing email. It checks for indicators of running in a sandbox before executing its main code. Then it sends profile information about the compromised system to the command and control (C2) server. 

As an additional evasion layer, the malware encrypts the strings and data packets that will be exfiltrated to the C2. The C2 IP detected by Trend Micro used a newly registered URL containing the "sharjahconnect" string, making it appear to be a legal VPN connection portal for Sharjah-based offices in the United Arab Emirates. Given the campaign's targeting scope, this choice allows the threat actors to blend in with normal operations while minimising warning signs that could raise the victim's suspicion. 

Using the Interactsh open-source tool, beacons are sent out at regular intervals to communicate the malware status with threat actors during the post-infection phase. While Interactsh is a legal open-source tool employed by pentesters, its linked domain, oast.fun, has already been spotted in APT-level operations, such as the APT28 campaigns. However, no attribution was provided in this operation involving the Palo Alto product lure. 

The following commands were received from the command and control server: 

  • time to reset: Stops malware operations for a specified duration. 
  • pw: Implements a PowerShell script and sends the result to the hacker's server.
  • pr wtime: Reads or writes a wait time to a file. 
  • pr create-process: Starts a new process and returns the output.
  • pr dnld: Downloads a file from a specified URL. 
  • pr upl: Uploads a file to a remote server. 
  • invalid command type: Returns this message if an unrecognized or erroneous command is encountered.

Trend Micro reports that, while the attackers are unknown, the operation looks to be highly targeted, with unique URLs for the targeted companies and newly established C2 domains to avoid blocklists.
Read more »
Trend Micro
Africa APT41 Cyber Security Cybersecurity Earth Baku Europe malware Middle East sophisticated attacks Threat actor Trend Micro

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tools, tactics, and procedures (TTPs) in more recent campaigns. The group utilizes public-facing applications such as IIS servers as entry points for attacks, subsequently deploying sophisticated malware toolsets on the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.
Read more »
Middle East
Blockchain Blockchain Security Blockchain Technology Customs and Excise Act Cyber Security Data Management Dubai Middle East

Dubai Customs Introduces Blockchain Platform to Streamline Commerce

 

Dubai Customs has recently unveiled a new blockchain platform aimed at streamlining commercial activities in the region, reinforcing its status as a technology-forward market. This initiative seeks to address and overcome obstacles hindering entrepreneurship in Dubai by leveraging blockchain technology to enhance transparency and facilitate secure data sharing. 

The newly introduced platform promises to offer secure and cost-effective solutions along with technology-driven logistics initiatives. Sultan Ahmed bin Sulayem, Chairman of Dubai’s Ports, Customs, and Free Zone Corporation, described the platform as a significant advancement in improving business and commercial operations in Dubai. “We are confident that the adoption of modern technologies such as blockchain will greatly contribute to enhancing the business environment and solidifying Dubai’s position as a key global trade hub,” Sulayem stated. 

Blockchain technology, or distributed ledger technology, distributes data across multiple nodes, thus avoiding centralization on a single server as seen in traditional systems. This feature significantly enhances security by making it difficult for malicious actors to infiltrate the network. Additionally, any information stored on blockchain networks is immutable, promoting transparency in business operations. 

Dubai officials are also keen on utilizing other blockchain features such as live tracking of goods and preventing fraud and counterfeiting. This is not the first time Dubai has explored blockchain technology. In May, a plan was revealed to position the region as one of the top ten economies proficient in metaverse technology. In a previous effort, Dubai collaborated with the Solana Foundation to establish a blockchain framework for its free economic zone, the Dubai Multi Commodities Centre (DMCC), in October 2023. This collaboration aimed to assist businesses in expanding their operations by leveraging blockchain technology. 

The new platform by Dubai Customs is expected to revolutionize the way businesses operate in the region, providing a more secure, transparent, and efficient environment for commercial activities. As Dubai continues to integrate cutting-edge technologies, it strengthens its position as a leading global trade hub and a beacon of innovation in the Middle East.
Read more »
UAE
cyber threat DDOS Attack Middle East Sensitive data Technology UAE

UAE Takes Measures to Strengthen Cybersecurity in the META Region

 



The United Arab Emirates (UAE) is emerging as a beacon of innovation and technological advancement in the Middle East, and its commitment to cybersecurity is a vital element in shaping its hyper-connected future. As the UAE's digital footprint expands, so too does the potential for cyberattacks that could disrupt critical infrastructure and compromise sensitive data.

Recent statistics reveal a concerning increase in the UAE's vulnerability to cyber threats, including ransomware and DDoS attacks. In a joint report by the UAE government and CPX security, it was found that nearly 155,000 vulnerable points exist within the UAE, with Dubai being the most concentrated area. Insider attacks, where individuals within organizations misuse their access to steal data, are also a growing concern as the country embraces cloud computing and artificial intelligence.

The financial implications of data breaches in the Middle East have also surged, with the region ranking second only to the US in terms of breach costs. The average cost of a data breach in the Middle East exceeded $8 million in 2023, highlighting the urgent need for robust cybersecurity measures. However, a critical gap remains, as nearly a quarter of oil and gas companies and government entities in the region lack dedicated cybersecurity teams.


The UAE is actively addressing these challenges through a multi-pronged approach to enhance its cybersecurity shield. Here are the top cybersecurity trends shaping the UAE's digital landscape in 2024:

1. Advanced Threat Detection: The UAE recognizes the limitations of traditional security methods and is investing in advanced threat detection systems powered by artificial intelligence (AI), machine learning (ML), and behavioural analytics. This approach enables real-time identification and response to sophisticated cyber threats.

2. Public-Private Partnerships (PPPs) for Enhanced Security: The UAE is forging partnerships between the government and private sector to create a united front against cyber threats. Collaborations with organisations like the UN's ITU and leading cybersecurity firms demonstrate a commitment to sharing expertise and resources.

3. Cloud Security on the Rise: With the increasing reliance on cloud storage and processing, the UAE is experiencing a surge in cloud security solutions. This growth is driven by investments from cloud service providers, proactive government measures, and the need for enhanced protection against cyberattacks.

4. Cybersecurity Education and Training: The UAE is investing in cybersecurity education and training programs to equip professionals with the necessary skills to combat cyber threats. From specialised courses in universities to workshops for businesses, there is a concerted effort to build a strong cybersecurity workforce in the country.

5. Zero Trust Security Model Gaining Traction: The adoption of the zero-trust security model is growing in the UAE as businesses move away from traditional network perimeters. This model constantly verifies users and devices before granting access to resources, offering enhanced security in a more open, cloud-based environment.

6. Regulatory Compliance: The UAE has implemented stringent cybersecurity regulations to safeguard critical infrastructure and sensitive data. Adhering to these regulations is mandatory for organisations operating in the country, ensuring a baseline level of cybersecurity.

7. Quantum Cryptography: The UAE is investing in the research and development of quantum cryptography technologies to protect against future cyber threats posed by quantum computers. This cutting-edge approach leverages the principles of quantum mechanics to secure communications.

8. Focus on Critical Infrastructure Protection: Protecting critical infrastructure is a top priority in the META region, with specific measures being implemented to safeguard sectors such as energy, transportation, and healthcare systems. These measures are essential for maintaining national security and ensuring the continuity of essential services.

9. Growth of Cybersecurity Startups and Innovations: The META region is witnessing a surge in cybersecurity startups that are developing tailored solutions to address regional needs. Initiatives like Dubai's Innovation Hub and Saudi Arabia's cybersecurity accelerators are nurturing a conducive environment for these startups to thrive.

10. Cyber Threat Intelligence Sharing: Sharing cyber threat intelligence is increasingly important in the META region. Governments and organisations are establishing platforms for real-time sharing of threat information, enhancing collective cybersecurity defence.

As the UAE continues to advance in AI, PPPs, and cloud security, the question remains whether these advancements will stay ahead of the ever-evolving tactics of cybercriminals. The future of cybersecurity depends on the UAE's ability to adopt cutting-edge solutions and anticipate and adapt to the next wave of threats. 


Read more »
Middle East
CR4T backdoor Cyber Attacks Cyberattack Cybersecurity evasive governments Hackers Middle East

Cyberattackers Employ Elusive "CR4T" Backdoor to Target Middle Eastern Governments

 

A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.

Kaspersky's investigation, initiated in February 2024, suggests that the operation might have been underway for at least a year prior. The perpetrators have taken sophisticated measures to evade detection, employing intricate methods to shield their implants from scrutiny and analysis.

The attack commences with a dropper, available in two versions: a standard executable or a DLL file, and a manipulated installer for a legitimate software tool called Total Commander. Regardless of the variant, the dropper's main task is to extract a concealed command-and-control (C2) address, utilizing a unique decryption technique to obfuscate the server's location and thwart automated malware analysis tools.

The decryption process involves combining the dropper's filename with snippets of Spanish poetry embedded in its code, followed by calculating an MD5 hash to decode the C2 server address. Upon successful decryption, the dropper establishes connections with the C2 server and fetches a subsequent payload, employing a hardcoded ID as the User-Agent string in HTTP requests.

Kaspersky notes that the payload remains inaccessible unless the correct user agent is provided, indicating a deliberate effort to restrict access. Additionally, the payload may only be downloaded once per victim or for a limited time following the malware's release.

Meanwhile, the trojanized Total Commander installer exhibits some variations while retaining the core functionality of the original dropper. It omits the Spanish poem strings and incorporates additional anti-analysis checks to detect debugging or monitoring tools, monitor cursor activity, check system RAM and disk capacity, among other measures.

CR4T, the central component of the campaign, is a memory-only implant written in C/C++, facilitating command-line execution, file operations, and data transfers between the infected system and the C2 server. Kaspersky also identified a Golang version of CR4T with similar capabilities, including executing arbitrary commands and creating scheduled tasks using the Go-ole library. The Golang variant employs COM objects hijacking for persistence and utilizes the Telegram API for C2 communication, indicating a cross-platform approach by the threat actors.

The presence of the Golang variant underscores the threat actors' ongoing efforts to refine their techniques and develop more resilient malware. Kaspersky emphasizes that the DuneQuixote campaign poses a significant threat to entities in the Middle East, showcasing advanced evasion tactics and persistence mechanisms through the use of memory-only implants and disguised droppers masquerading as legitimate software.
Read more »
Sensitive data
Advanced Technology Data Breach Israel-Palestine tensions Israeli spyware Malicious actor Middle East Military Intelligence Sensitive data

Israel's Intelligence Failure: Balancing Technology and Cybersecurity Challenges

On October 7, in a startling turn of events, Hamas carried out a planned invasion that escaped Israeli military detection, posing a serious intelligence failure risk to Israel. The event brought to light Israel's vulnerabilities in its cybersecurity infrastructure as well as its over-reliance on technology for intelligence gathering.

The reliance on technology has been a cornerstone of Israel's intelligence operations, but as highlighted in reports from Al Jazeera, the very dependence might have been a contributing factor to the October 7 intelligence breakdown. The use of advanced surveillance systems, drones, and other tech-based solutions, while offering sophisticated capabilities, also poses inherent risks.

Experts suggest that an excessive focus on technological solutions might lead to a neglect of traditional intelligence methods. As Dr. Yasmine Farouk from the Middle East Institute points out, "In the pursuit of cutting-edge technology, there's a danger of neglecting the human intelligence element, which is often more adaptive and insightful."

The NPR investigation emphasizes that cybersecurity played a pivotal role in the intelligence failure. The attackers exploited vulnerabilities in Israel's cyber defenses, allowing them to operate discreetly and avoid detection. The report quotes cybersecurity analyst Rachel Levy, who states, "The attackers used sophisticated methods to manipulate data and deceive the surveillance systems, exposing a critical weakness in Israel's cyber infrastructure."

The incident underscored the need for a comprehensive reassessment of intelligence strategies, incorporating a balanced approach that combines cutting-edge technology with robust cybersecurity measures.

Israel is reassessing its dependence on tech-centric solutions in the wake of the intelligence disaster. Speaking about the need for a thorough assessment, Prime Minister Benjamin Netanyahu said, "We must learn from this incident and recalibrate our intelligence apparatus to address the evolving challenges, especially in the realm of cybersecurity."

The October 7 intelligence failure is a sobering reminder that an all-encompassing and flexible approach to intelligence is essential in this age of lightning-fast technological innovation. Finding the ideal balance between technology and human intelligence, along with strong cybersecurity measures, becomes crucial as governments struggle with changing security threats. This will help to avoid similar mistakes in the future.



Read more »
Spoofing
Aviation Firms Data Breach Electronic Data GPS GPS Jamming Middle East Navigation Spoofing

The Menace of GPS Spoofing in Aviation

GPS spoofing has been an extraordinary difficulty for the aviation industry in recent years. A threat that looked like it would only exist in the future is now a grim reality, with malicious GPS signal tampering causing flights worldwide to be misdirected.

GPS spoofing is a phenomenon in which phony signals are transmitted to trick GPS receivers into displaying false information about the position and trajectory of the aircraft. This not only presents a serious concern about the security of air travel, but it also calls into question the resilience of our technologically advanced and globally interconnected society.

Numerous reports demonstrate the growing frequency of GPS spoofing instances, reported from India to the Middle East. India's Directorate General of Civil Aviation (DGCA) has revealed some startling information. It is an urgent advisory that airlines should follow to strengthen safety measures against signal spoofing.

The impact of GPS spoofing on aviation is far-reaching, reports shed light on how flights are being led astray, with potential consequences that extend beyond mere inconvenience. The very essence of precision in air navigation, a cornerstone of modern aviation, is under threat. Pilots and air traffic controllers, relying heavily on GPS for accurate positioning and route planning, face the daunting challenge of distinguishing between authentic signals and deceptive ones.

The Times of India emphasizes the urgency for airlines to prepare standard operating procedures (SOPs) specifically addressing signal spoofing. Regulatory bodies are recognizing the need for a proactive approach to mitigate the risks associated with GPS manipulation. The article suggests that having robust protocols in place is essential to ensure the safety of air travel in the face of this emerging threat.

Reports delve into the mysterious occurrences of GPS spoofing in the skies of the Middle East, ringing alarm bells for Indian airlines. The DGCA's advisory underscores the seriousness of the situation, urging airlines to take immediate measures to safeguard their operations and passengers.

The growing danger of GPS spoofing serves as a sharp reminder of the dangers that come with our dependence on networked systems as we commemorate one year since the dawn of this technology-driven era. To keep ahead of those looking to use the digital landscape for evil, the aviation sector must quickly adapt, put in place strong countermeasures, and work with technological specialists.

GPS spoofing is becoming an increasingly serious problem, and aviation safety needs to be addressed comprehensively to keep up. It is within the industry's power to overcome these obstacles and guarantee that everyone can fly safely with increased awareness, readiness, and technical innovation.











Read more »
Middle East
APT34 Covert Attacks cyber espionage Iran hackers malware Middle East

Iranian APT34 Employs Menorah Malware for Covert Operations

 

In a recent cyber espionage operation, suspected Iranian hackers infected their targets with the newly discovered Menorah Malware, according to a report released on Friday. 

APT34, also known as OilRig, Cobalt Gypsy, IRN2, and Helix Kitten, is believed to have its headquarters in Iran. Since at least 2014, it has targeted Middle Eastern nations, primarily concentrating on governmental institutions and companies in the finance, oil, chemical, and telecommunications industries. 

Researchers from Trend Micro claim that in August, the hackers infected targets suspected to be headquartered in Saudi Arabia with the Menorah malware via a series of phishing emails.

The malware designed by the group is intended for cyber espionage; it has the ability to download files to the system, run shell commands, and upload particular files from a compromised device.

The SideTwist backdoor, which the organisation had previously utilised, is said to be similar to the new malware created by APT34. But the new version is more complex and more difficult to spot. 

“APT34 is in continuous-development mode, changing up and trying which routines and techniques will work,” the researchers explained. 

A tiny portion of data regarding the victims targeted by APT34 was discovered by Trend Micro during the investigation. They impersonated the Seychelles Licensing Authority in their phishing emails by using a fake file registration form.

According to the investigation, the target victim was probably based in Saudi Arabia because this document included price information in Saudi Arabian currency. 

APT34 has a history of taking part in prominent cyberattacks on numerous targets in the Middle East. A government official in Jordan's foreign ministry was the target of Saitama's backdoor last year. The gang attacked a number of Middle Eastern banks in 2021. 

“This group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond,” the researchers added. "Organisations should regularly alert their staff to the numerous techniques that attackers use to target systems, confidential information, and personal information."
Read more »
Ransomware Gang
Cyber Attacks Iran hackers Israel Middle East ransomware attacks Ransomware Gang

Iranian Attackers Employ Novel Moneybird Ransomware to Target Israeli Organizations

 

A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.

Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks. 

Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.

Modus operandi

According to Check Point researchers, threat actors first acquire access to company networks by taking advantage of flaws in servers that are visible to the public, giving Agrius its first network footing. 

The hackers then conceal themselves behind Israeli ProtonVPN nodes to launch ASPXSpy webshell variations concealed inside "Certificate" text files, a strategy Agrius has employed in the past. 

After deploying the webshells, the attackers employ open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. These tools include SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and ProcDump.

The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'

The C++ ransomware strain will encrypt target files using AES-256 with GCM (Galois/Counter Mode), creating distinct encryption keys for each file and appending encrypted metadata at their conclusion. This process begins immediately after the target files are launched.

In the instances observed by Check Point, the ransomware only targeted "F:User Shares," a typical shared folder on business networks used to hold company records, databases, and other items pertaining to collaboration.

This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines. 

Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.

Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery. 

"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note. 

Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities. 

However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the beginning that a payment would probably not be made, effectively rendering the attack harmful. 

"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.

An easy-to-use but powerful ransomware 

According to Check Point, Moneybird depends on an embedded configuration blob rather than command-line parsing, which would enable victim-specific customizations and increased deployment flexibility.

Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is inappropriate for mass marketing efforts. 

But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.
Read more »
User Security
Iranian hackers malware Middle East User Security

Iranian Hackers Employ Telegram Malware to Target Middle East Government Organization

 

An Iran-linked hacking group, UNC3313, has been discovered deploying two new targeted malwares, tracked as GRAMDOOR and STARWHALE. These backdoors were employed as part of an assault against an unnamed Middle East government entity in November 2021. 

According to cybersecurity firm Mandiant, the UNC3313 hacking group is associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers stated. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." 

Last month in January, U.S. intelligence agencies publicly categorized MuddyWater as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018. UNC3313 initially gained access via spear-phishing messages, followed by the exploitation of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment. 
 
Multiple victims were tricked into clicking a URL to download a RAR archive file stored on OneHub by the phishing emails, which opened the way for installing ScreenConnect, a genuine remote access program for gaining a foothold. 

"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers explained, adding the security incident was quickly contained and remediated. 
 
In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads on remote systems by running obfuscated PowerShell commands. 
 
Researchers at Mandiant also spotted a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that implements received commands from a hardcoded command-and-control (C2) server via HTTP. 
 
The second implant unearthed by the researchers was GRAMDOOR, known for its capability to use the Telegram Bot API for network interactions with the attacker-controlled server to avoid detection, underlining the use of communication technologies to facilitate data exfiltration once again. 
 
The findings of Mandiant correlate with the latest joint advisory published by the cybersecurity firms from the U.K. and the U.S., accusing the MuddyWater group of espionage strikes aiming at the defense, local government, oil, and natural gas, and telecommunications industries worldwide.
Read more »
Telecom
Asia Cyber Attacks Hackers Iranian Middle East Telecom

Telecom Industries Targeted by Hackers in Middle East and Asia

 

According to analysts, criminals attacking telcos in the Middle East and Asia over the last six months have been connected to Iranian state-sponsored cybercriminals. Cyberespionage tactics use a potent combination of spear phishing, recognized malware, and genuine network tools to steal sensitive information and potentially disrupt supply chains. 

Analysts detailed their results in a study released on Tuesday, claiming that attacks are targeting a variety of IT services firms as well as utility companies. As per a report issued by Symantec Threat Hunter Team, a subsidiary of Broadcom, malicious actors seem to obtain access to networks via spear-phishing and then steal passwords to migrate laterally. 

“Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report. 

However the hackers' identities are unknown, analysts believe they may be associated with the Iranian organization Seedworm, also known as MuddyWater or TEMP.Zagros. In the past, this organization has conducted significant phishing efforts targeting enterprises in Asia and the Middle East to steal passwords and gain resilience in the target's networks. 

Researchers discovered two IP addresses used throughout the operation that had already been related to Seedworm activity, as well as some tool overlap, particularly SharpChisel and Password Dumper, they claimed. Whilst there has already been threat activity from Iran against telcos in the Middle East and Asia—for instance, the Iranian Chafer APT targeted a major Middle East telco in 2018—a Symantec spokesperson termed the action detailed in the report "a step up" in its focus as well as a prospective harbinger of larger attacks to come. 

According to the analysts, a conventional attack in the latest campaign started with attackers penetrating a specified network and then trying to steal passwords to move laterally so that web shells could be launched onto Exchange Servers. 

Researchers dissected a particular attack launched in August on a Middle Eastern telecom provider. According to the experts, the first sign of penetration, in that case, was the development of a service to execute an unidentified Windows Script File (WSF). 

Scripts were then utilized by attackers to execute different domain, user discovery, and remote service discovery commands, and PowerShell was ultimately utilized to download and execute files and scripts. According to analysts, attackers also used a remote access tool that purported to query Exchange Servers of other firms. 

According to the researchers, attackers were interested in leveraging some hacked firms as stepping stones or just to target organizations other than the first one to build a supply-chain attack. 

“A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named ‘Special discount program.zip,’ suggesting that it arrived in a spear-phishing email,” they wrote.
Read more »
Phishing Campaign
Credential Theft Middle East Mobile Security Phishing Campaign

Hackers Exploit Glitch Platform to Host Malicious URLs

 

Threat actors are actively abusing the Glitch platform with the aim of hosting free credential-harvesting SharePoint phishing pages on this platform that perform credential theft. The campaign is targeting employees of major firms from the Middle East. 

The phishing campaign started in July 2021, and is, unfortunately, still active, stated security researcher Chad Anderson from DomainTools. The spear-phishing campaign included suspicious PDFs that do not contain any malicious content. 

Instead, these PDFs contain a link that leads the user to a malicious website hosted at Glitch, which would display a landing page that includes obfuscated JavaScript for stealing credentials. Glitch is a cloud-based hosting solution with a built-in code editor for operating and hosting software projects ranging from simple websites to large applications.

 Exploiting Glitch 

According to Bleeping Computer, Glitch is vulnerable to phishing assaults because they provide a free version through which users can design an app or a page and keep it running on the internet for five minutes. After that, the user has to enable it again manually.

“For example, one document directed the recipient to hammerhead-resilient-birch. glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again,” Anderson explained.

“Spaces, where code can run and be hosted for free, are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he added. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.” 

The perfect combination for attackers is the platform’s credibility and the free version, which is the path for attackers to host malicious URLs for a short period of time, favorably treating Glitch’s domain with security tools. A team of experts went further with their research and discovered the Glitch website linked with a service of commercial malware sandbox. This included a screenshot of the Microsoft SharePoint phishing login page. 

The discovery of the PDF through which the researchers were directed to that website led to the identification of various HTML documents linked to that sample after it was submitted to Virus Total. The chunks of obfuscated JavaScript could be spotted after the pages were pulled. These code chunks passed through these malicious WordPress sites and then were used for the purpose of leaking credentials. Researchers attempted to speak to Glitch regarding the exploit of the platform, but the company is yet to respond.
Read more »
Ministry of foreign affairs
Africa attacks Cyber Crime Cyberespionage Middle East Ministry of foreign affairs

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unsecured flaws to implement the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating.

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan at the same timeframe as BackdoorDiplomacy.
Read more »
MuddyWater
Cyber Attacks Earth Vetala Middle East MuddyWater

Iranian Hacking Group Targets Several Middle East Companies Via Malicious Campaign

 

Security researchers at Trend Micro found proof of malicious activity by ‘MuddyWater’ automatically programmed tool (APT) that has aimed at Middle East organizations by utilizing the ScreenConnect remote management tool.

Security analysts at Trend Micro have dubbed ‘Earth Vetala’ the recently detected campaign. However, the latest finding expands on previous research published by Anomali last month. MuddyWater is an Iranian hacking group known for its offensives primarily against Middle Eastern nations.

Key findings from this investigation 

The details discovered by security researchers are listed below:

• The campaign is currently stealing all the credentials from browsers like Chrome, Chromium, Firefox, Opera, Internet Explorer, and Outlook. 

• The campaign is said to have leveraged spear-phishing emails containing embedded links to an authorized file-sharing service. 

• The goal of this campaign is to spread all the malicious packages that generally carry remote tools (ScreenConnect and RemoteUtilities) to manage all the enterprise systems remotely. 

Security researchers have discovered a spear phishing email supposedly from a government agency. However, these emails direct victims to a .ZIP file that contains a legitimate remote administration software developed by RemoteUtilities, which is capable of downloading and uploading files, capturing screenshots, browsing files and directories, and executing and terminating processes. 

Earth Vetala has been appropriating the post-exploitation that involves password/process- dumping tools, and customer backdoors. The threat actors have been perceived as instating communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts. 

Security researchers at Trend Micro said the targets of the new wave of attacks are mainly organizations located in countries including Bahrain, Israel, Azerbaijan, Saudi Arabia, and the United Arab Emirates

In one particular instance involving a compromised host in Saudi Arabia, the researchers discovered that the adversary tried to unsuccessfully configure SharpChisel – a C# wrapper for a TCP/UDP tunneling tool called chisel – for C2 communications, before installing a remote access tool, a credential stealer, and a PowerShell backdoor capable of implementing arbitrary remote commands.
Read more »
UAE
Cyber Attacks Iran Middle East UAE

UAE Faces Cyber Pandemic, Cyberattacks In The Middle East On The Rise


The Middle East is suffering a "cyber pandemic" crisis due to coronavirus-themed cyberattacks on the rise this year, says Mohamed al-Kuwaiti, United Arab Emirates government's cybersecurity chief. Moving into a full online life, UAE witnessed an increase in cyberattacks, he further says. The UAE saw a record 250% increase in cybersecurity attacks in 2020. The pandemic compelled companies across the globe to look inside assess their assets, as criminal actors preyed on the digital world. 

"Al Kuwaiti said discussions were ongoing regarding lifting the ban on some Voice over Internet Protocol (VoIP) services in the UAE, such as WhatsApp and FaceTime calling," reports CNBC. Al Kuwaiti says that UAE became a primary target of attacks by the activists when it recently tied formal relations with Israel. Criminals targeted health and financial sectors in particular. The news provides a more in-depth insight into the troublesome cybersecurity challenges UAE and Middle East faces. In these regions, cyberattacks and breaches are prospering; most of these state-sponsored and undetected. According to Al Kuwaiti, various sources were behind this attack. Although the attacks come from all over the region, the main actor is Iran, he says. 

The issue reveals ongoing tension in the area, whereas Iran says that it is a target of cyberattacks. However, the Iranian foreign ministry has not offered any comments on the issue. Al Kuwaiti says that "phishing" and "ransomware" attacks are on the rise; these attacks have become more sophisticated and frequent. In a phishing attack, the hacker pretends to be a legitimate person or entity and steals sensitive information from the victim. Whereas in a ransomware attack, the hacker blocks access to information and demands a ransom from the victim. 

The latest research by cybersecurity firm TrendMicro says government IT infrastructures and critical public systems have become one of the primary targets of hackers globally, with ransomware attacks in the trend. According to the report, "current malicious actors have opted to demand heftier ransoms from targets that are more likely to pay, such as healthcare companies and local governments."
Read more »
Subscribe to: Posts (Atom)