Search This Blog

Showing posts with label Iranian hackers. Show all posts

FBI Warns of Hack Operations From Iranian Hackers

The FBI cautions that the Iranian threat group Emennet Pasargad may conduct hack-and-leak activities against US interests, precisely the November midterm elections, despite the group's primary focus on attacking Israeli leaders.

The US Treasury announced penalties over five Iranians and Emennet Pasargad, the firm they worked for, in November 2021 after the US issued a warning in November 2020 that Iranian hackers had taken advantage of known weaknesses to acquire voter registration data.

According to the information from the FBI, Emennet has been targeting organizations, primarily in Israel, with cyber-enabled information operations since at least 2020. These operations included an initial intrusion, data theft, and subsequent leak, followed by attenuation through online and social media forums, and in some cases, the implementation of destructive encryption malware.

The gang also targets businesses with PHP-powered websites or MySQL databases that can be accessed from the outside. The FBI claims hackers frequently launch attacks using open-source software for penetration testing.

The Bureau claims that Emennet executes false-flag attacks against Israel using online personas like hacktivists or cybercriminal groups. It warns that the company may use the same strategies to target US entities. The majority of the measures mentioned in the report were ones the group employed in the 2020 U.S. Presidential election.

The FBI issued a warning, stating that the gang would 'probably' target popular content-management tools like Drupal and WordPress. The infamous Log4j vulnerability has also been used by Emennet in cyberattacks on at least one U.S.-based company.

Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, two Iranian consultants who started working for Emennet Pasargad, initiated several operations intended to sow discord and undermine voters' confidence in the American electoral process, were the subject of a $10 million reward offered by the U.S. State Department in February.

Although still at large, Kazemi and Kashian are thought to be in Iran. The FBI's list of cyber criminals wanted now includes the two as well. The FBI also provides organizations with advice on how to reduce the risk posed by Emennet and a list of tactics, methods, and procedures (TTPs) related to the group.

Iranian Hackers Employ Novel RatMilad Spyware to Target Enterprise Android Users


Earlier this week, threat analysts at mobile security firm Zimperium Inc. zLabs detailed a newly unearthed form of Android spyware leveraged to target enterprise devices in the Middle East. 

Dubbed “RatMilad,” the original version of the spyware was identified as concealing behind a VPN and phone number spoofing app called Text Me. After discovering the spyware, the researchers also spotted a live sample of the malware family distributed through NumRent, an updated version of Text Me.

According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app via links on social media and communication tools like Telegram, luring unsuspecting users into sideloading the app and granting it extensive permissions. Moreover, fraudsters have designed a product website to distribute the app and trick users into believing that it is an authentic app. 

Since the malicious app can trick users into obtaining a broad range of permissions, it can gain access to sensitive device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages. 

"Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta stated.

Additionally, the hackers can access the camera and microphone of the device, which allows them to record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write activities. 

The scale of the infections is unknown, but the cybersecurity firm said it identified the spyware during a failed compromise attempt of a user's enterprise device. A post published on a Telegram channel employed to distribute the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited range.

"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, explained. From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix." 

Prevention tips 

The easiest method to avoid falling victim to fake Android apps employed to propagate spyware and malware is to download new apps from official app stores like the Google Play Store, the Amazon Appstore, and the Samsung Galaxy Store. 

Additionally, the users are recommended to scan the app that is sideloaded onto a device and increase the mobile attack surface leaving data and users at risk.

Iranian Hackers Allegedly Exploiting Israeli Entities

Mandiant has been analyzing UNC3890, a group of hackers that uses social engineering lures and a possible watering hole to target Israeli maritime, government, energy, and healthcare institutions, for the past year.

With a major emphasis on shipping and the current marine war between Iran and Israel, Mandiant estimates with a low degree of confidence that this actor is connected to Iran. Although experts believe this actor is primarily interested in gathering intelligence, the data is used to assist a range of actions, from hack-and-leak to enabling kinetic warfare strikes like those that have recently hit the marine sector. 

According to John Hultquist, vice president of threat intelligence at Mandiant, "the maritime industry or the global supply chain is highly vulnerable to disruption, especially in countries where a state of the low-level conflict already exists."

Luring method 

Watering holes and data theft have been the primary entry points for UNC3890. The latter collected passwords and sent phishing lures using the group's C2 servers, which it posed as reputable services. 

The servers display false job offers and bogus advertising, and fake login pages for services like Office 365 and social media sites like LinkedIn and Facebook.

Additionally, the researchers discovered a UNC3890 server that included Facebook and Instagram account data that had been spoofed and might have been utilized in social engineering attempts.

A.xls file posed as a job offer but intended to install Sugardump—one of two distinct tools being utilized by the hackers —was probably one potential phishing lure employed by the attackers. 

A credential harvesting program called Sugardump can get passwords out of Chromium-based browsers. The second device is called Sugarush, a backdoor that may be used to connect to an implanted C2 and run CMD instructions. 

A reverse shell is established over TCP using Sugarush, as per experts, they call it "a modest but efficient backdoor." It scans for internet access. If connectivity is possible, Sugarush creates a fresh TCP connection via port 4585 to a built-in C&C address and waits for a response. The response is treated as a CMD command that should be executed.

Other tools utilized by UNC3890 include Metasploit, Northstar C2, and Unicorn (a tool for running a PowerShell downgrade attack and injecting shellcode into memory.)

Sugardump was discovered in several forms. The earliest includes two variations and dates until early 2021. This initial version merely keeps login details without exposing them. It might be partial malware or software made to work with other tools to exfiltrate data.

The second variant, which was created in late 2021 or early 2022, uses SMTP for C2 communication and Yahoo, Yandex, and Gmail accounts for exfiltration. The researchers make a connection between a specific phishing appeal and a social engineering movie that has an advertisement for an AI-powered robotic doll.

Proofpoint Analysis : APT Groups Target Journalists

APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

Iranian Hackers: Israeli Tourism Sites Targeted

A malware targeted websites for the Israeli public transportation companies Dan and Kavim, a children's museum, and a public radio blog. Reportedly, none of the sites were reachable to users by Saturday noon.

On Tuesday, the Sharp Boys hacking group claimed to have stolen data from Israeli travel websites, including ID numbers, addresses, credit card details, and etc.

Websites were compromised 

As per hackers, the affected websites are,,,, and Tuesday morning, according to the company, was inaccessible, however by Tuesday afternoon, the site had loaded. 

"Hello once more! If you don't want your data disclosed by us, contact us as soon as possible," on Friday night, the hackers posted a message on Telegram. A follow-up message stated: "They did not get in touch with us, the first list of data is here " the group said, posting the data online.

Later on Saturday, the gang uploaded what it claimed to be information about customers of the Dan transportation company and a travel agency in a new message that claimed to have more data. "You are under our control no matter where you go, even on your travels. Please keep our name in mind." In an image shared on a Telegram account, Sharp Boys made the statement. 

Everything to know about Sharp Boys cyber gang

According to Israeli media, Sharp Boys is a hacking group with links to Iran that conducts cyber espionage for illicit purposes. 

The Sharp Boys hacker group first appeared in December when it claimed to have affected two Israeli hiking websites. They also claimed to have taken control of the website's backend administration and released a spreadsheet that contained the personal data of 120,000 people. 

In December last year, the group hacked into the Shirbit insurance company in Israel and stole vast volumes of data. When the company declined to pay the $1 million ransom demand, it exposed the data. A spreadsheet that contained personal data and credit card details for 100,000 people was released.

According to a report released on Tuesday by the Israeli cybersecurity firm Check Point, the average weekly number of assaults on businesses in the travel and leisure industry increased globally by 60% in June 2022 compared to the first half of June 2021.

Iranian Hackers Launch Cyberattack Against US and the UK 


Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access routes are enabled by scanning internet-facing servers for web shells and exploiting them as a route to move laterally and activate the ransomware, which is vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers. 

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence. 

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulating of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.

Iranian Hackers Employ Telegram Malware to Target Middle East Government Organization


An Iran-linked hacking group, UNC3313, has been discovered deploying two new targeted malwares, tracked as GRAMDOOR and STARWHALE. These backdoors were employed as part of an assault against an unnamed Middle East government entity in November 2021. 

According to cybersecurity firm Mandiant, the UNC3313 hacking group is associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers stated. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." 

Last month in January, U.S. intelligence agencies publicly categorized MuddyWater as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018. UNC3313 initially gained access via spear-phishing messages, followed by the exploitation of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment. 
Multiple victims were tricked into clicking a URL to download a RAR archive file stored on OneHub by the phishing emails, which opened the way for installing ScreenConnect, a genuine remote access program for gaining a foothold. 

"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers explained, adding the security incident was quickly contained and remediated. 
In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads on remote systems by running obfuscated PowerShell commands. 
Researchers at Mandiant also spotted a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that implements received commands from a hardcoded command-and-control (C2) server via HTTP. 
The second implant unearthed by the researchers was GRAMDOOR, known for its capability to use the Telegram Bot API for network interactions with the attacker-controlled server to avoid detection, underlining the use of communication technologies to facilitate data exfiltration once again. 
The findings of Mandiant correlate with the latest joint advisory published by the cybersecurity firms from the U.K. and the U.S., accusing the MuddyWater group of espionage strikes aiming at the defense, local government, oil, and natural gas, and telecommunications industries worldwide.

 Iran's MuddyWater Hacker Group is Exploiting New Malware


According to a notice issued by US security and law enforcement authorities, Iran-linked cyber activities are targeting a variety of government and private organizations in several areas across Asia, Africa, Europe, and North America.

"MuddyWater actors are poised to deliver stolen data and access to the Iranian government, as well as to share them with other cybercriminal actors," the agencies stated. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the National Cyber Security Centre of the United Kingdom have issued a combined advisory (NCSC) in the regard.

This year, the cyber-espionage actor was revealed to be working for Iran's Ministry of Intelligence and Security (MOIS), conducting malicious operations against a wide range of state and private organisations in Asia, Africa, Europe, and North America, including telecommunications, defence, local government, and the oil and natural gas sectors. 

MuddyWater is also known by the aliases Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP. Aside from publicly disclosed vulnerabilities, the hacker group has already been seen using open-source tools to get access to sensitive information, deliver ransomware, and maintain resilience on victim networks. 

Late last month, Cisco Talos conducted a follow-up analysis and discovered a previously unknown malware campaign focused on Turkish private and governmental entities with the purpose of delivering a PowerShell-based backdoor. In harmful operations, MuddyWater actors use new variations of PowGoop malware as its main loader, which consists of a DLL loader and an Operating system downloader. The malicious programme poses as a valid Google Update executable file and is signed as such. 

A surveying script to identify and send data about target PCs back to the remote C2 server rounds out MuddyWater's arsenal of weapons. A newly discovered PowerShell backdoor was also installed, which is used to perform actions obtained from the attacker. 

The agencies advise enterprises to utilise multi-factor authentication whenever possible, limit the usage of administrator credentials, deploy phishing defences, and prioritise correcting known exploited vulnerabilities to provide barriers against potential attacks.

Iranian Hackers Employed a New Marlin Backdoor in a Surveillance Operation 


Iranian hackers are using the New Marlin backdoor as part of a long-running surveillance operation that began in April 2018. ESET, a Slovak cybersecurity firm, linked the attacks, entitled "Out to Sea," to a threat actor known as OilRig (aka APT34), firmly linking its actions to another Iranian group known as Lyceum as well (Hexane aka SiameseKitten).

Since 2014, the hacking organization has attacked Middle Eastern governments as well as a range of industry verticals, including chemical, oil, finance, and telecommunications. In April 2021, the threat actors used an implant dubbed SideTwist to assault a Lebanese company. 

"Victims of the campaign include diplomatic institutions, technological businesses, and medical organizations in Israel, Tunisia, and the United Arab Emirates," according to a report by ESET.

Lyceum has previously conducted campaigns in Israel, Morocco, Tunisia, and Saudi Arabia to single out IT companies. Since the campaign's discovery in 2018, the Lyceum infecting chains have developed to drop many backdoors, starting with DanBot and progressing to Shark and Milan in 2021. Later attacks, utilizing a new data harvesting virus dubbed Marlin, were detected in August 2021. 

The hacking organization discarded the old OilRig TTPs, which comprised command-and-control (C&C) connections over DNS and HTTPS. For its C2 activities, Marlin relies on Microsoft's OneDrive API. ESET identified parallels in tools and tactics between OilRig's backdoors and those of Lyceum as "too numerous and specific," stating the initial access to the network was gained through spear-phishing and management applications like ITbrain and TeamViewer. 

"The ToneDeaf backdoor connected with its C&C primarily over HTTP/S, but featured a secondary route, DNS tunneling, which did not work effectively," the researcher indicated. "Shark has similar problems, with DNS as its primary communication channel and an HTTP/S secondary one which isn't working." 

Marlin randomly selects the executable code's internal structure, denying the attacker a comprehensive assessment of instruction addresses needed to build the intended exploit payload. The findings also revealed the usage of several folders in a backdoor's file menu for sending and receiving data from the C&C server, the concurrent use of DNS as a C&C communication route while also utilizing HTTP/S as a backup communication mechanism.

Iranian Hackers Employs PowerShell Backdoor to Bypass Security Products


Security researchers from Cybereason have discovered that an advanced persistent threat organization with inbounds links to Iran has modified its malware toolset to incorporate a unique PowerShell-based implant named PowerLess Backdoor. 

The Boston-headquartered cybersecurity firm identified a new toolkit used by the Phosphorus group, also known as Charming Kitten and APT35, that installs malicious Microsoft PowerShell code to operate as a remote access backdoor to download further malware payloads.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, a senior malware researcher at Cybereason, explained. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy." 

The hacking group that was first identified in 2017, has employed many attacks in recent years, including ones in which the adversary pretended to be journalists or academicians to trick targets into downloading malware and collecting confidential material. 

Last month, Check Point Research disclosed specifics of an espionage operation that concerned the hacking team abusing the Log4Shell vulnerabilities to install a modular backdoor dubbed CharmPower for follow-on attacks. 

Cybereason discovered that the latest additions to its arsenal form an entirely new toolset that includes the PowerLess Backdoor, which can download and run other modules like a browser info-stealer and a keylogger. Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET. 

Additionally, infrastructure overlaps have been noticed between the Phosphorus group and a new ransomware strain named Memento, which initially emerged in November 2021 and took the unusual step of locking files into password-protected archives, then encrypting the password and erasing the original files after their attempts to encrypt the data directly were stopped by endpoint protection. 

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento. Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor,” Frank added.

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers


The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.

Iran-Linked Hackers Attacked Israel's Government and Business Sector


In the latest episode of cyberwarfare between the rival states, an Iran-linked hacking gang hit seven Israeli targets in a 24-hour span, according to an Israeli cybersecurity firm. The Israeli "government and business sector" were among the targets of the "Charming Kitten" attack, according to a statement issued late Wednesday by Tel Aviv-based Check Point. 

"Check Point has blocked these attacks, as we witnessed communications between a server used by this group and the targets in Israel," said the firm. "Our reports of the last 48 hours prove that both criminal hacking groups and nation-state actors are engaged in the exploration of this vulnerability."

Charming Kitten, also known as Phosphorous, APT35, Ajax Security Team, ITG18, NewsBeef, and NewsCaster, is a threat actor that has been active since at least 2011 and has targeted entities in the Middle East, the United States, and the United Kingdom. FireEye classified the group as a nation-state-based advanced persistent threat on December 15, 2017, despite its lack of sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding their malware capabilities and intrusion campaigns. Since then, the gang has been known to use phishing to spoof firm websites, as well as false accounts and DNS domains to steal victims' passwords. 

Allegations of cyberwarfare between Iran and Israel have grown more serious in recent months. In October, Israel was implicated in a series of cyberattacks on Iranian infrastructure, including the country's fuel distribution system. The disruption had an unusual impact because it shut down the IT system that allowed Iranians to fill their tanks for free or at reduced prices using a digital card issued by the authorities.

Another reportedly Iran-linked hacker organization, "Black Shadow," claimed responsibility for a cyber-attack on an Israeli internet service provider in October. One of the sites targeted in that incident was Israel's largest LGBTQ dating service, with the hackers demanding ransom payments in exchange for sensitive private information such as the HIV status of the site's users. 

According to the finance ministry, Israel, which prides itself as a cybersecurity leader, hosted a "international cyber financial war game" last week. The United States, Britain, and the United Arab Emirates, which established diplomatic ties with Israel last year, were among those who took part. Germany, Switzerland, and the International Monetary Fund were all present, according to the ministry. Shira Greenberg, a chief economist at Israel's finance ministry, said the exercise underlined "the importance of coordinated global action by governments and central banks in the face of cyber-financial threats."

Iranian Hackers are Exploiting Microsoft and Fortinet Flaws


Australia, the United Kingdom, and the United States issued a combined advisory on Wednesday of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored hackers. CVE-2021-34473, 2020-12812, 2019-5591, and 2018-13379 are the four vulnerabilities they urged administrators to fix right away.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated. "Australian Cyber Security Centre (ACSC) is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than targeting a specific industry, the authorities said that the attackers merely focused on exploiting vulnerabilities wherever they could and then attempting to convert that initial access into data exfiltration, a ransomware assault, or extortion. 

To maintain access, the attackers would use the Fortinet and Exchange vulnerabilities to add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems that looked like existing accounts. The next step was to enable BitLocker, post a ransom note, and download the files through FTP. 

In May 2021, CISA and FBI noticed the adversary misusing a Fortigate appliance to acquire a foothold on a web server holding the domain for a US municipal government, in addition to exploiting the ProxyShell vulnerability to obtain access to vulnerable networks. The APT attackers "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," according to the advisory. 

This is the second time the US government has issued a warning on advanced persistent threat groups targeting Fortinet FortiOS servers by exploiting CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to attack government and commercial systems. 

The FBI and CISA released warnings in April that Fortinet gear vulnerabilities were being regularly exploited, and in July, the complete quartet of authorities listed Fortinet among the top 30 exploited vulnerabilities. Separately, Microsoft issued a warning on Wednesday about six Iranian groups that were utilizing vulnerabilities in the same set of products to spread ransomware.

Organizations should immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released as mitigations, according to the agencies.

Lyceum Threat Group Targeting Telecom Companies, ISPs Across Middle Eastern Countries


Cybersecurity researchers have uncovered a new cyberespionage campaign by Iranian hackers targeting the networks of telecoms companies and internet service providers (ISPs).

Tracked as Lyceum (also known as Siamese kitten or Hexane), the Iranian APT group has mainly targeted organizations in oil, gas, and telecom industries across Africa and Middle Eastern countries. But in recent times, the group has shifted its focus to include the technology sector.

Earlier this week, Accenture Cyber Threat Intelligence and Prevailing Adversarial Counterintelligence published a report detailing the threat group’s recent campaigns. Between July and October this year, Lyceum was identified in assaults against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia using two new malware variants, dubbed Shark and Milan. 

The Shark backdoor is a 32-bit executable written in C# and .NET generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs). 

Both backdoors communicate with the groups' command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group's backdoors, consisting of over 20 domains, including six that were earlier not associated with the threat actors. Previously, ClearSky and Kasperksy have disclosed the malware families. Additionally, researchers also discovered a new backdoor similar to newer versions of Milan, which sent beacons linked to potential attacks against a Tunisian telecom firm and a government agency in Africa. 

"It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator. However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north Africa telecommunication companies,” the researchers stated. 

At the time of the report’s publication, the cybersecurity teams stated that there are still multiple identified exploits that remain active. The hacking group typically employs credential stuffing attacks and brute-force attacks as an initial attack vector. Individual companies of interest are normally targeted, and then later used as a springboard to launch spear-phishing assaults against high-profile executives in an organization.

APT35 Continues Targeting Important US Citizens and Institutions


This year, the Google Threat Analysis Group (TAG) has noticed an increase in government-sponsored hacking. According to the data revealed in the blog post, Google has sent over 50,000 warnings of phishing and malware attempts to account holders thus far in 2021. The number of people has increased by 33% from the same period last year. 

APT35 operations dating back to 2014 have been found by FireEye. APT35, also known as the Newscaster Team, is an Iranian government-sponsored threat group that carries out long-term, resource-intensive operations to gather strategic intelligence. APT35 usually targets military, diplomatic, and government people in the United States and the Middle East, as well as organisations in the media, energy, and defense industrial base (DIB), as well as engineering, business services, and telecommunications. 

Since 2017, APT35 has been targeting politicians, NGOs, government institutions, journalists, and academia under the names Ajax Security Team, Charming Kitten, and Phosphorus. During the 2020 elections, the group also attempted to target former US President Donald Trump's election campaign staff. 

Charming Kitten made 2,700 attempts to gather information about targeted email accounts in a 30-day period between August and September 2019, according to Microsoft. There were 241 attacks and four compromised accounts as a result of this. Despite the fact that the initiative was allegedly directed at a presidential campaign in the United States, none of the stolen accounts had anything to do with the election. Microsoft did not say who was directly targeted, although Reuters later reported that it was Donald Trump's re-election campaign. The fact that only the Trump campaign utilized Microsoft Outlook as an email client backs up this claim.

 "For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google said. 

Phishing attacks including malicious URLs are the most popular approach employed by APT35. APT35, for example, infiltrated a website affiliated with a UK university in early 2021. The group then set up a phishing kit on the website in order to collect user credentials and began sending out emails with a link to the site. The users were instructed to log in using the link provided in order to participate in a fictitious webinar. 

APT35 also attempted to use the Google Play Store to distribute spyware disguised as a VPN client. If the app is installed on the phone, it can gather SMS and call records, as well as location data and contacts. The attempt was thwarted when Google removed the app from the Play Store.

Facebook says Iranian Hackers Targeted U.S. Military Personnel


On Thursday, Facebook announced that it had shut down approximately 200 accounts operated by a group of hackers in Iran as part of a cyber-spying operation that focused primarily on US military officials and others working in defense and aerospace firms. 

The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook. 

In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it." 

Thus according to Facebook, the group created dubious identities on numerous social media sites to look more legitimate, frequently impersonating recruiters or staff of aerospace and defense firms. LinkedIn, which is controlled by Microsoft, announced the removal of several accounts, while Twitter said it was "actively investigating" the data in Facebook's report. 

The virus was distributed via email, chat, and collaboration platforms, according to Facebook, including malicious Microsoft Excel spreadsheets. In a statement, a Microsoft spokesman said the company was aware and following this actor, and that it takes action when harmful behavior is detected. 

Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules. 

According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor. 

In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted. 

The campaign appeared to demonstrate an extension of the group's operations, which had previously been claimed to focus mostly on the Middle East's I.T. and other businesses, according to Facebook. A section of the malware employed by the organization was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, as per the inquiry. 

Mahak Rayan Afraz's contact information was not readily available to Reuters, and former employees of the firm did not respond to LinkedIn messages sent to them. A request for comment from Iran's mission to the United Nations in New York was not promptly reported. The allegations that MRA is involved in Iranian state cyber espionage are not new. MRA was one of the numerous contractors suspected of assisting the IRGC's elite Quds Force, according to cybersecurity firm Recorded Future. 

Iranian spies, like other espionage services, have long been alleged of farming out their missions to a variety of domestic contractors. Facebook stated the fraudulent domains had been prohibited from being shared, while Google said the domains had been placed to its "blocklist."

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal


According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

Medical Professionals of U.S. and Israel Targeted in a 'BadBlood' Phishing Campaign


Email security firm, Proofpoint has exposed a hacking group linked with the Iranian government targeting nearly two-dozen medical researchers in Israel and U.S. The targeted medical professionals particularly work in the oncology, genetics, and neurology fields in both U.S. and Israel. Proofpoint described the phishing campaign as ‘BadBlood’ due to its nature of targeting medical professionals.

According to Proofpoint, the Iranian hacking group operates with different names such as TA453, Charming Kitten, Phosphorus, APT35, ITG18, Ajax Security Team, NewsBeef, and Newscaster. The hacking group that has been operating since 2011, is specifically targeting medical professionals, activists, and journalists in the Middle East, the U.K., and the U.S. 

To lure the victims into their trap, the Iranian hacking group employed a Gmail account in the name of prominent Israeli physicist, Daniel Zaifman. The attackers sent a series of malicious emails from the Zaifman account to the medical professionals claiming to contain sensitive information on Israel’s nuclear program. 

The malicious emails contained a link that directed the victims to a fake Microsoft login page and once opened, the malicious links extracted the users’ email credentials. Although the motives of this attack is not yet clear, many researchers believe the operation was conducted to acquire medical research or private health data on intelligence targets of interest to Tehran. 

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453. While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” Proofpoint stated.

Iranian Hacker Group Using New Tools to Target Government Agencies of Broader Middle East Region


In the part of their attacks on companies and government agencies in the broader Middle East region, an Iranian cyberattack group has begun utilizing new tools, including a custom download utility and commodity ransomware, as per Broadcom's Symantec division. 

Dubbed as Seedworm, the group gives off an impression of being deploying a few variations of a new downloader, known as PowGoop, to the recent targets.

The utilization of the noxious program doesn't demonstrate a shift to ransomware-based cybercrime for the group, yet rather a reception of a more extensive variety of strategies for countering defensive measures. 

The software downloads and decrypts 'obfuscated' PowerShell scripts to run on compromised frameworks, utilizing the basic utility as an approach to execute code. 

The researchers additionally state that the group is sending ransomware, known as Thanos, which previously appeared available to be purchased not long ago and gives off an impression of being utilized by Seedworm for its 'destructive capacities'.

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," "We don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most," says Vikram Thakur, Symantec's technical director. 

The researchers were moderately sure, nonetheless, in ascribing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis.  
"While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations that do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation." 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur added later.

PowGoop has additionally been identified by various other companies. Security firm Palo Alto Networks associated PowGoop with two ransomware attacks on companies in the Middle East and North Africa at the beginning of September.

Microsoft Confirms Cyber-Attacks on Biden and Trump Campaigns

Microsoft reports breaching of email accounts belonging to individuals associated with the Biden and Trump election campaigns by Chinese, Iranian, and Russian state-sponsored hackers. 

Tom Burt, Corporate VP for Customer Security and Trust at Microsoft, revealed the occurrences in a detailed blog post after Reuters announced about a portion of the Russian attacks against the Biden camp. 

"Most of these assaults" were recognized and blocked, which is what he added later and revealed in the blog post with respect to the additional attacks and furthermore affirmed a DNI report from August that asserted that Chinese and Iranian hackers were likewise focusing on the US election process.

 As indicated by Microsoft, the attacks conducted by Russian hackers were connected back to a group that the organization has been tracking under the name of Strontium and the cybersecurity industry as APT28 or Fancy Bear. 

 While Strontium generally carried out the spear-phishing email attacks, as of late, the group has been utilizing 'brute-force' and password spraying techniques as an integral technique to breaching accounts. 

Then again, the attacks by Iranian hackers originated from a group tracked as Phosphorous (APT35, Charming Kitten, and the Ajax Security Group). 

These attacks are a continuation of a campaign that began a year ago, and which Microsoft recognized and cautioned about in October 2019. At that point, Microsoft cautioned that the hackers focused on "a 2020 US presidential campaign" yet didn't name which one. 

Through some open-source detective work, a few individuals from the security community later linked the attacks to the Trump campaign. 

What's more, only a couple of days back Microsoft affirmed that the attacks are indeed focused on the Trump campaign, yet in addition unveiled a new activity identified with the said group. The attacks were likewise identified by Chinese groups. 

While presently there are several hacking groups that are assumed to work under orders and the security of the Chinese government, Microsoft said that the attacks focusing on US campaigns originated from a group known as Zirconium (APT31), which is a similar group that Google spotted not long ago, in June. 

Microsoft says it detected thousands of attacks coordinated by this group between March 2020 and September 2020, with the hackers accessing almost some 150 accounts during that time period.