Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Middle East. Show all posts

Israel's Intelligence Failure: Balancing Technology and Cybersecurity Challenges

On October 7, in a startling turn of events, Hamas carried out a planned invasion that escaped Israeli military detection, posing a serious intelligence failure risk to Israel. The event brought to light Israel's vulnerabilities in its cybersecurity infrastructure as well as its over-reliance on technology for intelligence gathering.

The reliance on technology has been a cornerstone of Israel's intelligence operations, but as highlighted in reports from Al Jazeera, the very dependence might have been a contributing factor to the October 7 intelligence breakdown. The use of advanced surveillance systems, drones, and other tech-based solutions, while offering sophisticated capabilities, also poses inherent risks.

Experts suggest that an excessive focus on technological solutions might lead to a neglect of traditional intelligence methods. As Dr. Yasmine Farouk from the Middle East Institute points out, "In the pursuit of cutting-edge technology, there's a danger of neglecting the human intelligence element, which is often more adaptive and insightful."

The NPR investigation emphasizes that cybersecurity played a pivotal role in the intelligence failure. The attackers exploited vulnerabilities in Israel's cyber defenses, allowing them to operate discreetly and avoid detection. The report quotes cybersecurity analyst Rachel Levy, who states, "The attackers used sophisticated methods to manipulate data and deceive the surveillance systems, exposing a critical weakness in Israel's cyber infrastructure."

The incident underscored the need for a comprehensive reassessment of intelligence strategies, incorporating a balanced approach that combines cutting-edge technology with robust cybersecurity measures.

Israel is reassessing its dependence on tech-centric solutions in the wake of the intelligence disaster. Speaking about the need for a thorough assessment, Prime Minister Benjamin Netanyahu said, "We must learn from this incident and recalibrate our intelligence apparatus to address the evolving challenges, especially in the realm of cybersecurity."

The October 7 intelligence failure is a sobering reminder that an all-encompassing and flexible approach to intelligence is essential in this age of lightning-fast technological innovation. Finding the ideal balance between technology and human intelligence, along with strong cybersecurity measures, becomes crucial as governments struggle with changing security threats. This will help to avoid similar mistakes in the future.



The Menace of GPS Spoofing in Aviation

GPS spoofing has been an extraordinary difficulty for the aviation industry in recent years. A threat that looked like it would only exist in the future is now a grim reality, with malicious GPS signal tampering causing flights worldwide to be misdirected.

GPS spoofing is a phenomenon in which phony signals are transmitted to trick GPS receivers into displaying false information about the position and trajectory of the aircraft. This not only presents a serious concern about the security of air travel, but it also calls into question the resilience of our technologically advanced and globally interconnected society.

Numerous reports demonstrate the growing frequency of GPS spoofing instances, reported from India to the Middle East. India's Directorate General of Civil Aviation (DGCA) has revealed some startling information. It is an urgent advisory that airlines should follow to strengthen safety measures against signal spoofing.

The impact of GPS spoofing on aviation is far-reaching, reports shed light on how flights are being led astray, with potential consequences that extend beyond mere inconvenience. The very essence of precision in air navigation, a cornerstone of modern aviation, is under threat. Pilots and air traffic controllers, relying heavily on GPS for accurate positioning and route planning, face the daunting challenge of distinguishing between authentic signals and deceptive ones.

The Times of India emphasizes the urgency for airlines to prepare standard operating procedures (SOPs) specifically addressing signal spoofing. Regulatory bodies are recognizing the need for a proactive approach to mitigate the risks associated with GPS manipulation. The article suggests that having robust protocols in place is essential to ensure the safety of air travel in the face of this emerging threat.

Reports delve into the mysterious occurrences of GPS spoofing in the skies of the Middle East, ringing alarm bells for Indian airlines. The DGCA's advisory underscores the seriousness of the situation, urging airlines to take immediate measures to safeguard their operations and passengers.

The growing danger of GPS spoofing serves as a sharp reminder of the dangers that come with our dependence on networked systems as we commemorate one year since the dawn of this technology-driven era. To keep ahead of those looking to use the digital landscape for evil, the aviation sector must quickly adapt, put in place strong countermeasures, and work with technological specialists.

GPS spoofing is becoming an increasingly serious problem, and aviation safety needs to be addressed comprehensively to keep up. It is within the industry's power to overcome these obstacles and guarantee that everyone can fly safely with increased awareness, readiness, and technical innovation.











Iranian APT34 Employs Menorah Malware for Covert Operations

 

In a recent cyber espionage operation, suspected Iranian hackers infected their targets with the newly discovered Menorah Malware, according to a report released on Friday. 

APT34, also known as OilRig, Cobalt Gypsy, IRN2, and Helix Kitten, is believed to have its headquarters in Iran. Since at least 2014, it has targeted Middle Eastern nations, primarily concentrating on governmental institutions and companies in the finance, oil, chemical, and telecommunications industries. 

Researchers from Trend Micro claim that in August, the hackers infected targets suspected to be headquartered in Saudi Arabia with the Menorah malware via a series of phishing emails.

The malware designed by the group is intended for cyber espionage; it has the ability to download files to the system, run shell commands, and upload particular files from a compromised device.

The SideTwist backdoor, which the organisation had previously utilised, is said to be similar to the new malware created by APT34. But the new version is more complex and more difficult to spot. 

“APT34 is in continuous-development mode, changing up and trying which routines and techniques will work,” the researchers explained. 

A tiny portion of data regarding the victims targeted by APT34 was discovered by Trend Micro during the investigation. They impersonated the Seychelles Licensing Authority in their phishing emails by using a fake file registration form.

According to the investigation, the target victim was probably based in Saudi Arabia because this document included price information in Saudi Arabian currency. 

APT34 has a history of taking part in prominent cyberattacks on numerous targets in the Middle East. A government official in Jordan's foreign ministry was the target of Saitama's backdoor last year. The gang attacked a number of Middle Eastern banks in 2021. 

“This group operates with a high degree of sophistication and seemingly vast resources, posing a significant cybersecurity challenge regionally and beyond,” the researchers added. "Organisations should regularly alert their staff to the numerous techniques that attackers use to target systems, confidential information, and personal information."

Iranian Attackers Employ Novel Moneybird Ransomware to Target Israeli Organizations

 

A new ransomware variant called "Moneybird" is currently being used by the threat actor "Agrius," which is thought to be funded by the Iranian government, to target Israeli organisations.

Since at least 2021, Agrius has been using various identities to deliberately target organisations in Israel and the Middle East while using data wipers in disruptive attacks. 

Researchers from Check Point who found the new ransomware strain believe that Agrius created it to aid in the growth of their activities, and that the threat group's use of "Moneybird" is just another effort to hide their footprints.

Modus operandi

According to Check Point researchers, threat actors first acquire access to company networks by taking advantage of flaws in servers that are visible to the public, giving Agrius its first network footing. 

The hackers then conceal themselves behind Israeli ProtonVPN nodes to launch ASPXSpy webshell variations concealed inside "Certificate" text files, a strategy Agrius has employed in the past. 

After deploying the webshells, the attackers employ open-source tools to move laterally, communicate securely using Plink/PuTTY, steal credentials using ProcDump, and exfiltrate data using FileZilla. These tools include SoftPerfect Network Scanner, Plink/PuTTY, ProcDump, and ProcDump.

The Moneybird ransomware executable is obtained by Agrius in the subsequent stage of the attack through reliable file hosting services like 'ufile.io' and 'easyupload.io.'

The C++ ransomware strain will encrypt target files using AES-256 with GCM (Galois/Counter Mode), creating distinct encryption keys for each file and appending encrypted metadata at their conclusion. This process begins immediately after the target files are launched.

In the instances observed by Check Point, the ransomware only targeted "F:User Shares," a typical shared folder on business networks used to hold company records, databases, and other items pertaining to collaboration.

This focused targeting suggests that Moneybird is more interested in disrupting business than in locking down the affected machines. 

Since the private keys used to encrypt each file are produced using information from the system GUID, file content, file path, and random integers, Check Point argues that data restoration and file decryption would be incredibly difficult.

Following the encryption, ransom notes are left on the affected systems, advising the victim to click the provided link within 24 hours for instructions on data recovery. 

"Hello WE ARE MONEYBIRD! All of your data encrypted! If u want you to restore them follow this link with in 24H," reads the Moneybird ransom note. 

Moneybird is thought to be ransomware, not a wiper, in contrast to earlier assaults connected to Agrius, and it is intended to generate money to support the threat actors' nefarious activities. 

However, in the case observed by Check Point Research, the ransom demand was so high that it was understood from the beginning that a payment would probably not be made, effectively rendering the attack harmful. 

"Yes negotiations could be possible but the demand was extremely high, which leads us to believe that it’s part of the trick. They knew no one would pay so the damage and data leaked was expected. It was not a wiper," stated Eli Smadga, Research Group Manager at Check Point Research.

An easy-to-use but powerful ransomware 

According to Check Point, Moneybird depends on an embedded configuration blob rather than command-line parsing, which would enable victim-specific customizations and increased deployment flexibility.

Because the ransomware's behaviour parameters are pre-defined and difficult to customise for each target or situation, the strain is inappropriate for mass marketing efforts. 

But for Agrius, Moneybird remains a powerful instrument for business disruption, and future advancements that result in the release of newer, more powerful versions may make it a serious danger to a wider variety of Israeli organisations.

Iranian Hackers Employ Telegram Malware to Target Middle East Government Organization

 

An Iran-linked hacking group, UNC3313, has been discovered deploying two new targeted malwares, tracked as GRAMDOOR and STARWHALE. These backdoors were employed as part of an assault against an unnamed Middle East government entity in November 2021. 

According to cybersecurity firm Mandiant, the UNC3313 hacking group is associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers stated. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." 

Last month in January, U.S. intelligence agencies publicly categorized MuddyWater as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018. UNC3313 initially gained access via spear-phishing messages, followed by the exploitation of publicly available offensive security tools and remote access software for lateral movement and maintaining access to the environment. 
 
Multiple victims were tricked into clicking a URL to download a RAR archive file stored on OneHub by the phishing emails, which opened the way for installing ScreenConnect, a genuine remote access program for gaining a foothold. 

"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers explained, adding the security incident was quickly contained and remediated. 
 
In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads on remote systems by running obfuscated PowerShell commands. 
 
Researchers at Mandiant also spotted a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that implements received commands from a hardcoded command-and-control (C2) server via HTTP. 
 
The second implant unearthed by the researchers was GRAMDOOR, known for its capability to use the Telegram Bot API for network interactions with the attacker-controlled server to avoid detection, underlining the use of communication technologies to facilitate data exfiltration once again. 
 
The findings of Mandiant correlate with the latest joint advisory published by the cybersecurity firms from the U.K. and the U.S., accusing the MuddyWater group of espionage strikes aiming at the defense, local government, oil, and natural gas, and telecommunications industries worldwide.

Telecom Industries Targeted by Hackers in Middle East and Asia

 

According to analysts, criminals attacking telcos in the Middle East and Asia over the last six months have been connected to Iranian state-sponsored cybercriminals. Cyberespionage tactics use a potent combination of spear phishing, recognized malware, and genuine network tools to steal sensitive information and potentially disrupt supply chains. 

Analysts detailed their results in a study released on Tuesday, claiming that attacks are targeting a variety of IT services firms as well as utility companies. As per a report issued by Symantec Threat Hunter Team, a subsidiary of Broadcom, malicious actors seem to obtain access to networks via spear-phishing and then steal passwords to migrate laterally. 

“Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report. 

However the hackers' identities are unknown, analysts believe they may be associated with the Iranian organization Seedworm, also known as MuddyWater or TEMP.Zagros. In the past, this organization has conducted significant phishing efforts targeting enterprises in Asia and the Middle East to steal passwords and gain resilience in the target's networks. 

Researchers discovered two IP addresses used throughout the operation that had already been related to Seedworm activity, as well as some tool overlap, particularly SharpChisel and Password Dumper, they claimed. Whilst there has already been threat activity from Iran against telcos in the Middle East and Asia—for instance, the Iranian Chafer APT targeted a major Middle East telco in 2018—a Symantec spokesperson termed the action detailed in the report "a step up" in its focus as well as a prospective harbinger of larger attacks to come. 

According to the analysts, a conventional attack in the latest campaign started with attackers penetrating a specified network and then trying to steal passwords to move laterally so that web shells could be launched onto Exchange Servers. 

Researchers dissected a particular attack launched in August on a Middle Eastern telecom provider. According to the experts, the first sign of penetration, in that case, was the development of a service to execute an unidentified Windows Script File (WSF). 

Scripts were then utilized by attackers to execute different domain, user discovery, and remote service discovery commands, and PowerShell was ultimately utilized to download and execute files and scripts. According to analysts, attackers also used a remote access tool that purported to query Exchange Servers of other firms. 

According to the researchers, attackers were interested in leveraging some hacked firms as stepping stones or just to target organizations other than the first one to build a supply-chain attack. 

“A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named ‘Special discount program.zip,’ suggesting that it arrived in a spear-phishing email,” they wrote.

Hackers Exploit Glitch Platform to Host Malicious URLs

 

Threat actors are actively abusing the Glitch platform with the aim of hosting free credential-harvesting SharePoint phishing pages on this platform that perform credential theft. The campaign is targeting employees of major firms from the Middle East. 

The phishing campaign started in July 2021, and is, unfortunately, still active, stated security researcher Chad Anderson from DomainTools. The spear-phishing campaign included suspicious PDFs that do not contain any malicious content. 

Instead, these PDFs contain a link that leads the user to a malicious website hosted at Glitch, which would display a landing page that includes obfuscated JavaScript for stealing credentials. Glitch is a cloud-based hosting solution with a built-in code editor for operating and hosting software projects ranging from simple websites to large applications.

 Exploiting Glitch 

According to Bleeping Computer, Glitch is vulnerable to phishing assaults because they provide a free version through which users can design an app or a page and keep it running on the internet for five minutes. After that, the user has to enable it again manually.

“For example, one document directed the recipient to hammerhead-resilient-birch. glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again,” Anderson explained.

“Spaces, where code can run and be hosted for free, are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he added. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.” 

The perfect combination for attackers is the platform’s credibility and the free version, which is the path for attackers to host malicious URLs for a short period of time, favorably treating Glitch’s domain with security tools. A team of experts went further with their research and discovered the Glitch website linked with a service of commercial malware sandbox. This included a screenshot of the Microsoft SharePoint phishing login page. 

The discovery of the PDF through which the researchers were directed to that website led to the identification of various HTML documents linked to that sample after it was submitted to Virus Total. The chunks of obfuscated JavaScript could be spotted after the pages were pulled. These code chunks passed through these malicious WordPress sites and then were used for the purpose of leaking credentials. Researchers attempted to speak to Glitch regarding the exploit of the platform, but the company is yet to respond.

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unsecured flaws to implement the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating.

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan at the same timeframe as BackdoorDiplomacy.

Iranian Hacking Group Targets Several Middle East Companies Via Malicious Campaign

 

Security researchers at Trend Micro found proof of malicious activity by ‘MuddyWater’ automatically programmed tool (APT) that has aimed at Middle East organizations by utilizing the ScreenConnect remote management tool.

Security analysts at Trend Micro have dubbed ‘Earth Vetala’ the recently detected campaign. However, the latest finding expands on previous research published by Anomali last month. MuddyWater is an Iranian hacking group known for its offensives primarily against Middle Eastern nations.

Key findings from this investigation 

The details discovered by security researchers are listed below:

• The campaign is currently stealing all the credentials from browsers like Chrome, Chromium, Firefox, Opera, Internet Explorer, and Outlook. 

• The campaign is said to have leveraged spear-phishing emails containing embedded links to an authorized file-sharing service. 

• The goal of this campaign is to spread all the malicious packages that generally carry remote tools (ScreenConnect and RemoteUtilities) to manage all the enterprise systems remotely. 

Security researchers have discovered a spear phishing email supposedly from a government agency. However, these emails direct victims to a .ZIP file that contains a legitimate remote administration software developed by RemoteUtilities, which is capable of downloading and uploading files, capturing screenshots, browsing files and directories, and executing and terminating processes. 

Earth Vetala has been appropriating the post-exploitation that involves password/process- dumping tools, and customer backdoors. The threat actors have been perceived as instating communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts. 

Security researchers at Trend Micro said the targets of the new wave of attacks are mainly organizations located in countries including Bahrain, Israel, Azerbaijan, Saudi Arabia, and the United Arab Emirates

In one particular instance involving a compromised host in Saudi Arabia, the researchers discovered that the adversary tried to unsuccessfully configure SharpChisel – a C# wrapper for a TCP/UDP tunneling tool called chisel – for C2 communications, before installing a remote access tool, a credential stealer, and a PowerShell backdoor capable of implementing arbitrary remote commands.

UAE Faces Cyber Pandemic, Cyberattacks In The Middle East On The Rise


The Middle East is suffering a "cyber pandemic" crisis due to coronavirus-themed cyberattacks on the rise this year, says Mohamed al-Kuwaiti, United Arab Emirates government's cybersecurity chief. Moving into a full online life, UAE witnessed an increase in cyberattacks, he further says. The UAE saw a record 250% increase in cybersecurity attacks in 2020. The pandemic compelled companies across the globe to look inside assess their assets, as criminal actors preyed on the digital world. 

"Al Kuwaiti said discussions were ongoing regarding lifting the ban on some Voice over Internet Protocol (VoIP) services in the UAE, such as WhatsApp and FaceTime calling," reports CNBC. Al Kuwaiti says that UAE became a primary target of attacks by the activists when it recently tied formal relations with Israel. Criminals targeted health and financial sectors in particular. The news provides a more in-depth insight into the troublesome cybersecurity challenges UAE and Middle East faces. In these regions, cyberattacks and breaches are prospering; most of these state-sponsored and undetected. According to Al Kuwaiti, various sources were behind this attack. Although the attacks come from all over the region, the main actor is Iran, he says. 

The issue reveals ongoing tension in the area, whereas Iran says that it is a target of cyberattacks. However, the Iranian foreign ministry has not offered any comments on the issue. Al Kuwaiti says that "phishing" and "ransomware" attacks are on the rise; these attacks have become more sophisticated and frequent. In a phishing attack, the hacker pretends to be a legitimate person or entity and steals sensitive information from the victim. Whereas in a ransomware attack, the hacker blocks access to information and demands a ransom from the victim. 

The latest research by cybersecurity firm TrendMicro says government IT infrastructures and critical public systems have become one of the primary targets of hackers globally, with ransomware attacks in the trend. According to the report, "current malicious actors have opted to demand heftier ransoms from targets that are more likely to pay, such as healthcare companies and local governments."