An Escalating Cyber-Espionage Campaign In The Middle East

Cyber-attacks in the Middle East are on the rise and the US Dept. of US Homeland Security is warning US companies to “consider and assess” the possible impacts and threat of a cyberattack on their businesses following heightened tensions with Iran.

This is the first official guidance published by the government’s dedicated cyber advisory unit, the Cybersecurity and Infrastructure Security Agency following the assasination of a leading Iranian military commander.

Iran-linked hackers have been running spearphishing email campaigns against governmental organisations in Turkey, Jordan and Iraq in recent months in a likely effort to gather intelligence, according to research published by Dell Secureworks

Most of the targeting, began before the US killing of General Soleimani, the leader of the Iran’s Quds Force, in Baghdad early January.

The alert highlighted that Iranian hackers could be zeroing in on the defense industrial base, government agencies, academia and nongovernmental organisations. The campaign Secureworks’ Counter Threat Unit (CTU) has observed, with activity from mid-2019 to mid-January of 2020, has also targeted intergovernmental organisations and unknown entities in Georgia and Azerbaijan, according to the CTU, which declined to share how many entities, and which ones, have been targeted.

It’s not clear if the activity increase in these apparent espionage operations is in a response to the Soleimani killing or if it is just a natural progression of the campaigns and while lures from this group in the past have been related to intelligence themes, this espionage campaign is more “generic,” according to Secureworks. 

Based on the victims and code similarities, Secureworks assesses the activity to be the work of MuddyWater, an Iranian hacking group that has been known to target Middle Eastern, European, and North American nations.

A New RAT

To execute its attack, MuddyWater has been sending targets malicious Microsoft Excel Spreadsheet files through .zip archives in their spearphishing messages, CTU assesses. In one version of the campaign, the Excel file delivers a Remote Access Trojan (RAT) that has not previously been observed, according to Secureworks.

The RAT, which CTU is dubbing “ForeLord,” uses DNS tunneling so that requests are directed to legitimate DNS servers but then rerouted to malicious servers controlled by the attackers.

The tools MuddyWater appears to be deploying after initial intrusion, such as a variant of the Mimikatz malware, appear to show Iran may be interested in gaining credentials from its targets.

“After gaining initial access to a host, the threat actors dropped several tools to collect credentials, test those credentials on the network, and create a reverse SSL tunnel to provide an additional access channel to the network,” the researchers write.

Cyber-espionage and sabotage are the chief motivations for groups carrying out such attacks, according to the report. Their preferred mode of duping targets is through spear phishing, a practice of sending emails from ostensibly a trusted sender in order to trick them into revealing information.

CyberScoop:       CNBC:      Techcrunch:

You Might Also Read: 

Hamas Hackers Use New Malware:

 


 

« Where Is Iran's Cyber Response To It's General's Assassination?
The Hot Jobs In Cyber Security & How To Get One »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Telos

Telos

Telos offers cybersecurity solutions and services that empower and protect the world’s most security-conscious enterprises.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

ZeroNorth

ZeroNorth

ZeroNorth provides a new approach to improve software and infrastructure security, simplify continuous compliance reporting and to create more cost-effective risk management programs.

WWPass

WWPass

WWPass is a global cybersecurity company that provides password-less authentication and client-side encryption technology.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

IP Twins

IP Twins

IP Twins offer a wide range of services related to domain names and online brand protection.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

Mjenzi Cloud

Mjenzi Cloud

Mjenzi Cloud is a provider of cloud IaaS solutions including managed backup services, affordable & secure cloud virtual compute/storage/compute services, bare-metal services and cloud security.

nexSecurity

nexSecurity

neXSecurity is an IT and Information security consulting company with more than 2 decades worth of software development and security experience.

Wazuh

Wazuh

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Devolutions

Devolutions

Devolutions make best-in-class Privileged Access Management, Password Management, and Remote Connection Management solutions available to ALL organizations — including SMBs.

Clearnetwork

Clearnetwork

Clearnetwork specializes in managed cybersecurity solutions that enable both public and private organizations improve their security posture affordably.

Trojan Horse Security

Trojan Horse Security

Trojan Horse Security are specialists in corporate security. Our services include: Comprehensive Cyber Security Analysis, Penetration Testing, Network Security and Security Audits.

Secuvy

Secuvy

Secuvy leads in data security, privacy, compliance, and governance, offering a unified platform for proactive data discovery, management, protection, and enhanced data value.

Breathe Technology

Breathe Technology

Breathe Technology has been providing Managed IT Support/ Service Desk, Cloud Services, Cyber Security & Communications to businesses and schools since 2003.

Merkle Science

Merkle Science

Merkle Science provides next generation risk mitigation, compliance and forensics for crypto-native businesses, DeFi participants, financial institutions & government agencies.