New Iranian Ransomware Groups Detected

Uploaded on 2020-09-23 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

Iranian hackers using ransomware and are targeting companies in Russia, India, China, and Japan and two new groups have recently been identified. One highly professional, the other less so. 

One new group is deploying Dharma ransomware and based upon on forensic analysis, this is a non-sophisticated, financially-motivated gang that is new to cyber crime and they are going after easy hits, using publicly available tools in their activity.

The second  group are elite hackers associated with the Iranian government has been detected attacking the US private and government sector, according to a security alert sent by the FBI. 

While the alert, called a Private Industry Notification, didn't identify the hackers by name, sources say that the group is tracked by the larger cyber-security community under code names such as Fox Kitten or Pari site. Fox Kitten primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices.

Due to the nature of the devices they attack, targets primarily include large private corporations and government networks. Once the hackers gain access to a device, they install a web shell or backdoor, transforming the equipment into a gateway into the hacked network.

Amateur Hackers at Work

These threat hackers is not as greedy as they might be and their demand is typically between 1-5 Bitcoin (currently $11,700 - $59,000), which is on the lower range of ransom demand compared to other ransomware operations. They find victims by scanning IP address ranges on the internet for exposed Remote Desktop Connections (DP); their tool of choice for this stage is Massana, an open-source port scanner. Next, they launch a brute-force with Librate, a utility that tries a list of DP passwords in an attempt to find a combo that works. Once in, they sometimes try to elevate privileges by exploiting an old vulnerability in Windows 7 through 10.

Researchers at cyber security company Group-IB learned about this new group in June during an incident response engagement at a company in Russia. Based on forensic artifacts, they determined the attacker to be “Persian-speaking newbie hackers.”

Supporting this conclusion are clues from the next steps of the attack, which seem to lack the confidence of an actor that knows what to do once after breaching a network.

Further evidence that the operation is the work of a script kiddie from Iran comes from search queries in Persian to find other tools necessary for the attack and from the Persian-language Telegram channels providing them. The number of victims compromised by this threat actor remains unknown, just like the path that led the threat actor to Dharma ransomware-as-a-service (RAAS) operation.

An OPEC error by an Iranian threat actor has laid bare the inner workings of the hacking group by providing a rare insight into the "behind-the-scenes look into their methods."

IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours-worth of video recordings of the state-sponsored group it calls IPTG which is also called Charming Kitten,  that it uses to train its operators. Some of the victims in the videos included personal accounts of US and Greek Navy personnel, in addition to unsuccessful phishing attempts directed against US state department officials and an unnamed Iranian-American philanthropist.

Researchers said part of this change may be attributed to the pandemic exposing a number of vulnerable hosts, with many employees working remotely, making an extremely popular attack vector for cyber criminals.  

US Dept. Of Justice:     MalwareBytes:     Threatpost:       Hacker News:     

 Oodaloop:     ZDNet:      Bleeping  Computer:   
 

You Might Also Read:

The New Generation Of Cyber Security Threats:


 

« The Dark Side Of The Web
Government, Cyber Attacks, Terrorism & Piracy »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Secure Thingz

Secure Thingz

Secure Thingz focus on developing and delivering advanced security solutions into the emerging Industrial Internet of Things (IIoT) and Critical Infrastructure markets.

Fidelis Security

Fidelis Security

Fidelis Security is a leading provider of extended threat detection and response (XDR) solutions for your security operations.

CyberESI

CyberESI

CyberESI is a Managed Security Service Provider providing 24x7 remote security monitoring and management of your mission-critical networks.

Huntsman Security

Huntsman Security

Huntsman Security provides technology to enable real-time security monitoring and immediate visibility of advanced threats and compliance issues.

Ntrepid

Ntrepid

Ntrepid products provide protection from web threats and enable organizations to safely conduct their online activities.

MAD Security

MAD Security

MAD Security is a premier provider of information and cybersecurity solutions that combine technology, managed security services, support and training.

Proteus

Proteus

Proteus is an Information Security consulting firm specialized in Risk Analysis and Executive Control.

Haven Group

Haven Group

Haven Group and its companies are a cyber security one-stop-shop for our clients offering a full range of cyber security services to our clients in a unified and united way.

Marlabs

Marlabs

Marlabs is a Digital Technology Solutions company that helps companies adopt digital transformation using a comprehensive framework including Digital Automation, Enterprise Analytics and Security.

Samurai Digital Consulting

Samurai Digital Consulting

Samurai Digital Security are a cyber and Information security services provider, specialising in penetration testing, incident response, user awareness and information governance solutions.

Valarian

Valarian

Valarian (formerly Worldr) is on a mission to build cutting-edge solutions that empower borderless collaboration in the new era of digital sovereignty.

Herzing College

Herzing College

Herzing College Ottawa offers an accelerated 12-month Cybersecurity Specialist training program. This program is developed by industry experts and based on leading IT security certifications.

Sendmarc

Sendmarc

Sendmarc automates the process of protecting your domain from being used in email impersonation and phishing attacks.

CyFlare

CyFlare

CyFlare’s security platform integrates your tools with ours – delivering true positives, automated remediation, and interactive analytics built for security management teams.

Kontra

Kontra

Kontra application security training is an interactive and intuitive learning experience that engages developers.

Freeze

Freeze

Freeze prevents attacks before they can start by finding, removing, and stopping the spread of information about your organization and employees.