Homeland Justice and Karma: Iranian Cyber Attacks Revealed
Source: Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel (thehackernews.com)
Recent revelations have uncovered a worrying trend surrounding Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS), namely that they are the main suspects behind destructive cyberattacks targeting Albania and Israel. These threat actors, also tracked as 'Void Manticore,' have been using wiper malware against critical systems in both countries while presenting themselves publicly as 'Homeland Justice' and 'Karma.' The timing of their activity also correlates strikingly with geopolitical events involving Israel, Albania, and Iran: attacks against Albania had been ongoing since July 2022, while attacks against Israel only began in earnest following the outbreak of the Israel-Palestine war in October 2023.
Void Manticore's attacks have caused significant disruption and are characterized by a dual approach that combines data destruction with psychological warfare. This suggests that, for the time being, the group is more focused on disrupting Iran's perceived adversaries and causing mayhem than on stealing any specific or sensitive information. Its tactics include deploying wiper malware such as CI Wiper and No-Justice to delete data, while magnifying the impact and the media buzz surrounding the attacks by selectively leaking data to the public. The attacks do not stand out for the sophistication of their methods: publicly available tools and known vulnerabilities appear to be the means of choice for gaining a foothold in vulnerable systems tied to either victim country. Once access is secured, the attackers lean on ubiquitous protocols such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) to move laterally between systems while searching for the optimal location in which to deploy their payloads.
One of the intriguing features of this campaign and its threat group is the apparent overlap between Void Manticore and another threat group known as Scarred Manticore. This indicates some level of collaboration between the two groups throughout the attack process, culminating in a systematic handoff of targets before exploitation. This degree of coordination between two distinct threat groups once again underlines the sensitivity and sophisticated nature of these attacks conducted by the Iranian government. Furthermore, it fits the previously established modus operandi of the Iranian MOIS, which has a proven track record of coordinating attacks between the various threat actors operating under its purview.
Ultimately, these attacks once again highlight the ever-growing need to raise awareness surrounding the institutionalized nature of cyber threats. With our world gradually becoming ever more unstable and cyber threats becoming ever more ubiquitous, thinking of cyber as solely a domain in which companies protect themselves against black hat hackers and organized criminals is an outdated notion, as nation-states across the world are increasingly using cyber-attacks as a means to achieve their geopolitical objectives.
For a more detailed analysis surrounding the attacks, feel free to visit The Hacker News.