Tag Archive for: Iranian

Cybercriminals expand targeting of Iranian bank customers with known mobile malware


Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers.

The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their capabilities, according to U.S.-based cybersecurity firm Zimperium.

Initially, the threat actor behind the campaign created 40 credential-harvesting apps imitating four major Iranian banks, including Bank Mellat, Bank Saderat, Resalat Bank and Central Bank of Iran.

These apps mimicked legitimate versions found on the popular Iranian marketplace Cafe Bazaar and were distributed through several phishing websites. The first campaign lasted from December 2022 until May 2023.

In the ongoing campaign detected by Zimperium, the hackers created malicious apps that now imitate 12 Iranian banks. Once installed, these apps also scan victims’ phones to find cryptocurrency wallet apps — an indication that they could be targeted in the future, researchers said.

The earlier versions of fake apps could steal banking login credentials and credit card information, intercept SMS traffic to steal one-time passwords used for authentication, and hide app icons to prevent uninstallation.

In a new campaign, the hackers added more capabilities to their malware to make it easier to harvest credentials and steal data. The hackers also narrowed their focus to Xiaomi and Samsung devices to execute some of the malware features, according to the report.

Other evidence suggests that the attackers are now likely working on a malware variant that targets iOS devices, the researchers said.

In addition to malicious apps, the same threat actor is linked to phishing attacks targeting customers of the same banks. “The phishing campaigns used are sophisticated, trying to mimic original sites in the closest detail,” researchers said. The data stolen by the phishing sites is sent to Telegram channels controlled by hackers.

It is not yet clear which threat actor is behind this campaign and how many users were affected by it.

Last week, researchers at Microsoft uncovered a similar information-stealing campaign targeting customers of Indian banks with mobile malware. The…

Source…

Iranian Hacking Group Attacks Pennsylvania Water Authority


CISA Investigating Iranian Hacking Group Attack on Pennsylvania Water Authority

Iranian threat actors launched a cyberattack against the Municipal Water Authority of Aliquippa. (Image: MWAA)

The U.S. Cybersecurity and Infrastructure Security Agency is investigating a cyberattack from an Iranian hacking group known as “Cyber Av3ngers” that targeted a small municipal water authority in Pennsylvania over its use of Israeli-owned software, according to officials.


The Municipal Water Authority of Aliquippa confirmed it had been the subject of a breach Saturday that shut down a supply pump providing drinking water to multiple municipalities, including a town in the Pittsburgh metropolitan area with nearly 3,000 residents, according to U.S. Census data.


The water authority uses pressure-monitoring equipment developed by the Israeli technology company Unitronics. When the attack occurred, a small Unitronics device in the Pennsylvania facility flashed a bright red message that read: “You have been hacked. Down with Israel. Every equipment ‘made in Israel’ is Cyber Av3ngers legal target.”


The intrusion triggered alerts to the U.S. Department of Homeland Security and sent on-call municipal workers scrambling during the holiday weekend to shut down automated systems and conduct manual operations.


Robert Bible, a Pittsburgh-area water authority official, told media outlets that local water service was not disrupted and that water quality was unaffected by the incident.

The attack is one of a handful of known cyberattacks on American water systems. The Biden administration earlier this year attempted to use existing regulatory authorities to force water systems into evaluating their cybersecurity risk, but it backed off in the face of a court ruling staying the…

Source…

Hacking Capabilities of Iranian Dissidents Adds to Tehran’s Woes


Just over a year ago, the Islamic Republic of Iran experienced one of its most serious cybersecurity breaches, resulting in the temporary inaccessibility of several government websites and the disruption of power grids, surveillance cameras, and other digital infrastructure. Contrary to what one might have expected, the attacks came not from any of Tehran’s foreign adversaries but rather from a group of anti-government hacktivists known collectively as Gyamsarnegouni, or “Uprising Until Overthrow.”

Cybersecurity researchers discerned the domestic origins of the hack mainly from the fact that the operation also saw the release of vast quantities of government documents detailing personnel and financial records and secret strategic communications by regime authorities. The leak involved such a tremendous amount of data that it likely would have been impossible to exfiltrate remotely from outside the Islamic Republic, partly because Iranian internet access is notably slow, with frequent outages, and partly because the systems targeted by the underlying hack were effectively cut off from the global internet.

Our research pointed out not only that individuals inside the Islamic Republic carried out the attacks but also that the attacks almost certainly required the participation of figures inside the regime itself, who would have had direct access to the systems in question.

It would be difficult to overstate the damage that opposition hacktivists, equipped with finely honed modern cyber espionage and digital sabotage tools, have done to Iran’s ruling system through these attacks. The damage should be evident from the scale and diversity of Iranian hacktivists’ achievements in recent years, especially in the immediate aftermath of the killing of Mahsa Amini by morality police in September 2022, which sparked an immediate, nationwide uprising that many have called the clerical regime’s greatest challenge in all of its 44 years.

An attack on the Islamic Republic of Iran Broadcasting penetrated highly secure networks, typically isolated from the internet, and allowed hackers to briefly broadcast opposition messaging on state media, including some of the uprising’s defining slogans, like…

Source…

Iranian APT Group OilRig Using New Menorah Malware for Covert Operations


Sep 30, 2023 | THN | Cyber Espionage / Malware


Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.

“The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware,” Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy said in a Friday report.

The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia.


Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks.

The revelation builds on recent findings from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deployment of a new variant of SideTwist malware, indicating that it’s under continuous development.

In the latest infection chain documented by Trend Micro, the lure document is used to create a scheduled task for persistence and drop an executable (“Menorah.exe”) that, for its part, establishes contact with a remote server to await further instructions. The command-and-control server is currently inactive.


The .NET malware, an improved version of the original C-based SideTwist implant discovered by Check Point in 2021, is equipped with features to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system.

“The group consistently develops and enhances tools, aiming to reduce security solutions and researchers’ detection,” the researchers said.

“Typical of APT groups, APT34 demonstrates their vast resources and…

Source…