New Iranian Ransomware Groups Detected

Uploaded on 2020-09-23 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

Iranian hackers using ransomware and are targeting companies in Russia, India, China, and Japan and two new groups have recently been identified. One highly professional, the other less so. 

One new group is deploying Dharma ransomware and based upon on forensic analysis, this is a non-sophisticated, financially-motivated gang that is new to cyber crime and they are going after easy hits, using publicly available tools in their activity.

The second  group are elite hackers associated with the Iranian government has been detected attacking the US private and government sector, according to a security alert sent by the FBI. 

While the alert, called a Private Industry Notification, didn't identify the hackers by name, sources say that the group is tracked by the larger cyber-security community under code names such as Fox Kitten or Pari site. Fox Kitten primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices.

Due to the nature of the devices they attack, targets primarily include large private corporations and government networks. Once the hackers gain access to a device, they install a web shell or backdoor, transforming the equipment into a gateway into the hacked network.

Amateur Hackers at Work

These threat hackers is not as greedy as they might be and their demand is typically between 1-5 Bitcoin (currently $11,700 - $59,000), which is on the lower range of ransom demand compared to other ransomware operations. They find victims by scanning IP address ranges on the internet for exposed Remote Desktop Connections (DP); their tool of choice for this stage is Massana, an open-source port scanner. Next, they launch a brute-force with Librate, a utility that tries a list of DP passwords in an attempt to find a combo that works. Once in, they sometimes try to elevate privileges by exploiting an old vulnerability in Windows 7 through 10.

Researchers at cyber security company Group-IB learned about this new group in June during an incident response engagement at a company in Russia. Based on forensic artifacts, they determined the attacker to be “Persian-speaking newbie hackers.”

Supporting this conclusion are clues from the next steps of the attack, which seem to lack the confidence of an actor that knows what to do once after breaching a network.

Further evidence that the operation is the work of a script kiddie from Iran comes from search queries in Persian to find other tools necessary for the attack and from the Persian-language Telegram channels providing them. The number of victims compromised by this threat actor remains unknown, just like the path that led the threat actor to Dharma ransomware-as-a-service (RAAS) operation.

An OPEC error by an Iranian threat actor has laid bare the inner workings of the hacking group by providing a rare insight into the "behind-the-scenes look into their methods."

IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours-worth of video recordings of the state-sponsored group it calls IPTG which is also called Charming Kitten,  that it uses to train its operators. Some of the victims in the videos included personal accounts of US and Greek Navy personnel, in addition to unsuccessful phishing attempts directed against US state department officials and an unnamed Iranian-American philanthropist.

Researchers said part of this change may be attributed to the pandemic exposing a number of vulnerable hosts, with many employees working remotely, making an extremely popular attack vector for cyber criminals.  

US Dept. Of Justice:     MalwareBytes:     Threatpost:       Hacker News:     

 Oodaloop:     ZDNet:      Bleeping  Computer:   
 

You Might Also Read:

The New Generation Of Cyber Security Threats:


 

« The Dark Side Of The Web
Government, Cyber Attacks, Terrorism & Piracy »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BakerHostetler

BakerHostetler

BakerHostetler is one of the largest law firms in the USA We have five core practice groups including a specialty practice team in Privacy and Data Protection.

Jones Day

Jones Day

Jones Day is an international law firm based in the United States. Practice areas include Cybersecurity, Privacy & Data Protection.

Arista Networks

Arista Networks

Arista Networks is an industry leader in data-driven, client to cloud networking for large data center, campus and routing environments.

Verve Industrial

Verve Industrial

Verve specialize in providing software and services to help protect and secure critical industrial control systems.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

Cog Systems

Cog Systems

Cog Systems offer an embedded solution built on modularity, proactive security, trustworthiness, and adaptability to enable highly secure connected devices.

Indeed

Indeed

Indeed is a worldwide employment-related search engine for job listings covering job types in all industries, including cybersecurity.

Kleiner Perkins

Kleiner Perkins

For five decades, Kleiner Perkins has made history by partnering with some of the most ingenious and forward-thinking founders in technology and life sciences.

Evolution Equity Partners

Evolution Equity Partners

Evolution Equity Partners is an international venture capital investor partnering with exceptional entrepreneurs to develop market leading cyber-security and enterprise software companies.

AgileBlue (Agile1)

AgileBlue (Agile1)

AgileBlue (formerly Agile1) is a managed breach detection company with an Autonomous SOC-as-a-Service for 24×7 monitoring, detection and guided response.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Extreme Engineering Solutions (X-ES)

Extreme Engineering Solutions (X-ES)

Extreme Engineering Solutions is a leader in the design, manufacture, testing, and support of hardware and software solutions for the embedded computing market.

Nanitor

Nanitor

Nanitor is a powerful cybersecurity management platform focusing on hardening security fundamentals across your global IT infrastructure.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

iTRUSTXForce

iTRUSTXForce

iTRUSTXForce is a global provider of DigitalX (cybersecurity, privacy, and digital trust) services. We offer comprehensive services that focus on delivering outcomes for our clients.

Promptfoo

Promptfoo

Promptfoo helps developers and enterprises build secure, reliable AI applications.