New Iranian Ransomware Groups Detected

Uploaded on 2020-09-23 in TECHNOLOGY--Hackers, GOVERNMENT-National, FREE TO VIEW

Iranian hackers using ransomware and are targeting companies in Russia, India, China, and Japan and two new groups have recently been identified. One highly professional, the other less so. 

One new group is deploying Dharma ransomware and based upon on forensic analysis, this is a non-sophisticated, financially-motivated gang that is new to cyber crime and they are going after easy hits, using publicly available tools in their activity.

The second  group are elite hackers associated with the Iranian government has been detected attacking the US private and government sector, according to a security alert sent by the FBI. 

While the alert, called a Private Industry Notification, didn't identify the hackers by name, sources say that the group is tracked by the larger cyber-security community under code names such as Fox Kitten or Pari site. Fox Kitten primarily operates by attacking high-end and expensive network equipment using exploits for recently disclosed vulnerabilities, before companies had enough time to patch devices.

Due to the nature of the devices they attack, targets primarily include large private corporations and government networks. Once the hackers gain access to a device, they install a web shell or backdoor, transforming the equipment into a gateway into the hacked network.

Amateur Hackers at Work

These threat hackers is not as greedy as they might be and their demand is typically between 1-5 Bitcoin (currently $11,700 - $59,000), which is on the lower range of ransom demand compared to other ransomware operations. They find victims by scanning IP address ranges on the internet for exposed Remote Desktop Connections (DP); their tool of choice for this stage is Massana, an open-source port scanner. Next, they launch a brute-force with Librate, a utility that tries a list of DP passwords in an attempt to find a combo that works. Once in, they sometimes try to elevate privileges by exploiting an old vulnerability in Windows 7 through 10.

Researchers at cyber security company Group-IB learned about this new group in June during an incident response engagement at a company in Russia. Based on forensic artifacts, they determined the attacker to be “Persian-speaking newbie hackers.”

Supporting this conclusion are clues from the next steps of the attack, which seem to lack the confidence of an actor that knows what to do once after breaching a network.

Further evidence that the operation is the work of a script kiddie from Iran comes from search queries in Persian to find other tools necessary for the attack and from the Persian-language Telegram channels providing them. The number of victims compromised by this threat actor remains unknown, just like the path that led the threat actor to Dharma ransomware-as-a-service (RAAS) operation.

An OPEC error by an Iranian threat actor has laid bare the inner workings of the hacking group by providing a rare insight into the "behind-the-scenes look into their methods."

IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours-worth of video recordings of the state-sponsored group it calls IPTG which is also called Charming Kitten,  that it uses to train its operators. Some of the victims in the videos included personal accounts of US and Greek Navy personnel, in addition to unsuccessful phishing attempts directed against US state department officials and an unnamed Iranian-American philanthropist.

Researchers said part of this change may be attributed to the pandemic exposing a number of vulnerable hosts, with many employees working remotely, making an extremely popular attack vector for cyber criminals.  

US Dept. Of Justice:     MalwareBytes:     Threatpost:       Hacker News:     

 Oodaloop:     ZDNet:      Bleeping  Computer:   
 

You Might Also Read:

The New Generation Of Cyber Security Threats:


 

« The Dark Side Of The Web
Government, Cyber Attacks, Terrorism & Piracy »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Infinigate UK

Infinigate UK

Infinigate is a value-added distributor of IT security solutions to protect and defend IT networks, servers, devices, data, applications, as well as the cloud.

CERT Polska

CERT Polska

CERT Polska is the first Polish computer emergency response team and operates within the structures of NASK (Research and Academic Computer Network) research institute.

ISO Quality Services Ltd

ISO Quality Services Ltd

ISO Quality Services is an independent organisation that specialises in the implementation, certification and continued auditing of ISO and BS EN Management Standards including ISO 27001..

Cyber Data-Risk Managers

Cyber Data-Risk Managers

Cyber Data-Risk Managers Pty Ltd is an insurance broker based in Melbourne, Australia specializing in Cyber insurance / Data breach insurance.

Referentia

Referentia

Referentia leads the development of critical infrastructure solutions that benefit society, including cyber security and network performance management.

International Federation of Robotics (IFR)

International Federation of Robotics (IFR)

The International Federation of Robotics connects the world of robotics around the globe. Our members come from the robotics industry, industry associations and research & development institutes.

Maritime Cyber Alliance

Maritime Cyber Alliance

Maritime Cyber Alliance was established in 2017 by Airbus , CSOAlliance , MCSA & Wididi to provide a medium for both public Cyber Safety advice and for businesses to discuss Cyber concerns.

Randori

Randori

Randori is an attack platform that provides "red-teaming" as a service — basically, staging simulated hack attacks to test for vulnerabilities and gaps in the security response.

Activu

Activu

Activu makes any information visible, collaborative, and proactive for people tasked with monitoring critical operations including network security.

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

CyberArmor

CyberArmor

Cyber Armor defend everyday IT and OT systems, from government agencies to critical infrastructure, from system integrators to small industries.

Cyber Defense Technologies (CDT)

Cyber Defense Technologies (CDT)

Cyber Defense Technologies provides services and turn-key solutions to secure and maintain the integrity of your organization’s systems and data against attacks.

European Cybersecurity Competence Centre (ECCC)

European Cybersecurity Competence Centre (ECCC)

The ECCC aims to increase Europe’s cybersecurity capacities and competitiveness, working together with a Network of National Coordination Centres to build a strong cybersecurity Community.

Avocado Consulting

Avocado Consulting

Avocado helps clients deliver with certainty on their complex IT change, with technology services that automate, monitor and optimise.

All About Cookies

All About Cookies

All About Cookies is an informational website that provides tips, advice, and recommendations to help you with Online Privacy, Identity Theft Prevention, Antivirus Protection, and Digital Security.

Closed Door Security

Closed Door Security

Closed Door Security is the only cybersecurity team in the north of Scotland offering everything from IASME Certification to CREST-Accredited penetration testing.