google-site-verification: google30a059f9a075f398.html

Recent large scale attacks including Microsoft Office flaw exploited by suspected Iranian APT groups

CyberWisdom aggregated three articles with similar story that researchers report that the threat actor, assessed to be Iranian APT groups, APT34, and/or possibly APT33 is behind exploiting the memory corruption vulnerability CVE-2017-11882. The hacker deploys the PowerShell-based backdoor POWRUNER as well as BONDUPDATED, a downloader with domain generation algorithm (DGA) functionality. Furthermore, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882, which affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. It was patched by Microsoft on Nov. 14. “The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas,” FireEye explained.

Since at last July 2017, these two malwares have been used in previous campaigns attributed to APT34, which FireEye says “loosely aligns” with reports of a group commonly referred to in cybersecurity circles as OilRig.

Researchers: Microsoft Office flaw exploited by suspected Iranian APT groups believe a suspected Iranian APT group is responsible for a recent cyber espionage operation that targeted a Middle Eastern government organization, using a recently patched remote code execution vulnerability in Microsoft Office as an attack vector…. Researchers: Microsoft Office flaw exploited by suspected Iranian APT group


“We believe APT34 is involved in a long-term cyber-espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests, and has been operational since at least 2014,” FireEye said in an analysis. “This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.”

APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics.

Iranian State-Sponsored APT 34 Launches Spy Campaign with Just-Patched Microsoft Vulns espionage campaign being carried out in the Middle East uses a vulnerability less than a week after Microsoft patched it…. Iranian State-Sponsored APT 34 Launches Spy Campaign with Just-Patched Microsoft Vulns

We learn from CyberScoop that these Iranian APT groups attacks are against individuals living in several countries, including Iran, the U.S., Israel, the U.K., the United Arab Emirates and India. Commonly known as “Charming Kitten” and “Rocket Kitten,” the Iranian groups targeted individuals involved with academia, human rights or media, the company said.

“The new report is mostly focused on the actions of a well-documented Iranian group, Charming Kitten, but there’s others we see very active right now as well, including Copy Kitten, OilRig, Greenbug, and Magichound, ” Sela said, calling each group by names familiar to the security research community. Read the article below for the connection.

In addition, ClearSky, an Israeli cybersecurity firm, recently reported that Charming Kitty, an Iran-backed group was using cyber-attacks to find out information about Iranian dissidents.

Another U.S. cybersecurity firm Area 1 Security, reported that it too has “observed a considerable increase in Iranian targeting operations,” according to one of its founders, Blake Darché.

The increase in the number and sophistication of Iranian hacking attacks, according to Darché, reflects the government’s role in encouraging these attacks. “Iran spends considerable time in the early kill chain, gathering valuable targeting information against their potential victims for their phishing campaigns,” Darché said.

But because the hackers are good at hiding their identities, it is difficult to assess the full scope of the Iranian hacking threat by Iranian APT groups.

“In 2017, Iran really started acting at scale, and I think to myself, ‘Just how big is that scale?’ We don’t know if we are seeing five percent of Iran’s activities, or 90 percent – although I’m guessing it’s closer to five percent,” Mandia, FireEye’s CEO wrote in the company’s report.

This country’s hacking efforts have become too big to ignore hackers linked to China, North Korea and Russia earned headlines over the past year, similar groups in Iran have been drawing far less attention…. This country’s hacking efforts have become too big to ignore

Cybersecurity Expert: Iranian Hacking is a “Coordinated, Probably Military, Endeavor” Staff | 12.08.17 2:28 pm On the heels of a report this week documenting Iran’s increasingly aggressive hacking attacks around the globe, a cybersecurity expert assessed that the advanced nature of the attacks suggests a “coordinated, probably military, endeavor,” CyberScoop an online industry news site reported Thursday. A report released this week, by FireEye, a cybersecurity firm, noticed increased and increasingly advanced cyber-espionage efforts by groups that have been tied to Iran, and to the nation’s Islamic Revolutionary Guard Corps (IRGC). Groups, believed to be Iranian, have utilized “spearphishing emails, strategic web compromises and breached social media accounts distributing malware,” in order to steal commercial secrets and intercept personal communications. In the report, FireEye CEO Kevin Mandia wrote that it no longer seemed to be that Russia and China were the source of most hacking attempts, but “that the majority of the actors we’re responding to right now are hosted in Iran, and they are state-sponsored.” “We saw some noticeable advances in their techniques and tools, like coding changes made to Shamoon [destructive malware],” Adam Meyers, vice president of intelligence for CrowdStrike. “And that showed I think that what was… Cybersecurity Expert: Iranian Hacking is a “Coordinated, Probably Military, Endeavor”


If like like to receive these curated news alerts then subscribe to my mailing list.