Iran-Linked Imperial Kitten Cyber Group Targeting Middle East’s Tech Sectors

Nov 10, 2023 | Newsroom | Cyber Attack / Cyber Threat

A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.

The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc.

The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems.

“The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations,” CrowdStrike said in a technical report. “Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants.”

Attack chains leverage compromised websites, primarily those related to Israel, to profile visitors using bespoke JavaScript and exfiltrate the information to attacker-controlled domains.

Besides watering hole attacks, there’s evidence to suggest that Imperial Kitten also relies on exploiting one-day vulnerabilities, stolen credentials, phishing, and even compromising upstream IT service providers to gain initial access.

Phishing campaigns involve the use of macro-laced Microsoft Excel documents to activate the infection chain and drop a Python-based reverse shell that connects to a hard-coded IP address for receiving further commands.

Notable post-exploitation activities include lateral movement using PAExec, an open-source variant of PsExec, and NetScan, followed by the delivery of the IMAPLoader and StandardKeyboard implants.

Also deployed is a remote access trojan (RAT) that uses Discord for command-and-control, while both IMAPLoader and StandardKeyboard employ email messages (i.e., attachments and email body) to receive tasking and send results of the execution.

“StandardKeyboard’s main purpose is to execute Base64-encoded commands received in the email body,” the cybersecurity company pointed out. “Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service.”

The development comes as Microsoft noted that malicious cyber activity attributed to Iranian groups after the start of the war on October 7, 2023, is more reactive and opportunistic.

“Iranian operators [are] continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations,” Microsoft said.

“This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects.”

The disclosure also follows revelations that a Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram, according to Cisco Talos and SentinelOne.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

‘Effluence’ Backdoor Persists Despite Patching Atlassian Confluence Servers

Nov 10, 2023 | Newsroom | Cyber Attack / Threat Intelligence

Cybersecurity researchers have discovered a stealthy backdoor named Effluence that’s deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.

“The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence,” Aon’s Stroz Friedberg Incident Response Services said in an analysis published earlier this week.

“The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence.”

The attack chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS score: 10.0), a critical bug in Confluence Data Center and Server that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.

Atlassian has since disclosed a second flaw known as CVE-2023-22518 (CVSS score: 10.0) that an attacker can also take advantage of to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability.

What makes the latest attack stand out is that the adversary gained initial access via CVE-2023-22515 and embedded a novel web shell that grants persistent remote access to every web page on the server, including the unauthenticated login page, without the need for a valid user account.

The web shell, made up of a loader and payload, is passive, allowing requests to pass through it unnoticed until a request matching a specific parameter is provided, at which point it triggers its malicious behavior by executing a series of actions.

This comprises creating a new admin account, purging logs to cover up the forensic trail, running arbitrary commands on the underlying server, enumerating, reading, and deleting files, and compiling extensive information about the Atlassian environment.

The loader component, per Aon, acts as a normal Confluence plugin and is responsible for decrypting and launching the payload.

“Several of the web shell functions depend on Confluence-specific APIs,” security researcher Zachary Reichert said.

“However, the plugin and the loader mechanism appear to depend only on common Atlassian APIs and are potentially applicable to JIRA, Bitbucket, or other Atlassian products where an attacker can install the plugin.”

Customize Where it Matters, Automate the Rest

Nov 10, 2023 | The Hacker News | Threat Intelligence / SecOps

There is a seemingly never-ending quest to find the right security tools that offer the right capabilities for your organization.

SOC teams tend to spend about a third of their day on events that don’t pose any threat to their organization, and this has accelerated the adoption of automated solutions to take the place of (or augment) inefficient and cumbersome SIEMs.

With an estimated 80% of these threats being common across most organizations, today’s SOCs are able to confidently rely on automation to cover this large percentage of threat signals.

But, while it is true that automation can greatly improve the efficiency and effectiveness of security teams, it will never be able to cover all detection and response use cases infallibly.

In the recently released GigaOm Radar for Autonomous Security Operations Center (SOC), they accurately state that “the SOC will not—and should not—be fully autonomous.”

As more vendors attempt to challenge the dominant players in the SIEM category, demand is increasing for solutions that offer automation, which can cover 80%, while also offering customization capabilities to cover bespoke use cases – the remaining 20%.

Automation can free up valuable time for security teams, so they can spend the majority of their time on use cases unique to their organization.

THE 80%: AUTOMATION

With the continual surge in global data creation, organizations are inevitably seeing an uptick in the number of alerts managed by security teams.

This may seem daunting for overworked security teams, but advanced vendor offerings are implementing automation across various stages of the SOC workflow, helping teams enhance their speed and effectiveness.

The four key phases where we are seeing automation are:

  • Data Ingestion and Normalization: Automating data ingestion and normalization enables teams to process vast amounts of data from diverse sources efficiently, establishing a robust foundation for subsequent automated processes.
  • Detection: Transferring the responsibility for creating a significant portion of detection rules to the vendor allows security analysts to concentrate on threats unique to their organization or market segment.
  • Investigation: Automation can alleviate the burden of manual and repetitive tasks, expediting investigation and triage processes.
  • Response: Automatic responses to known and discovered threats facilitate swift and accurate mitigation. This can include connectivity to case management, SOAR solutions, ITSM, etc.

Modern SIEM replacement vendors, such as Hunters, leverage pre-built detection rules, integrate threat intelligence feeds, and automatically enrich and cross-correlate leads. These automated processes alleviate large amounts of tedious workloads, empowering security teams to easily manage the large majority of alerts.

Automatic enrichment and cross-correlation create comprehensive stories, making tracking lateral movements much more efficient.

THE 20%: CUSTOMIZATION

Although automating the above phases of the workflow has been a massive boost to efficiency for many SOCs, there will always remain the need for a certain degree of customization.

Each organization has bespoke needs and requirements depending on industry- or company-specific use cases. This means that even if automated and built-in capabilities can address 80% of the general use cases and tasks, additional capabilities are needed to cover the remaining 20%.

“Customization” can mean a lot of different things, but the main requirement for security teams is that they have both the flexibility to cover unique use cases and the ability to scale their capabilities. Let’s look at a few examples of use cases where this can be beneficial:

  • Ingesting custom data sources: each organization has multiple data sources they ingest with different log formats. Many vendors may not have pre-built integrations to ingest from every single data source, so if a vendor does offer that capability, it can be a huge lift. This is especially true for organizations that are currently utilizing (or will soon be moving to) data lakes to maintain data for multiple purposes.
  • Detection-as-code: this has become a massive buzzword in the security industry, but with good reason. Detection-as-code offers a variety of advantages for detection engineers, such as a more efficient development lifecycle, and helps large organizations manage multi-tenancy environments more effectively. If you aren’t familiar with the concept, detection-as-code utilizes APIs and deployment pipelines to provide the desired auditing capabilities, bringing the development lifecycle for security operations much closer to that of traditional software development. This approach improves processes so teams can develop higher-quality alerts and reuse code within the organization, avoiding the need to build every new detector from scratch. It also helps push detection engineering left in the development lifecycle, removing the need to manually test and deploy detectors.
  • Scalable business context: whether it be entities with specific sensitivity levels (like crown jewels), data from different business units or geographies, or siloed data from different sources, it takes a lot of time and effort to piece together information in a way that’s understandable and actionable. Leveraging a SIEM alternative that lets you manage all this via API brings expanded efficiencies and scalability that not every vendor provides.
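As an added illustration of the detection-as-code idea (this is example code written for this page, not Hunters’ product code or anything from GigaOm’s report), the block below defines a detection rule as an ordinary Python object with versioned metadata, a match function over normalized events, and a unit test that a deployment pipeline would run before the rule ships. The sample rule hunts for the persistence mechanism described in the Imperial Kitten article above: a Windows service named “Keyboard Service”, plus a generic heuristic for services installed from user-writable paths. The event format, field names and sample events are constructed for the example and do not come from any real telemetry.

```python
"""Detection-as-code example (added for this page; not from Hunters, GigaOm, or CrowdStrike).

A rule is code: it carries an id, a version and a severity, a match() function over
normalized events, and unit tests that a CI pipeline runs before deployment.
Event shape is an assumption for this example: a dict with the fields a normalized
Windows System log 'service installed' event (Event ID 7045) would carry.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Path fragments that a legitimate Windows service binary rarely lives under.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")

# Service name reported by CrowdStrike for the StandardKeyboard implant (from the article).
KNOWN_BAD_SERVICE_NAMES = {"Keyboard Service"}


@dataclass(frozen=True)
class Detection:
    """Metadata plus logic; the metadata is what gets audited and versioned in a pipeline."""
    rule_id: str
    version: str
    severity: str
    description: str
    match: Callable[[dict], bool]
    tags: tuple = ()


def is_suspicious_service_install(event: dict) -> bool:
    """True for a 7045 event whose service name is a known-bad name or whose
    image path points into a user-writable directory."""
    if event.get("event_id") != 7045:
        return False
    name = event.get("service_name", "")
    image = event.get("image_path", "").lower()
    return name in KNOWN_BAD_SERVICE_NAMES or any(d in image for d in USER_WRITABLE_DIRS)


RULES = [
    Detection(
        rule_id="win-persist-001",
        version="1.0.0",
        severity="high",
        description="Service persistence consistent with StandardKeyboard ('Keyboard Service') "
                    "or a service binary in a user-writable directory",
        match=is_suspicious_service_install,
        tags=("persistence", "windows-service"),
    ),
]


def run_rules(events: Iterable[dict], rules=RULES) -> list:
    """Evaluate every rule against every event; returns one alert dict per hit."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.match(ev):
                alerts.append({
                    "rule_id": rule.rule_id,
                    "version": rule.version,
                    "severity": rule.severity,
                    "host": ev.get("host"),
                    "service_name": ev.get("service_name"),
                })
    return alerts


# Constructed sample events (not real telemetry): one known-bad name, one benign
# system service, one unknown service from a temp directory, one non-7045 event.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "Keyboard Service",
     "image_path": r"C:\ProgramData\kbd\svc.exe"},
    {"event_id": 7045, "host": "ws02", "service_name": "Dhcp",
     "image_path": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 7045, "host": "ws03", "service_name": "Updater",
     "image_path": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"event_id": 4624, "host": "ws01", "service_name": "", "image_path": ""},
]


def test_rule_unit() -> bool:
    """The unit test a pipeline runs before deploying the rule:
    a true positive and a true negative must both hold."""
    true_positive = is_suspicious_service_install(SAMPLE_EVENTS[0])
    true_negative = not is_suspicious_service_install(SAMPLE_EVENTS[1])
    return true_positive and true_negative


if __name__ == "__main__":
    assert test_rule_unit(), "rule failed its unit test; do not deploy"
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints two alerts (ws01 for the known-bad service name, ws03 for the temp-directory binary) and none for the benign service or the non-service event. The point of the structure is that changing the rule means changing a versioned object under test, which is what gives a detection team the review, audit and rollback path the article describes.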

Conclusion

Building out an effective SOC has always been, and will continue to be, a nuanced effort.

There is no one-size-fits-all solution when it comes to security tools. It is important to offer organizations ways to customize for their own use cases, but it is just as vital that they can combine this “customization” with the automated capabilities vendors already offer.

It has become a necessity to look for vendors that offer a hands-on approach to customizing tools while also bolstering the autonomous portions of their offerings.

SIEM replacement vendors like Hunters, which have been named leaders in GigaOm’s previously mentioned report on autonomous SOC, are known for their easy-to-use and pre-built capabilities. To ensure that they serve the needs of security teams, they are continuing to add customization features that allow organizations to tailor their security strategy to their unique requirements.

Covering the 80% is vital, but addressing the remaining 20% will set your security team above the rest.


Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes

Nov 10, 2023 | Newsroom | Cyber Warfare / Network Security

The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022.

The findings come from Google’s Mandiant, which described the hack as a “multi-event cyber attack” leveraging a novel technique for impacting industrial control systems (ICS).

“The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine,” the company said.

“Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim’s IT environment.”

The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, and the number of people who were impacted by the incident.

The development is the latest in Sandworm’s continued efforts to stage disruptive attacks and compromise the power grid in Ukraine, which date back to at least 2015 and have used malware such as Industroyer.

The exact initial vector used for the cyber-physical attack is presently unclear, and it’s believed that the threat actor’s use of LotL techniques decreased the time and resources required to pull it off.

The intrusion is thought to have happened around June 2022, with the Sandworm actors gaining access to the operational technology (OT) environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment.

On October 10, 2022, an optical disc (ISO) image file was used to launch malware capable of switching off substations, resulting in an unscheduled power outage.

“Two days after the OT event, Sandworm deployed a new variant of CaddyWiper in the victim’s IT environment to cause further disruption and potentially to remove forensic artifacts,” Mandiant said.

CaddyWiper refers to a piece of data-wiping malware that first came to light in March 2022 in connection with the Russo-Ukrainian war.

“This attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system,” the company said.

“Given Sandworm’s global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems.”


Stealthy Kamran Spyware Targeting Urdu-speaking Users in Gilgit-Baltistan

Nov 10, 2023 | Newsroom | Privacy / Cyber Espionage

Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed Kamran.

The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors to the Urdu version to install its Android app, hosted directly on the website.

The app, however, incorporates malicious espionage capabilities, and the attack has compromised at least 20 mobile devices to date. It has been available on the website since sometime between January 7 and March 21, 2023, around when massive protests were held in the region over land rights, taxation, and extensive power cuts.

The malware, activated upon package installation, requests intrusive permissions, allowing it to harvest sensitive information from the devices.

This includes contacts, call logs, calendar events, location information, files, SMS messages, photos, list of installed apps, and device metadata. The collected data is subsequently uploaded to a command-and-control (C2) server hosted on Firebase.

Kamran lacks remote control capabilities and is also simplistic by design, carrying out its exfiltration activities only when the victim opens the app and lacking in provisions to keep track of the data that has already been transmitted.

This means that it repeatedly sends the same information, along with any new data meeting its search criteria, to the C2 server. Kamran has yet to be attributed to any known threat actor or group.

“As this malicious app has never been offered through the Google Play store and is downloaded from an unidentified source referred to as unknown by Google, to install this app, the user is requested to enable the option to install apps from unknown sources,” security researcher Lukáš Štefanko said.
