Lucene search

K
thnThe Hacker NewsTHN:C6EF9578349AB5BC1F0DEB76984A9A8D
HistoryMay 20, 2024 - 4:05 p.m.

Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

2024-05-2016:05:00
The Hacker News
thehackernews.com
14
iranian
mois
hackers
destructive attacks
albania
israel
void manticore
wiper malware
security flaws
cybersecurity
scarred manticore
storm-0842
storm-0861
ransomware.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.974

Percentile

100.0%

Wiper Malware

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively.

Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also referred to as Storm-0842 (formerly DEV-0842) by Microsoft.

β€œThere are clear overlaps between the targets of Void Manticore and Scarred Manticore, with indications of systematic hand off of targets between those two groups when deciding to conduct destructive activities against existing victims of Scarred Manticore,” the company said in a report published today.

The threat actor is known for its disruptive cyber attacks against Albania since July 2022 under the name Homeland Justice that involve the use of bespoke wiper malware called Cl Wiper and No-Justice (aka LowEraser).

Similar wiper malware attacks have also targeted Windows and Linux systems in Israel following the Israel-Hamas war after October 2023 using another customer wiper codenamed BiBi. The pro-Hamas hacktivist group goes by the name Karma.

Cybersecurity

Attack chains orchestrated by the group are β€œstraightforward and simple,” typically leveraging publicly available tools and making use of Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) for lateral movement prior to malware deployment.

Initial access in some cases is accomplished by the exploitation of known security flaws in internet-facing applications (e.g., CVE-2019-0604), according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2022.

A successful foothold is followed by the deployment of web shells, including a homebrewed one called Karma Shell that masquerades as an error page but is capable of enumerating directories, creating processes, uploading files, and starting/stopping/listing services.

Void Manticore is suspected of using access previously obtained by Scarred Manticore (aka Storm-0861) to carry out its own intrusions, underscoring a β€œhandoff” procedure between the two threat actors.

This high degree of cooperation was previously also highlighted by Microsoft in its own investigation into attacks targeting Albanian governments in 2022, noting that multiple Iranian actors participated in it and that they were responsible for distinct phases -

  • Storm-0861 gained initial access and exfiltrated data
  • Storm-0842 deployed the ransomware and wiper malware
  • Storm-0166 exfiltrated data
  • Storm-0133 probed victim infrastructure

It’s also worth pointing out that Storm-0861 is assessed to be a subordinate element within APT34 (aka Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group known for the Shamoon and ZeroCleare wiper malware.

β€œThe overlaps in techniques employed in attacks against Israel and Albania, including the coordination between the two different actors, suggest this process has become routine,” Check Point said.

β€œVoid Manticore’s operations are characterized by their dual approach, combining psychological warfare with actual data destruction. This is achieved through their use of wiping attacks and by publicly leaking information, thereby amplifying the destruction on the targeted organizations.”

Found this article interesting? Follow us on Twitter ο‚™ and LinkedIn to read more exclusive content we post.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.974

Percentile

100.0%