CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
100.0%
An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively.
Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also referred to as Storm-0842 (formerly DEV-0842) by Microsoft.
βThere are clear overlaps between the targets of Void Manticore and Scarred Manticore, with indications of systematic hand off of targets between those two groups when deciding to conduct destructive activities against existing victims of Scarred Manticore,β the company said in a report published today.
The threat actor is known for its disruptive cyber attacks against Albania since July 2022 under the name Homeland Justice that involve the use of bespoke wiper malware called Cl Wiper and No-Justice (aka LowEraser).
Similar wiper malware attacks have also targeted Windows and Linux systems in Israel following the Israel-Hamas war after October 2023 using another customer wiper codenamed BiBi. The pro-Hamas hacktivist group goes by the name Karma.
Attack chains orchestrated by the group are βstraightforward and simple,β typically leveraging publicly available tools and making use of Remote Desktop Protocol (RDP), Server Message Block (SMB), and File Transfer Protocol (FTP) for lateral movement prior to malware deployment.
Initial access in some cases is accomplished by the exploitation of known security flaws in internet-facing applications (e.g., CVE-2019-0604), according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2022.
A successful foothold is followed by the deployment of web shells, including a homebrewed one called Karma Shell that masquerades as an error page but is capable of enumerating directories, creating processes, uploading files, and starting/stopping/listing services.
Void Manticore is suspected of using access previously obtained by Scarred Manticore (aka Storm-0861) to carry out its own intrusions, underscoring a βhandoffβ procedure between the two threat actors.
This high degree of cooperation was previously also highlighted by Microsoft in its own investigation into attacks targeting Albanian governments in 2022, noting that multiple Iranian actors participated in it and that they were responsible for distinct phases -
Itβs also worth pointing out that Storm-0861 is assessed to be a subordinate element within APT34 (aka Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, and OilRig), an Iranian nation-state group known for the Shamoon and ZeroCleare wiper malware.
βThe overlaps in techniques employed in attacks against Israel and Albania, including the coordination between the two different actors, suggest this process has become routine,β Check Point said.
βVoid Manticoreβs operations are characterized by their dual approach, combining psychological warfare with actual data destruction. This is achieved through their use of wiping attacks and by publicly leaking information, thereby amplifying the destruction on the targeted organizations.β
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
100.0%