A newly-uncovered cyber espionage campaign is combining known exploits with custom-built malware in a campaign that has targeted hundreds of organisations, particularly those in the government, finance, and energy sectors.
Discovered by researchers at Symantec, the group is called Leafminer and has been operating out of Iran since at least early 2017.
The malware and custom tools used by Leafminer have been detected across 44 systems in the Middle East: 28 in Saudi Arabia, the remainder in Lebanon, Israel, and Kuwait, and four in unknown locations -- but the investigation into the campaign found a list of 809 targets.
The attackers' activity suggests the goal of their campaign is to steal data, including emails, credentials, files, and information on database servers operated by compromised targets.
Leafminer uses three main techniques for compromising networks: watering hole attacks, exploitation of network vulnerabilities, and brute-force dictionary attacks which attempt to crack passwords. Researchers said that phishing emails might also be used, but evidence for this hasn't yet been seen.
Compromised watering hole sites included a Lebanese government site, a Saudi Arabian healthcare site, and an Azerbaijan university. Researchers note that the same technique was deployed by the DragonFly hacking group last year -- but rather than being a related group, Leafminer appears to be mimicking the earlier attack.
This isn't the only tactic which Leafminer has picked up from successful campaigns by criminal groups. Leafminer uses EternalBlue -- the leaked NSA exploit which powered the WannaCry ransomware -- to move through targeted networks.
Another known technique has been lifted in order to help exfiltrate data. Known as process doppelgänging, the technique was revealed late last year and circumvents security tools by using process hollowing to make the malicious processes look benign.
The use of all the above leads Symantec to state that Leafminer actively follows the work of developers of offensive techniques for ideas.
The group's custom malware includes Imecab, which is used to set up persistent access to a target machine with a hard-coded password and is installed as a Windows service in order to ensure it remains available to the attacker.
Sorgu is used in a similar way, providing remote access to the machine, and is also installed as a service in the Windows system via a shell script.
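Both backdoors described above persist by registering themselves as Windows services, which is a good defensive hook: Windows writes a System-log record (Event ID 7045, "A service was installed in the system") every time a new service is created. The following triage script is an added illustration and is not code from Symantec or from the article; the log lines it parses are constructed in a simplified key=value form that assumes a collector has already flattened the event fields, and the "trusted directory" and "interpreter" lists are assumptions a defender would tune for their own estate. It flags newly installed services whose binary lives outside standard program directories or is launched through a shell or script interpreter, the two patterns the campaign's service-based persistence would match.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample records modelled on Windows System log Event 7045
# (new service installed). These are NOT logs from the Leafminer campaign;
# the flattened key=value layout is an assumption about the log collector.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=Dhcp ImagePath=C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted StartType=auto start",
    "EventID=7045 ServiceName=WinUpdateSvc ImagePath=C:\\Users\\Public\\Libraries\\upd.exe StartType=auto start",
    "EventID=7045 ServiceName=NetHelper ImagePath=cmd.exe /c C:\\ProgramData\\run.bat StartType=auto start",
    "EventID=7036 ServiceName=Dhcp ImagePath= StartType=",  # state change, not an install
]

# Assumed baseline: directories where legitimate service binaries normally live.
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)
# Interpreters that indicate a service wrapping a script or shell command.
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

EVENT_RE = re.compile(
    r"EventID=(\d+) ServiceName=(\S+) ImagePath=(.*?) StartType=(.*)$"
)


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one flattened log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "id": int(m.group(1)),
        "name": m.group(2),
        "path": m.group(3).strip(),
        "start": m.group(4).strip(),
    }


def first_token(image_path):
    """Return the executable portion of an ImagePath, honouring a quoted path."""
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return image_path[1:end] if end > 0 else image_path[1:]
    return image_path.split(" ", 1)[0]


def assess(event):
    """Return the list of reasons a service install looks like persistence."""
    reasons = []
    exe = first_token(event["path"])
    exe_name = PureWindowsPath(exe).name.lower()
    if exe_name in INTERPRETERS:
        reasons.append("service launches a shell or script interpreter")
    if not exe.lower().startswith(TRUSTED_DIRS):
        reasons.append("service binary outside trusted directories")
    return reasons


def triage(lines):
    """Run every Event 7045 record through assess() and collect findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["id"] != 7045:
            continue
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event["name"], event["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.service}: {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample, the built-in `Dhcp` service is ignored while `WinUpdateSvc` and `NetHelper` are reported; in practice the same logic would be fed from the System event log (via `wevtutil` or a SIEM export) and the trusted-directory list extended with the organisation's own deployment paths.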
But while the Leafminer group appears keen to learn from other successful espionage campaigns, one thing it has failed at is operational security: researchers found that a staging server used by the attackers was publicly accessible, exposing the group's entire set of tools and indicating inexperience on the part of the attackers.
This public information also led to a list of over 800 potential targets in government, finance, and energy across the Middle East. The list is written in the Iranian Farsi language, leading researchers to conclude that the group is based in Iran, although there's currently no evidence of it being a state-backed campaign.
No matter who is behind the campaign, it's likely that the group will continue to develop offensive techniques -- and they could even widen the scope of malicious attacks.
"It's possible the group would keep adopting and both new publicly available hacking tools and techniques, as well as proof-of-concept exploits for new and old vulnerabilities," Armin Buescher, threat researcher at Symantec, told ZDNet.
"In terms of targeting, the attackers might continue going after targets in the Middle East, perhaps even expanding to countries outside of the region."