Security News

A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs in Africa, new findings reveal. The intrusions, staged by a group tracked as Lyceum, are believed to have occurred between July and October 2021, researchers from Accenture Cyber Threat Intelligence group and Prevailion's Adversarial Counterintelligence Team said in a technical report.

A cyber attack in Iran left petrol stations across the country crippled, disrupting fuel sales and defacing electronic billboards to display messages challenging the regime's ability to distribute gasoline. Other signs read, "Free gas in Jamaran gas station," with gas pumps showing the words "Cyberattack 64411" when attempting to purchase fuel, semi-official Iranian Students' News Agency news agency reported.

An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting U.S., E.U., and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East. Microsoft is tracking the hacking crew under the moniker DEV-0343.

Iran-linked threat actors are targeting the Office 365 tenants of US and Israeli defense technology companies in extensive password spraying attacks. The activity cluster was temporarily dubbed DEV-0343 by researchers at Microsoft Threat Intelligence Center and Microsoft Digital Security Unit, who have tracked it since late July.

Security vendor FireEye says it has spotted a Chinese espionage group that successfully compromised targets within Israel, and that trying to make its efforts look like the work of Iranian actors is part of the group's modus operandi. A FireEye blog post states the Chinese activity has been ongoing since 2019, when a group it names "UNC215" used the Microsoft SharePoint vulnerability CVE-2019-0604 "To install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia".

The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM's X-Force threat intelligence team. Last year, the group accidentally exposed approximately 40 GB of videos and other content associated with its operations, including training videos on how to exfiltrate data from online accounts, and clips detailing the successful compromise of certain targets.

Classified files apparently leaked from a cyber unit of the Iranian government show that Iran is looking to improve its offensive cyber capabilities, including for targeting industrial control systems. British news outlet Sky News managed to obtain five internal reports - all marked "Very confidential" - that seem to originate from the Islamic Revolutionary Guard Corps' Shahid Kaveh, a secret offensive cyber unit.

Western cybersecurity agencies have published a list of 30 of the most exploited vulnerabilities abused by hostile foreign states in 2020, urging infosec bods to ensure their networks and deployments are fully patched against them. Number one on the US, UK, and Australia's jointly published [PDF] list was the well-known Citrix arbitrary code execution vuln in Application Delivery Controller, aka Netscaler load-balancer.

The U.S. government on Tuesday attributed several past attacks involving industrial control systems to Russian, Chinese and Iranian state-sponsored threat actors. "CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations," the agencies said.

The Department of Justice has seized the domains of 36 Iranian media sites that officials say weren't just operating in violation of sanctions, but were part of a widespread government-backed malign-influence operation targeting the U.S. The DoJ said that 33 of the sites are run by the Iranian Islamic Radio and Television Union, which is allegedly under the control of the sanctioned Islamic Revolutionary Guard Quds Force. Three additional sites taken down were allegedly controlled by Kata'ib Hizballah, which has been designated an Iraqi terrorist group by the U.S. government.