Security News
Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security and genome research as part of a new social engineering campaign designed to hunt for sensitive information. An enterprise security firm attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus.
A state-sponsored advanced persistent threat actor newly christened APT42 has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government since at least 2015. APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including Australia, Europe, the Middle East, and the U.S. Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, indicating the threat actor's ability to swiftly modify its campaigns in order to meet its operational priorities.
Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 has been abusing the BitLocker Windows feature in attacks to encrypt victims' systems. This aligns with Microsoft's findings that DEV-0270 uses BitLocker, a data protection feature that provides full volume encryption on devices running Windows 10, Windows 11, or Windows Server 2016 and above.
Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. "DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft said.
A new Iranian state-sponsored hacking group known as APT42 has been discovered using custom Android malware to spy on targets of interest. The cybersecurity firm that identified the group has collected enough evidence to determine that APT42 is a state-sponsored threat actor that engages in cyberespionage against individuals and organizations of particular interest to the Iranian government.
Mandiant has named a new threat group, APT42, that it says functions as the cyberspy arm of Iran's Islamic Revolutionary Guard Corps, which has plotted to murder US citizens including former National Security Advisor John Bolton. While its financial backers turn their attention to assassination attempts and other terrorist activities, APT42 favors selective spear-phishing to target corporate and personal email accounts, according to the Google-owned threat intel business.
Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's long tail for remediation. The attacks are notable for using SysAid Server instances unsecured against the Log4Shell flaw as a vector for initial access, marking a departure from the actors' pattern of leveraging VMware applications for breaching target environments.
Hackers continue to exploit the Log4j vulnerability in vulnerable applications, as shown by the Iranian 'MuddyWater' threat actor who was found targeting Israeli organizations using the SysAid software. The latest MuddyWater hacking campaign outlined in a Microsoft report yesterday constitutes the first example of leveraging vulnerable SysAid applications to breach corporate networks.
Google's Threat Analysis Group recently discovered a new tool named Hyperscrape which is able to steal data from mailboxes such as Gmail, Yahoo! or Microsoft Outlook. Hyperscrape is a tool written for Windows systems in.
The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed HYPERSCRAPE by Google's Threat Analysis Group, the actively in-development malicious software is said to have been used against fewer than two dozen accounts in Iran, with the oldest known sample dating back to 2020.