Security News

Dubbed "Earth Vetala" by Trend Micro, the latest finding expands on previous research published by Anomali last month, which found evidence of malicious activity aimed at UAE and Kuwait government agencies by exploiting ScreenConnect remote management tool. The cybersecurity firm linked the ongoing attacks with moderate confidence to a threat actor widely tracked as MuddyWater, an Iranian hacker group known for its offensives primarily against Middle Eastern nations.

UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by Iranian threat actors, according to new research. Attributing the operation to be the work of Static Kitten, Anomali said the "Objective of this activity is to install a remote management tool called ScreenConnect with unique launch parameters that have custom properties," with malware samples and URLs masquerading as the Ministry of Foreign Affairs of Kuwait and the UAE National Council.

Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point. Evidence suggests the operation started as early as 2007 - it was one of the earliest Iranian campaigns discovered - but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.

More than 1,200 Iranian citizens have been targeted in extensive cyber-surveillance operations backed by the Iranian government, researchers with cybersecurity firm Check Point report. The attacks, which Check Point refers to collectively as Domestic Kitten, have been ongoing for roughly four years, orchestrated by a threat actor tracked as APT-C-50, which executes the campaigns on behalf of the Iranian government.

An Iran-based software company is likely behind a recently identified crypto-jacking campaign targeting SQL servers, according to a report by British anti-malware vendor Sophos. The attacks result in the MrbMiner crypto-miner being installed onto the target servers, with the software apparently created, controlled, and hosted by a named Iranian company.

Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran. "The name of an Iran-based software company was hardcoded into the miner's main configuration file," said researchers with Sophos in a Thursday analysis.

A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server databases has now been linked to a small software development company based in Iran. First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a cryptominer, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers.

Attacks conducted by Iranian hackers against Israeli companies involved the deployment of ransomware and theft of information, threat intelligence company ClearSky reported last week. A new series of attacks targeting industrial, insurance and logistics companies in Israel appears to be the work of Fox Kitten, ClearSky noted in a new report.

Iranian-backed hacking group Fox Kitten has been linked to the Pay2Key ransomware operation that has recently started targeting organizations from Israel and Brazil. "We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks in November-December 2020 that entailed dozens of Israeli companies," threat intelligence firm ClearSky says.

A team of researchers today unveiled previously undisclosed capabilities of an Android spyware implant-developed by a sanctioned Iranian threat actor-that could let attackers spy on private chats from popular instant messaging apps, force Wi-Fi connections, and auto-answer calls from specific numbers for purposes of eavesdropping on conversations. In September, the US Department of the Treasury imposed sanctions on APT39 - an Iranian threat actor backed by the country's Ministry of Intelligence and Security - for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.