Security News

A group of Iranian hackers recently posted a video showing how they managed to access an industrial control system at a water facility in Israel. "This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser," OTORIO said in a blog post.

Ransomware negotiation firm Coveware has placed the DarkSide operation on an internal restricted list after the threat actors announced plans to host infrastructure in Iran. When the DarkSide ransomware operation encrypts a network, their affiliates steal unencrypted files, which they threaten to release if a ransom is not paid.

On US presidential election day, 3 November, the nation's Federal Bureau of Investigation acted to seize 27 domains it says Iran used to conduct disinformation campaigns. FBI Special Agent in Charge Craig D Fair said the domains were used by Iran's Islamic Revolutionary Guard Corps "In attempt to manipulate public opinion in other countries, including the United States."

The U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have issued an alert to warn that an Iranian threat actor recently accessed voter registration data. In the previous alert, CISA and the FBI noted that the Iranian hackers targeted known vulnerabilities in virtual private network products and content management systems, including CVE-2020-5902 and CVE-2017-9248.

DHS CISA and the FBI today shared more info on how an Iranian state-sponsored hacking group was able to harvest voter registration info from U.S. state websites, including election sites. The attempts to download voter info from election websites took place between September 29 and October 17, 2020, according to the advisory.

The Iran-linked state-sponsored threat group known as Charming Kitten was observed targeting potential attendees of two major international conferences, Microsoft reports. Recently observed attacks, Microsoft says, targeted over 100 high-profile individuals, potential attendees of two upcoming global policy conferences, namely the Munich Security Conference and the Think 20 Summit, which is held in Saudi Arabia.

Microsoft disclosed today that Iranian state-sponsored hackers successfully hacked into the email accounts of multiple high-profile individuals and potential attendees at this year's Munich Security Conference and the Think 20 summit. "The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries," Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft said earlier today.

According to recent reports from ClearSky and Symantec, MuddyWater recently added to its arsenal a downloader called PowGoop, which earlier this year was used in attacks employing the Thanos ransomware against an organization in the Middle East. "While we cannot confirm the connection, we believe the actors deploying the Thanos ransomware at the Middle Eastern state-run organization also used a downloader that we call PowGoop. The actors would use the PowGoop downloader to reach out to a remote server to download and execute additional PowerShell scripts," Palo Alto Networks noted in a September 4 report.

Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability, adding fuel to the fire as the severe flaw continues to plague businesses. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.

The Iran-linked threat actor known as MuddyWater is actively targeting the Zerologon vulnerability in Windows Server, Microsoft warns. According to Microsoft, one of the latest changes in the group's tactics is the adoption of exploits for Zerologon, a Netlogon remote protocol vulnerability that was addressed in August 2020.