Sunday, May 26, 2024

Iranian Firms and Accomplices in Cyber Attack Sanctioned by U.S. Treasury

The United States Treasury has taken a significant step by sanctioning Iranian firms and individuals involved in a severe cyber attack. The statement emphasizes the gravity of the situation, saying that these actors targeted more than a dozen U.S. companies and government entities through sophisticated cyber operations, including spear-phishing and malware attacks. The information released on Monday by the Treasury's Office of Foreign Assets Control (OFAC) named two firms (Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA)) and four individuals (Alireza Shafie Nasab, Reza Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani) linked to the cyber activities carried out on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). The Department of Justice has also promised a reward of $10 million to anyone with valuable information on the identification or location of the group and the defendants.

Cybersecurity Researchers Unveiled the Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

According to reports by cybersecurity researchers, the cyber threat actors are not limited to a specific region but are leveraging phishing emails in a global campaign, named FROZEN#SHADOW by Securonix, to deliver SSLoad malware. The researchers state that “SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators. Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection.” Further details about the attack chain also revealed that the attack is more focused on Asia, Europe, and the Americas. The phishing emails contain links that retrieve a JavaScript file, which triggers the infection.

Over 1 Billion Chinese Keyboard App Users’ Keystrokes Exposed in a Major Security Flaw

Findings from the Citizen Lab uncovered security vulnerabilities in cloud-based pinyin keyboard applications that could help threat actors obtain users’ keystrokes, thereby compromising their personal data. The research found weaknesses in nine apps from top vendors such as Baidu, Honor, iFlytek, Tencent, Vivo, Samsung, OPPO, and Xiaomi, leaving Huawei as the only uncompromised vendor. According to the researchers, the vulnerabilities could be used to completely reveal users’ keystrokes in transit.

Below are the identified issues:

  • Tencent QQ Pinyin, which is vulnerable to a CBC padding oracle attack that could make it possible to recover plaintext.
  • Baidu IME allows network eavesdroppers to decrypt network transmissions and extract the typed text on Windows owing to a bug in the BAIDUv3.1 encryption protocol.
  • iFlytek IME’s Android app allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions.
  • Samsung Keyboard on Android transmits keystroke data via plain, unencrypted HTTP.
  • Xiaomi, which comes preinstalled with keyboard apps from Baidu, iFlytek, and Sogou.
  • OPPO, which comes preinstalled with keyboard apps from Baidu and Sogou.
  • Vivo, which comes preinstalled with Sogou IME.
  • Honor, which comes preinstalled with Baidu IME.

eScan Antivirus Update Mechanism Becomes Threat Actors’ Tool for Spreading Backdoors and Miners

According to reports from cybersecurity researchers, a new malware campaign is leveraging the update mechanism of the eScan antivirus software to target corporate networks and distribute backdoors and cryptocurrency miners. Avast, a cybersecurity firm, says the activity may originate from a North Korean hacking group called Kimsuky, also known as Black Banshee, Emerald Sleet, and TA427. The firm identifies the threat as GuptiMiner. This famous, highly sophisticated threat uses an interesting infection chain with a couple of techniques, including performing DNS requests to the attacker’s DNS servers, sideloading, extracting payloads from innocent-looking images, and signing its payloads with a custom trusted root anchor certification authority, among others.

 
