
Iran’s internet price rises, and so does the fear of greater censorship


Iranians could pay up to 34% more for the internet in 2024 as providers get the green light from the government to increase their tariffs. 

Although the increase is framed as a response to persistently high inflation, many commentators fear that less affordable internet rates could exacerbate ongoing online censorship while discouraging citizens from accessing digital services.


‘BellaCiao’ Showcases How Iran’s Threat Groups Are Modernizing Their Malware


A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Iran’s state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.

The malware, dubbed “BellaCiao,” is a dropper that Iran’s Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.

A Highly Customized Threat

Researchers at Bitdefender discovered the new malware when investigating activity related to three other recent malware tools associated with Charming Kitten. Their analysis of the malicious code — summarized in a blog post this week — uncovered a couple of features that set it apart from many other malware samples.

One was the specifically targeted nature of the dropper that ended up on each victim’s system. The other was BellaCiao’s unique and hard-to-detect style of communicating with its command-and-control (C2) server.

“Each sample we’ve collected is custom-built for each victim,” says Martin Zugec, technical solutions director at Bitdefender. Each sample includes hard-coded information that is specific to the victim organization, such as the company’s name, public IP addresses, and specially crafted subdomains.

Charming Kitten’s apparent intention in making the malware victim-specific is to blend in on host systems and networks, Zugec says. For instance, the subdomains and IP addresses the malware uses in interacting with the C2 are similar to the real domain and public IP addresses of the victim. Bitdefender’s analysis of the malware’s build information showed its authors had organized victims in different folders with names that indicated the countries in which they were located. The security vendor found that Charming Kitten actors used victim-optimized versions of BellaCiao, even when the target victim was from a noncritical sector.

Unique Approach to Receiving C2 Commands

Zugec says the manner in which BellaCiao interacts with the C2 server and receives commands from it is also unique. “The communication between implant and C2 infrastructure is based…


The Challenge of Cracking Iran’s Internet Blockade


Some communication services have systems in place for attempting to skirt digital blockades. The secure messaging app Signal, for example, offers tools so people around the world can set up proxy servers that securely relay Signal traffic to bypass government filters. Proxy service has previously only been available for Signal on Android, but the platform added iOS support on Wednesday. 

Still, if people in Iran don’t already have the Signal app installed on their phones or haven’t registered their phone numbers, the connectivity outages make it difficult to download the app or receive the SMS code used for account setup. Android users who can’t connect to Google Play can also download the app directly from Signal’s website, but this creates the possibility that malicious versions of the Signal app could circulate on other forums and trick people into downloading them. In an attempt to address this, the Signal Foundation created the email address “[email protected]” that people can message to request a safe copy of the app. 

The anonymity service Tor is largely inaccessible in Iran, but some activists are working to establish Tor bridges within Iran to connect internal country networks to the global platform. The work is difficult without infrastructure and resources, though, and is extremely dangerous if the regime detects the activity. Similarly, other efforts to establish clandestine infrastructure within the country are fraught because they often require too much technical expertise for a layperson to carry out safely. Echoing the issue with safely downloading apps like Signal, it can also be difficult for people to determine whether circumvention measures they learn about are legitimate or tainted.

Users in Iran have also been leaning on other services that have proxies built in. For example, Firuzeh Mahmoudi, executive director of the US-based nonprofit United for Iran, says that the law enforcement-tracking app Gershad has been in heavy use during the connectivity blackouts. The app, which has been circulating in Iran since 2016 and is now developed by United for Iran, lets users crowdsource information about the movements of the regime’s “morality…


Iran’s Lyceum threat group active against telcos, ISPs. Clop hits unpatched SolarWinds instances. Mercenaries. Patch Tuesday.


Attacks, Threats, and Vulnerabilities

Iranian cyber group targets Israel, Saudis, Africans – report (The Jerusalem Post | JPost.com) An Iranian hacker group called Lyceum has targeted Israel, Saudi Arabia, Morocco, Tunisia and others.

Exclusive: A Cyber Mercenary Is Hacking The Google And Telegram Accounts Of Presidential Candidates, Journalists And Doctors (Forbes) An unprecedented peek inside an underground hacker-for-hire operation reveals 3,500 targets, including Belarusian presidential candidates, Uzbek human rights activists and a cryptocurrency exchange.

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks (BleepingComputer) The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt their devices.

TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access (NCC Group Research) NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime actor associated with extortion attacks using the Clop ransomware. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach.

Russian Cybercrime Group Exploits SolarWinds Serv-U Vulnerability (SecurityWeek) The Russia-linked ‘Evil Corp’ cybercrime group has been exploiting a vulnerability in SolarWinds Serv-U for initial infection.

Vulnerable smart contracts and fake blockchains: What do investors need to know? (Digital Shadows) Well, here we are again. Another blog on a topic that’s often spoken about but little understood: cryptocurrency. Cryptocurrency-related decentralized finance (DeFi) is seeing unprecedented interest from retail and institutional investors alike.

FBI: Scams Involving Cryptocurrency ATMs and QR Codes on the Rise (SecurityWeek) The Federal Bureau of Investigation (FBI) this week issued an alert on fraud schemes that direct victims to use cryptocurrency ATMs and Quick Response (QR) codes to…
