Attacks/Breaches
10/26/2012
01:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Frankenstory: Attack Of The Iranian Cyber Warriors

Citing no hard evidence, U.S. government officials have been stoking fears that the Iranians are out to get us.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Just in time for Halloween, there's a new bogeyman in town: the Iranian government-sponsored cyber attacker. As with other phantasms, related sightings are growing more numerous, though they remain unsubstantiated by hard evidence.

The appearance of this new and reportedly escalating threat comes after a recent lull that occurred thanks to the coordinated international law enforcement takedown of the LulzSec group and key members of the Anonymous hacktivist collective.

New players have move into that vacuum, including a group called the Cyber fighters of Izz ad-din Al qassam, which has claimed credit for the ongoing U.S. bank website disruptions. The group has said that its hacktivist-style distributed denial-of-service (DDoS) attacks will continue -- barring Muslim holy days -- until "Innocence of Muslims," the film that mocks the founder of Islam, gets excised from the Internet. Meanwhile, a self-described activist group, Cutting Sword of Justice, took credit for the Aug. 15 Shamoon malware attack against Saudi Aramco, which was designed to steal data and erase hard drives.

[ Read the latest on the U.S. bank hacks. See Fast Flux Botnet Nets Fraudsters $78 Million. ]

Despite the Anonymous takedowns, anonymity remains well in vogue. Start with U.S. government officials, who have been granting anonymous media interviews in which they assert that the Iranian government is behind the bank website disruptions as well as a series of wire-transfer attacks. In the latter case, the wire transfers -- aided by credential-grabbing malware and Zeus botnets--have let attackers transfer millions of dollars into overseas accounts.

Cue Iran as the culprit again for the Shamoon malware attack against the network of Saudi Aramco, which is the world's largest exporter of crude oil. Defense Secretary Leon Panetta said earlier this month that the attacks against Saudi Aramco managed to "virtually destroy" 30,000 PCs. An internal Saudi Aramco investigation more recently revised that estimate to 50,000 PCs. According to an August blog post by Eugene Mayevski, CTO of security firm EldoS, Shamoon also included a copy of the company's commercial master boot record wiper, RawDisk, which he guessed had been stolen from one of the company's customers.

Many observers read Panetta's speech as a thinly veiled threat against Iran, made as a nuclear standoff with Iran becomes more likely. The U.S. government is also reportedly developing contingency plans for a strike against Iran -- not of the cyber variety -- as the country improves its uranium-enrichment capabilities.

On the cyber-attack front, however, where's the hard evidence that ties Iran to all of these attacks? Well, that's classified. Furthermore, at least in the case of Shamoon, this week anonymous government officials admitted to Bloomberg that the evidence is only circumstantial.

But the case against Iran may not even be that, as digital forensic investigators this week also confirmed earlier reports that -- counter to U.S. government officials' assertions -- Shamoon was an amateurish, copycat Flame attack, carried out by a single individual. Thanks to the individual having incorrectly configured the malware, it not only did less damage than intended, but it helped investigators trace the infection back to a USB stick that had been plugged into the employee's PC while he was logged in. Saudi authorities, according to news reports, have arrested a suspect.

Panetta continued to insist this week that the Shamoon malware had been "a very sophisticated tool." To be charitable, that may have been true five years ago, but the state of the art in malware has rapidly advanced since then.

What's fueling those rapid advances? Start with Stuxnet, Duqu, Flame, MiniFlame, or any other government forays into cyber weapons. "This is where I get nervous: Oh, great, a massive training ground for criminals and other groups -- here's how you build a massive command-and-control center for criminal attacks," said Eric Byres, CTO of Belden's Tofino Security, in a recent phone interview.

In other words, tomorrow's crimeware update will likely incorporate tricks developed by our own country's cyber weapons program. Like so many Frankenstein monsters, what comes for us in the digital dead of night bears a startling resemblance to something of our own making.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 6:03:03 PM
re: Frankenstory: Attack Of The Iranian Cyber Warriors
Makes sense great marketing and hype for the holiday. You know for a minute I thought that there were groups of Muslim fundamentalists that were in huddled formations and set on attacking the US whenever possible, that's not true? I think that there is a big difference and the 2 should not be compared because the end results and goals are much different. I am referring to Anonymous, LulzSec to the like of Muslim fundamentalist groups there goals are completely different, meaning one is to inform the public while the other groups are set on destruction. I will let you guess which is which!

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.