Attacks/Breaches

10/26/2012
01:06 PM
50%
50%

Frankenstory: Attack Of The Iranian Cyber Warriors

Citing no hard evidence, U.S. government officials have been stoking fears that the Iranians are out to get us.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Just in time for Halloween, there's a new bogeyman in town: the Iranian government-sponsored cyber attacker. As with other phantasms, related sightings are growing more numerous, though they remain unsubstantiated by hard evidence.

The appearance of this new and reportedly escalating threat comes after a recent lull that occurred thanks to the coordinated international law enforcement takedown of the LulzSec group and key members of the Anonymous hacktivist collective.

New players have move into that vacuum, including a group called the Cyber fighters of Izz ad-din Al qassam, which has claimed credit for the ongoing U.S. bank website disruptions. The group has said that its hacktivist-style distributed denial-of-service (DDoS) attacks will continue -- barring Muslim holy days -- until "Innocence of Muslims," the film that mocks the founder of Islam, gets excised from the Internet. Meanwhile, a self-described activist group, Cutting Sword of Justice, took credit for the Aug. 15 Shamoon malware attack against Saudi Aramco, which was designed to steal data and erase hard drives.

[ Read the latest on the U.S. bank hacks. See Fast Flux Botnet Nets Fraudsters $78 Million. ]

Despite the Anonymous takedowns, anonymity remains well in vogue. Start with U.S. government officials, who have been granting anonymous media interviews in which they assert that the Iranian government is behind the bank website disruptions as well as a series of wire-transfer attacks. In the latter case, the wire transfers -- aided by credential-grabbing malware and Zeus botnets--have let attackers transfer millions of dollars into overseas accounts.

Cue Iran as the culprit again for the Shamoon malware attack against the network of Saudi Aramco, which is the world's largest exporter of crude oil. Defense Secretary Leon Panetta said earlier this month that the attacks against Saudi Aramco managed to "virtually destroy" 30,000 PCs. An internal Saudi Aramco investigation more recently revised that estimate to 50,000 PCs. According to an August blog post by Eugene Mayevski, CTO of security firm EldoS, Shamoon also included a copy of the company's commercial master boot record wiper, RawDisk, which he guessed had been stolen from one of the company's customers.

Many observers read Panetta's speech as a thinly veiled threat against Iran, made as a nuclear standoff with Iran becomes more likely. The U.S. government is also reportedly developing contingency plans for a strike against Iran -- not of the cyber variety -- as the country improves its uranium-enrichment capabilities.

On the cyber-attack front, however, where's the hard evidence that ties Iran to all of these attacks? Well, that's classified. Furthermore, at least in the case of Shamoon, this week anonymous government officials admitted to Bloomberg that the evidence is only circumstantial.

But the case against Iran may not even be that, as digital forensic investigators this week also confirmed earlier reports that -- counter to U.S. government officials' assertions -- Shamoon was an amateurish, copycat Flame attack, carried out by a single individual. Thanks to the individual having incorrectly configured the malware, it not only did less damage than intended, but it helped investigators trace the infection back to a USB stick that had been plugged into the employee's PC while he was logged in. Saudi authorities, according to news reports, have arrested a suspect.

Panetta continued to insist this week that the Shamoon malware had been "a very sophisticated tool." To be charitable, that may have been true five years ago, but the state of the art in malware has rapidly advanced since then.

What's fueling those rapid advances? Start with Stuxnet, Duqu, Flame, MiniFlame, or any other government forays into cyber weapons. "This is where I get nervous: Oh, great, a massive training ground for criminals and other groups -- here's how you build a massive command-and-control center for criminal attacks," said Eric Byres, CTO of Belden's Tofino Security, in a recent phone interview.

In other words, tomorrow's crimeware update will likely incorporate tricks developed by our own country's cyber weapons program. Like so many Frankenstein monsters, what comes for us in the digital dead of night bears a startling resemblance to something of our own making.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 6:03:03 PM
re: Frankenstory: Attack Of The Iranian Cyber Warriors
Makes sense great marketing and hype for the holiday. You know for a minute I thought that there were groups of Muslim fundamentalists that were in huddled formations and set on attacking the US whenever possible, that's not true? I think that there is a big difference and the 2 should not be compared because the end results and goals are much different. I am referring to Anonymous, LulzSec to the like of Muslim fundamentalist groups there goals are completely different, meaning one is to inform the public while the other groups are set on destruction. I will let you guess which is which!

Paul Sprague
InformationWeek Contributor
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9036
PUBLISHED: 2018-06-20
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
CVE-2018-12327
PUBLISHED: 2018-06-20
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq ...
CVE-2018-12558
PUBLISHED: 2018-06-20
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
CVE-2018-6563
PUBLISHED: 2018-06-20
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti...
CVE-2018-1120
PUBLISHED: 2018-06-20
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call t...