Endpoint

4/27/2017
02:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Iranian Hackers Believed Behind Massive Attacks on Israeli Targets

OilRig aka Helix Kitten nation-state group leveraged Microsoft zero-day bug in targeted attacks.

A massive targeted cyber espionage campaign against major Israeli institutions and government officials underscores just how far an Iranian nation-state hacking machine has come.

The Israeli Cyber Defense Authority yesterday announced that it believes Iran was behind the a series of targeted attacks against some 250 individuals between April 19 and 24 in government agencies, high-tech companies, medical organizations, and educational institutions including the renowned Ben-Gurion University. The attackers – whom security experts say are members of the so-called OilRig aka Helix Kitten aka NewsBeef nation-state hacking group in Iran -- used stolen email accounts from Ben-Gurion to send their payload to victims.

"This is the largest and most sophisticated attack they've [OilRig] ever performed," says Michael Gorelik, vice president of R&D for Morphisec, who studied the attacks and confirms that the final stage was thwarted for the most part. "It was a major information-gathering [operation]," he says.

OilRig has been rapidly maturing since it kicked off operations around 2015. The attack campaign against Israeli targets employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. This flaw had been weaponized in attacks prior to the patch, including Dridex banking Trojan and botnet attacks, and in at least one other cyber espionage campaign.

This technique by OilRig is a step up from the group's previous MO of using malicious macros to spread malware, where it employed Microsoft Excel and Word files that required the victim to enable macros to get infected with malware. But this time around, no macros were necessary: the files contained an exploit via an embedded link packed with an HTML executable, according to researchers at Israeli security firm Morphisec who studied the new attacks.

OilRig managed to catch the victims during the patching window between when Microsoft issues a security update and organizations actually roll out the patch, security experts say. "The most important difference is that the use of macros was exchanged with a vulnerability exploit. With their ability to set up the attack in a relatively short time, the threat actors could correctly speculate that their window of opportunity between patch release and patch rollout was still open," according to Morphisec's blog post today.

The hacking group also was likely behind an attack campaign in January that employed a phony Juniper Networks VPN portal as well as phony websites purporting to be the University of Oxford, from which the attackers dropped malware.

Adam Meyers, vice president of intelligence at CrowdStrike, which has named this Iranian hacker group Helix Kitten, says the group has been advanced for some time. "There's this misconception that they weren't sophisticated before," he says. "This group has been active since 2015 and gone after aviation, energy, financial, and government" targets in various regions and countries, including the United Arab Emirates, Turkey, and Qatar, he says.

OilRig/Helix Kitten was not the first attack group to weaponize the Microsoft CVE-2017-0199 remote code execution vulnerability before it was patched, he notes, pointing to attacks in Ukraine, China, and in the US earlier this year. "It's unusual to see multiple threat actors pick up" a zero-day, he says, which could hint that of an 0day broker selling it to multiple "customers."

Meantime, Morphisec's Gorelik says in the latest round of attacks, OilRig employed a customized version of the open-source Mimikatz tool, which gives hackers access to user credentials in the Windows Local Security Authority Subsystem Service.

OilRig is among the ranks of nation-state gangs using open-source hacking tools. Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says OilRig, which Kaspersky calls NewsBeef, in the past year has relied heavily on open-source hacking tools, namely  BeEF for exploiting holes in browsers; Unicorn for PowerShell-type attacks; and on Pupy, for planting a remote administration tool, or RAT. That's a far cry from its earlier days, when it relied on social engineering accounts to target victims. "NewsBeef is not well-resourced, so this enables them to up their game," he says.

Politics 

Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but this pivot to Israel should be a red flag to other nations embroiled in geopolitical conflict with Iran, such as the US, security experts say.

Tom Kellermann, CEO of Strategic Cyber Ventures, says the attacks indeed illustrate how Iran's nation-state hacking machine has evolved and advanced. He attributes this transformation to Russian advisors assisting Iranian hackers. Look for OilRig to go West soon, too, he says.

"Oilrig will tendril West to the USA due to the Secretary of State and President's visceral statements on Iran over that past month. The Iranians are not alone, as the Russian Pawn Storm [nation-state hacking] campaign will dramatically ratchet up due to tensions with US and NATO per the Baltics and the French election," he says.

Their attacks also may be more destructive, including data-wiping: "To this point these actors will be more inclined to burn the evidence and house … [the] network via destructive counter-IR [incident response] 'integrity attacks,'" which could hamper IR efforts and investigations, he says. "I am concerned that watering-hole attacks will increase, delivering 0days and wiper malware."

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/28/2017 | 1:16:41 PM
Re: State hacking
Yes--they had been underestimated for some time now, but that is changing.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2017 | 11:15:05 AM
0 days
 

Zero days become more effective and destructive, that is what hackers are after since companies are able to close vulnerability quickly anymore.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2017 | 11:13:06 AM
Word/Excel?
Everything starts with the end users apparently, Microsoft may need to do a more security test then what it is doing now obviously. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2017 | 11:09:40 AM
State hacking
It sounds like Iranians are strong when it comes to state hacking. 
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.