5/13/2014
02:37 PM
Anatomy Of The New Iranian APT

Former Iranian hacktivist operation evolves into cyber espionage with 'Operation Saffron Rose.'

A newly unearthed attack campaign out of Iran targeting US defense contractors and Iranian dissidents confirms that Iran has expanded its cyberoffense capability and strategy far beyond its signature politically themed website defacements -- into a full-blown cyber espionage operation.

The so-called "Operation Saffron Rose" series of attacks detailed today by FireEye demonstrates a more mature and rapidly evolving Iranian threat. The group behind the attacks, the Ajax Security Team, has moved from a defacement-happy operation in the name of political activism to a cyber espionage operation that in its own right has all the earmarks of an advanced persistent threat (APT), according to FireEye.

The Iranian Ajax Security Team, whose most recent website defacement was last December, uses spearphishing attacks, including one purportedly from the IEEE's aerospace conference, as well as spoofed Microsoft Outlook Web Access and VPN login pages aimed at stealing user credentials from defense contractors and other members of the defense industry.

The group is also targeting Iranian dissidents within the nation as well as in other countries, using legitimate anti-censorship software tools as a lure. They laced two popular such tools, Psiphon and Ultrasurf, with malware, and FireEye found information on some 77 resulting victims on one Saffron Rose command-and-control server. FireEye says the Ajax Security Team is likely backed by the Iranian government, and its founders appear to be two members -- "HUrr!c4nE!" and "Cair3x" -- who had been involved in the website defacement operations.

The Ajax Security Team today is made up of somewhere between five and 10 individuals, says Darien Kindlund, director of threat research at FireEye. And it's not the only such cyber espionage group in Iran: "We believe there are others based in Iran," Kindlund says.

But Iran's APT operation is not quite as sophisticated as that of China. The Ajax Security Team operates more as a jack of all trades, Kindlund says. "In China, you have one group focused on going after aerospace or [defense], one group focusing on going after dissident activity, and another selling this [information] to third parties," he says. "But... Ajax Security Team is doing all three."

That's more a reflection of Iran not having quite as mature a cyberspying operation as China, he says. "What we are likely to see over time [is] these groups will become more specialized as they proliferate."

The gang employs private malware tools, but stops short of using exploit code to infect its victims, instead relying on the user to perform certain tasks such as downloading an executable or entering his or her credentials. With the IEEE aerospace conference spearphish, for example, the victim had to log in to register for the conference. "It's not like a drive-by exploit while visiting a web page. The victim would have to go through a number of hoops," Kindlund says.

Chinese APTs, meanwhile, automate that process by dropping exploits on the victim without his or her having to take any action to run the executable file; just downloading a weaponized PDF does the trick, for example, according to Kindlund.

"Those who were infected [by Saffron Rose] had to jump through a lot of hoops to get there," and that makes it harder for Iran's team to infect users, he says.

FireEye was unable to determine whether Ajax Security Team is part of a bigger operation or is a separate group. Members of the gang may also be moonlighting in cybercrime, the report says.

"It [Iran] has certainly evolved. The methods they are using now to conduct their operations are in many ways equivalent to that of a nation-state sponsored group, with the purpose and objective of some sort of espionage activity," Kindlund says.

The gang developed its own custom malware, and encrypts stolen data as it siphons it from its victims. But even its encryption approach is a bit rudimentary: "They're using symmetrical encryption to do all the exfiltration," where the same key is used to encrypt and decrypt data, he says. "The key is hardcoded into all copies of the malware... It seems they don't have a strong grasp of encryption."
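The defender's side of that design flaw, as an added example that is not FireEye's analysis or the group's code: when one symmetric key is baked into every copy of the malware, the key lifted from a single sample decrypts the exfiltration traffic of every victim. The cipher is a stand-in (an HMAC-SHA256 counter-mode stream cipher from Python's standard library) because the page does not name the family's algorithm; the key and the captured blobs are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12  # constructed wire format: nonce || ciphertext


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (HMAC-SHA256 in counter mode).

    Encryption and decryption are the same operation, which is why a key
    recovered from one sample unlocks every victim's traffic.
    """
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# Constructed stand-in for the key the article says is hardcoded into all
# copies of the malware; in a real case it is extracted from one sample.
HARDCODED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def exfil_blob(plaintext: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Models what each infected host sends to the C2: nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def recover_exfil(captured: bytes, key_from_sample: bytes) -> bytes:
    """Incident-response side: decrypt one captured blob with the key
    lifted from any sample of the family."""
    nonce, ciphertext = captured[:NONCE_LEN], captured[NONCE_LEN:]
    return keystream_xor(key_from_sample, nonce, ciphertext)


def recover_all(captures: list, key_from_sample: bytes) -> list:
    """Shared key: captures from different victims all fall to the same key,
    not just traffic from the host the sample was pulled from."""
    return [recover_exfil(c, key_from_sample) for c in captures]


if __name__ == "__main__":
    # Constructed captures from two different victims under the one key
    caps = [exfil_blob(b"victimA: OWA creds"), exfil_blob(b"victimB: VPN creds")]
    print(recover_all(caps, HARDCODED_KEY))
```

Had the operators negotiated a fresh key per victim, recovering the blobs from a packet capture would have required the operators' own secret rather than a sample of the malware.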

FireEye found no evidence of a connection between the gang and the Shamoon data-destruction attacks two years ago, which appear to have been used against Saudi Aramco and Qatar's RasGas.

Shamoon, which security experts say came from attackers in Iran, was the first big departure for the nation's hackers from wreaking havoc with a defacement or DDoS to the full-blown annihilation of information. Shamoon has been unofficially linked to the massive breach at oil giant Saudi Aramco that took down 30,000 of its workstations by deleting and wiping files and overwriting the victims' master boot records.

"They are improving" their capabilities, says Jaime Blasco, director of AlienVault Labs, of the Iranian hackers.

Blasco says he wouldn't be surprised if there was some relation between those attacks and the Ajax Security Team. "I can imagine that the Iranian hacker community is not that big, so they are probably related" in some way, he says.

"We don't have enough evidence to tie them to Shamoon," FireEye's Kindlund says. But like Blasco, he says he wouldn't be shocked to find there was some connection.

[Old-school but painful data-destroying malware attacks in the Middle East are a red flag to revisit incident response and recovery. Read The Data-Annihilation Attack Is Back, here.]

The Ajax Security Team has roots in Iranian hacker forums, including Ashiyyane and Shabgard.

The full FireEye report is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
securityaffairs (User Rank: Ninja), 5/14/2014 | 11:53:10 AM
Re: Keys behind the encryption
I'm not surprised ... first of all, Iran is a government that has suffered a cyber war attack. They are aware of the effects of a cyber attack and, like many other governments, they are improving their cyber capabilities.

Be aware they aren't the only ones ... North Korea, Pakistan and Syria are also very dangerous.

Everseeker (User Rank: Apprentice), 5/14/2014 | 10:16:22 AM
Re: Keys behind the encryption
At least they have not been able to execute the CMOS Firmware destruction protocol (I am not aware of any group that has... yet)

IMjustinkern (User Rank: Strategist), 5/13/2014 | 5:09:15 PM
Keys behind the encryption
Amazing that with all of the chatter and importance put on encryption, all "sides" of the data security sphere are so lax with the keys aspect. Something missing from all of the recent Snowden SXSW hoopla and the "encrypt everything" movement is a better understanding of the key management role in keeping control over encryption. In this instance, I suppose though, there may be a broader benefit to key lapses.