Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/26/2012
01:06 PM
50%
50%

Frankenstory: Attack Of The Iranian Cyber Warriors

Citing no hard evidence, U.S. government officials have been stoking fears that the Iranians are out to get us.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Just in time for Halloween, there's a new bogeyman in town: the Iranian government-sponsored cyber attacker. As with other phantasms, related sightings are growing more numerous, though they remain unsubstantiated by hard evidence.

The appearance of this new and reportedly escalating threat comes after a recent lull that occurred thanks to the coordinated international law enforcement takedown of the LulzSec group and key members of the Anonymous hacktivist collective.

New players have move into that vacuum, including a group called the Cyber fighters of Izz ad-din Al qassam, which has claimed credit for the ongoing U.S. bank website disruptions. The group has said that its hacktivist-style distributed denial-of-service (DDoS) attacks will continue -- barring Muslim holy days -- until "Innocence of Muslims," the film that mocks the founder of Islam, gets excised from the Internet. Meanwhile, a self-described activist group, Cutting Sword of Justice, took credit for the Aug. 15 Shamoon malware attack against Saudi Aramco, which was designed to steal data and erase hard drives.

[ Read the latest on the U.S. bank hacks. See Fast Flux Botnet Nets Fraudsters $78 Million. ]

Despite the Anonymous takedowns, anonymity remains well in vogue. Start with U.S. government officials, who have been granting anonymous media interviews in which they assert that the Iranian government is behind the bank website disruptions as well as a series of wire-transfer attacks. In the latter case, the wire transfers -- aided by credential-grabbing malware and Zeus botnets--have let attackers transfer millions of dollars into overseas accounts.

Cue Iran as the culprit again for the Shamoon malware attack against the network of Saudi Aramco, which is the world's largest exporter of crude oil. Defense Secretary Leon Panetta said earlier this month that the attacks against Saudi Aramco managed to "virtually destroy" 30,000 PCs. An internal Saudi Aramco investigation more recently revised that estimate to 50,000 PCs. According to an August blog post by Eugene Mayevski, CTO of security firm EldoS, Shamoon also included a copy of the company's commercial master boot record wiper, RawDisk, which he guessed had been stolen from one of the company's customers.

Many observers read Panetta's speech as a thinly veiled threat against Iran, made as a nuclear standoff with Iran becomes more likely. The U.S. government is also reportedly developing contingency plans for a strike against Iran -- not of the cyber variety -- as the country improves its uranium-enrichment capabilities.

On the cyber-attack front, however, where's the hard evidence that ties Iran to all of these attacks? Well, that's classified. Furthermore, at least in the case of Shamoon, this week anonymous government officials admitted to Bloomberg that the evidence is only circumstantial.

But the case against Iran may not even be that, as digital forensic investigators this week also confirmed earlier reports that -- counter to U.S. government officials' assertions -- Shamoon was an amateurish, copycat Flame attack, carried out by a single individual. Thanks to the individual having incorrectly configured the malware, it not only did less damage than intended, but it helped investigators trace the infection back to a USB stick that had been plugged into the employee's PC while he was logged in. Saudi authorities, according to news reports, have arrested a suspect.

Panetta continued to insist this week that the Shamoon malware had been "a very sophisticated tool." To be charitable, that may have been true five years ago, but the state of the art in malware has rapidly advanced since then.

What's fueling those rapid advances? Start with Stuxnet, Duqu, Flame, MiniFlame, or any other government forays into cyber weapons. "This is where I get nervous: Oh, great, a massive training ground for criminals and other groups -- here's how you build a massive command-and-control center for criminal attacks," said Eric Byres, CTO of Belden's Tofino Security, in a recent phone interview.

In other words, tomorrow's crimeware update will likely incorporate tricks developed by our own country's cyber weapons program. Like so many Frankenstein monsters, what comes for us in the digital dead of night bears a startling resemblance to something of our own making.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 6:03:03 PM
re: Frankenstory: Attack Of The Iranian Cyber Warriors
Makes sense great marketing and hype for the holiday. You know for a minute I thought that there were groups of Muslim fundamentalists that were in huddled formations and set on attacking the US whenever possible, that's not true? I think that there is a big difference and the 2 should not be compared because the end results and goals are much different. I am referring to Anonymous, LulzSec to the like of Muslim fundamentalist groups there goals are completely different, meaning one is to inform the public while the other groups are set on destruction. I will let you guess which is which!

Paul Sprague
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.