Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/25/2018
04:28 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East

Unlike other threat actors that have a narrow set of targets, Leafminer has over 800 organizations in its sights, Symantec says.

Leafminer, a threat actor that appears to be operating out of Iran, is conducting a wide-ranging cyber espionage campaign against organizations in the Middle East using a mix of publicly available tools and custom malware.

While the group's technical capabilities are average at best in comparison to other advanced persistent threat (APT) actors, its goals seem far more ambitious, according to Symantec, which has been studying the group.

The security vendor's analysis of Leafminer's activities shows the group has run targeted vulnerability scans against as many as 809 organizations across multiple industries in Saudi Arabia, United Arab Emirates, Egypt, Kuwait, Israel, and other countries in the Middle East.

The group's major focus areas appear to be organizations in the financial, government, and petrochemical sectors, with half of its targest in those industries. Other targets include shipping and transportation, food services, utilities, and construction. Leafminer mostly has gone after email data, files, and database servers.

"[Leafminer's] ambitious goal of targeting at least 800 different organizations across the Middle East is what sets them apart," from other threat actors, says Vikram Thakur, technical director at Symantec. Most APT campaigns are typically focused on a far smaller set of entities with shared geopolitical interests.  

"As a group, Leafminer highlights the need for organizations to better protect their public-facing network infrastructure against known vulnerabilities and attack tools," he says. Thakur estimates that Leafminer has conducted targeted attacks against dozens of organizations from the list of over 800 organizations against which it has run vulnerability scans.

Leafminer is the latest example of the increased cyber activity from Iran in recent years. Earlier this year, security vendor FireEye's Mandiant unit reported a major surge in nation-state sponsored threat activity in the country in 2017. The vendor described Iran as the next China based on the extent of state-backed threat activity in the country last year.

Just this week, Palo Alto Networks issued a report on the OilRig Group, a previously known threat actor that is also based in Iran. Researchers spotted multiple attacks by OilRig between May and June 2018 directed at a technology services provider and a government organization. The attacks delivered a backdoor designed to help the threat actors steal data from the targeted victims.

Leafminer Living Off the Land

At a high-level, Leafminer's tactics, techniques and procedures (TTP) are somewhat similar to the so-called "living-off-the land" approach that many threat actors have begun adopting, Symantec said. In addition to custom tools, the threat actor has shown a proclivity for using tools and techniques that are publicly available or have been used by others.

For instance, one of the tools that Leafminer has been using for collecting credentials is a rebranded version of the well-known Mimikatz post-exploitation tool. The method the attackers have adopted to deploy Mimikatz on compromised systems similarly is a technique known as Process Doppelganging that security vendor enSilo demonstrated at Black Hat Europe last year.

Leafminer has also taken advantage of the NSA's Fuzzbunch toolkit that the Shadow Brokers group leaked last year, to develop exploit payload for delivering custom malware targeted at vulnerabilities in Windows SMB server, Symantec said.

Leafminer's malware toolkit includes at least two custom malware products — a backdoor called Sorgu for enabling remote access to a compromised system and Imecab, a Trojan for establishing a persistent access account on an infected system.

The hacking team has been mainly using three techniques to gain initial access to a targeted network: watering hole attacks via compromised Web servers; scans for vulnerabilities in network services; and dictionary attacks against network service logins. In keeping with the group's habit of borrowing techniques and tactics used by others, the approach that Leafminer has been using in its watering hole attacks are similar to that employed by the Dragonfly APT group, according to Symantec.

The tactics employed by threat groups like Leafminer highlight the need for organizations to pay attention not just to new and emerging threats but to previously known ones as well.

"Enterprises should take note of the fact that a foreign adversary is relying primarily on existing vulnerabilities and publicly available tools to target hundreds of organizations in multiple verticals, with a degree of success," Thakur says.

In many cases, organizations can mitigate most of their exposure to such threats simply by applying known security practices, such as keeping systems updated and properly patched where possible, Thakur says.

Related Content:

 

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...