Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/27/2017
02:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Iranian Hackers Believed Behind Massive Attacks on Israeli Targets

OilRig aka Helix Kitten nation-state group leveraged Microsoft zero-day bug in targeted attacks.

A massive targeted cyber espionage campaign against major Israeli institutions and government officials underscores just how far an Iranian nation-state hacking machine has come.

The Israeli Cyber Defense Authority yesterday announced that it believes Iran was behind the a series of targeted attacks against some 250 individuals between April 19 and 24 in government agencies, high-tech companies, medical organizations, and educational institutions including the renowned Ben-Gurion University. The attackers – whom security experts say are members of the so-called OilRig aka Helix Kitten aka NewsBeef nation-state hacking group in Iran -- used stolen email accounts from Ben-Gurion to send their payload to victims.

"This is the largest and most sophisticated attack they've [OilRig] ever performed," says Michael Gorelik, vice president of R&D for Morphisec, who studied the attacks and confirms that the final stage was thwarted for the most part. "It was a major information-gathering [operation]," he says.

OilRig has been rapidly maturing since it kicked off operations around 2015. The attack campaign against Israeli targets employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. This flaw had been weaponized in attacks prior to the patch, including Dridex banking Trojan and botnet attacks, and in at least one other cyber espionage campaign.

This technique by OilRig is a step up from the group's previous MO of using malicious macros to spread malware, where it employed Microsoft Excel and Word files that required the victim to enable macros to get infected with malware. But this time around, no macros were necessary: the files contained an exploit via an embedded link packed with an HTML executable, according to researchers at Israeli security firm Morphisec who studied the new attacks.

OilRig managed to catch the victims during the patching window between when Microsoft issues a security update and organizations actually roll out the patch, security experts say. "The most important difference is that the use of macros was exchanged with a vulnerability exploit. With their ability to set up the attack in a relatively short time, the threat actors could correctly speculate that their window of opportunity between patch release and patch rollout was still open," according to Morphisec's blog post today.

The hacking group also was likely behind an attack campaign in January that employed a phony Juniper Networks VPN portal as well as phony websites purporting to be the University of Oxford, from which the attackers dropped malware.

Adam Meyers, vice president of intelligence at CrowdStrike, which has named this Iranian hacker group Helix Kitten, says the group has been advanced for some time. "There's this misconception that they weren't sophisticated before," he says. "This group has been active since 2015 and gone after aviation, energy, financial, and government" targets in various regions and countries, including the United Arab Emirates, Turkey, and Qatar, he says.

OilRig/Helix Kitten was not the first attack group to weaponize the Microsoft CVE-2017-0199 remote code execution vulnerability before it was patched, he notes, pointing to attacks in Ukraine, China, and in the US earlier this year. "It's unusual to see multiple threat actors pick up" a zero-day, he says, which could hint that of an 0day broker selling it to multiple "customers."

Meantime, Morphisec's Gorelik says in the latest round of attacks, OilRig employed a customized version of the open-source Mimikatz tool, which gives hackers access to user credentials in the Windows Local Security Authority Subsystem Service.

OilRig is among the ranks of nation-state gangs using open-source hacking tools. Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says OilRig, which Kaspersky calls NewsBeef, in the past year has relied heavily on open-source hacking tools, namely  BeEF for exploiting holes in browsers; Unicorn for PowerShell-type attacks; and on Pupy, for planting a remote administration tool, or RAT. That's a far cry from its earlier days, when it relied on social engineering accounts to target victims. "NewsBeef is not well-resourced, so this enables them to up their game," he says.

Politics 

Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but this pivot to Israel should be a red flag to other nations embroiled in geopolitical conflict with Iran, such as the US, security experts say.

Tom Kellermann, CEO of Strategic Cyber Ventures, says the attacks indeed illustrate how Iran's nation-state hacking machine has evolved and advanced. He attributes this transformation to Russian advisors assisting Iranian hackers. Look for OilRig to go West soon, too, he says.

"Oilrig will tendril West to the USA due to the Secretary of State and President's visceral statements on Iran over that past month. The Iranians are not alone, as the Russian Pawn Storm [nation-state hacking] campaign will dramatically ratchet up due to tensions with US and NATO per the Baltics and the French election," he says.

Their attacks also may be more destructive, including data-wiping: "To this point these actors will be more inclined to burn the evidence and house … [the] network via destructive counter-IR [incident response] 'integrity attacks,'" which could hamper IR efforts and investigations, he says. "I am concerned that watering-hole attacks will increase, delivering 0days and wiper malware."

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/28/2017 | 1:16:41 PM
Re: State hacking
Yes--they had been underestimated for some time now, but that is changing.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2017 | 11:15:05 AM
0 days
 

Zero days become more effective and destructive, that is what hackers are after since companies are able to close vulnerability quickly anymore.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2017 | 11:13:06 AM
Word/Excel?
Everything starts with the end users apparently, Microsoft may need to do a more security test then what it is doing now obviously. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2017 | 11:09:40 AM
State hacking
It sounds like Iranians are strong when it comes to state hacking. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25747
PUBLISHED: 2020-09-25
The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightn...
CVE-2020-25748
PUBLISHED: 2020-09-25
A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP s...
CVE-2020-25749
PUBLISHED: 2020-09-25
The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet...
CVE-2020-24592
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVE-2020-24593
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.