<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Cyber – ClearSky Cyber Security</title> <atom:link href="https://www.clearskysec.com/tag/cyber/feed/" rel="self" type="application/rss+xml" /> <link>https://www.clearskysec.com</link> <description>ClearSky Cyber Security</description> <lastBuildDate>Thu, 17 Dec 2020 08:31:31 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.7.2</generator> <image> <url>https://www.clearskysec.com/wp-content/uploads/2018/02/cropped-favicon512x512_3-2-32x32.png</url> <title>Cyber – ClearSky Cyber Security</title> <link>https://www.clearskysec.com</link> <width>32</width> <height>32</height> </image> <item> <title>Pay2Kitten – Fox Kitten 2</title> <link>https://www.clearskysec.com/pay2kitten/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Thu, 17 Dec 2020 07:30:00 +0000</pubDate> <category><![CDATA[cat2]]></category> <category><![CDATA[cyber attack]]></category> <category><![CDATA[Cyber-Crime]]></category> <category><![CDATA[Threat actors]]></category> <category><![CDATA[APT]]></category> <category><![CDATA[Campaigns]]></category> <category><![CDATA[Cyber]]></category> <category><![CDATA[Fox Kitten]]></category> <category><![CDATA[Iran]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3440</guid> <description><![CDATA[During the past four months a wave of cyber-attacks has been targeting Israeli companies. The attacks are conducted by different means and target a range of sectors. 
We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks […]]]></description> <content:encoded><![CDATA[ <p>During the past four months a wave of cyber-attacks has been targeting Israeli companies. The attacks are conducted by different means and target a range of sectors. <strong>We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten</strong>, an Iranian APT group that began a new wave of attacks in November-December 2020 affecting dozens of Israeli companies.</p> <p>Read the full report: <a href="https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf" target="_blank" rel="noreferrer noopener">Pay2Kitten – Fox Kitten 2</a></p> <figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="550" height="432" src="https://www.clearskysec.com/wp-content/uploads/2020/12/Fox-kitten-Timeline-550x432.png" alt="" class="wp-image-3446" srcset="https://www.clearskysec.com/wp-content/uploads/2020/12/Fox-kitten-Timeline-550x432.png 550w, https://www.clearskysec.com/wp-content/uploads/2020/12/Fox-kitten-Timeline-300x236.png 300w, https://www.clearskysec.com/wp-content/uploads/2020/12/Fox-kitten-Timeline-768x604.png 768w, https://www.clearskysec.com/wp-content/uploads/2020/12/Fox-kitten-Timeline.png 809w" sizes="(max-width: 550px) 100vw, 550px" /><figcaption><em>Fox Kitten timeline – 2017-2020</em></figcaption></figure> <p>The attackers’ modus operandi was to execute a ransomware attack, potentially to mislead the victim: penetrate companies’ internal networks, encrypt servers and workstations, steal and leak information, and conduct “supply chain attacks” by compromising further companies using the access or information obtained in already breached companies. In October-November we observed a wave of cyber-attacks on industrial companies and insurance companies. 
In November we observed attacks on logistics companies. </p> <p><strong>We estimate that this campaign is part of the ongoing cyber confrontation between Israel and Iran, with the most recent wave of attacks causing significant damage to some of the affected companies</strong>. The entry vector mostly consists of well-known vulnerabilities covered in our Fox Kitten reports throughout the year. Both the attacks themselves and the use of successful intrusions to compromise additional companies or service providers were carried out with obfuscation, making discovery of the attack more difficult.</p> <figure class="wp-block-image size-large"><img decoding="async" width="550" height="290" src="https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten-Timeline-550x290.png" alt="" class="wp-image-3445" srcset="https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten-Timeline-550x290.png 550w, https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten-Timeline-300x158.png 300w, https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten-Timeline-768x405.png 768w, https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten-Timeline.png 832w" sizes="(max-width: 550px) 100vw, 550px" /><figcaption><em>Pay2Key timeline – June 2020-December 2020</em></figcaption></figure> <p><strong>We estimate with a medium level of confidence that this campaign (Pay2Key) is part of Iranian information warfare aimed at creating panic in Israel and in other countries world-wide</strong>. The ransomware group Pay2Key publicly threatened Israel, which might indicate that this operation is <strong>only a propaganda campaign intended to cause fear and to divert attention from the real adversary</strong>. 
That would explain the decision to leak the data instead of just demanding a ransom, and why this actor chose to leak the data via well-known social media platforms and to include threats directed at Israel.</p> <p>Analyzing the recent attacks conducted by the threat actor Pay2Key led us to assess the overlaps between Fox Kitten and Pay2Key. In the following chapter, we examine the tool set used by the Pay2Key group and compare it to the Fox Kitten tool set. In the last chapter of the report, we supply a detailed comparison between the two groups based on both technical and thematic analysis.</p> ]]></content:encoded> </item> <item> <title>Operation Quicksand</title> <link>https://www.clearskysec.com/operation-quicksand/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Thu, 15 Oct 2020 15:00:13 +0000</pubDate> <category><![CDATA[cat2]]></category> <category><![CDATA[cyber attack]]></category> <category><![CDATA[Threat actors]]></category> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[CNA]]></category> <category><![CDATA[covid-19]]></category> <category><![CDATA[Cyber]]></category> <category><![CDATA[Destructive]]></category> <category><![CDATA[Iran]]></category> <category><![CDATA[MuddyWater]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Wiper]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3417</guid> <description><![CDATA[During September 2020, we identified a new campaign targeting many prominent Israeli organizations. The campaign was attributed to the Iranian threat actor ‘MuddyWater’ (also known as TEMP.Zagros, Static Kitten and Seedworm). MuddyWater was previously exposed as a contractor for the IRGC (Islamic Revolutionary Guard Corps). ClearSky and Profero comprehensively researched this campaign. 
During the campaign, […]]]></description> <content:encoded><![CDATA[ <p>During September 2020, we identified a new campaign targeting many prominent Israeli organizations. The campaign was attributed to the Iranian threat actor ‘MuddyWater’ (also known as TEMP.Zagros, Static Kitten and Seedworm). <strong>MuddyWater was previously exposed as a contractor for the IRGC (Islamic Revolutionary Guard Corps).</strong></p> <p><strong>ClearSky and Profero</strong> comprehensively researched this campaign. During the campaign, the group attempted to install a variant of “PowGoop”, a malicious replacement for the Google Update DLL. Based on a Palo Alto Networks report<a href="#_ftn1">[1]</a>, “PowGoop” is a loader for a variant of Thanos ransomware with destructive capabilities.</p> <p>Read the full report: <a href="https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf">Operation Quicksand – MuddyWater’s Offensive Attack Against Israeli Organizations</a></p> <p><strong>We assess that the group is attempting to carry out destructive attacks (in the vein of the 2017 NotPetya attack) disguised as ransomware attacks</strong>. Although we did not see the destructive payload executed in the wild, the presence of destructive capabilities, the attribution to a nation-state sponsored threat actor, and the use of this vector in the past make a destructive purpose more likely than ransomware deployed for financial gain.</p> <p>On September 4<sup>th</sup>, Palo Alto Networks published a report about this destructive variant of Thanos ransomware without attributing it to any known threat actor. The organizations targeted in that campaign were state-run organizations in the Middle East and North Africa. 
The loader of this variant, dubbed ‘PowGoop’, is a fake Google Update mechanism and was attributed to MuddyWater based on code similarities with the MoriAgent / PudPoul DLL loader.</p> <p>In our analysis, we identified two primary attack vectors:</p> <ul class="wp-block-list"><li>The first vector entailed sending a malicious decoy document (PDF or Excel) that communicates with a malicious C2 server over OpenSSL and downloads files, which later deploy the “PowGoop” payload.</li><li>The second vector involves exploiting CVE-2020-0688 (Microsoft Exchange) and deploying the same payload via an aspx file (web shell). The attacker then creates socket tunnels between compromised machines inside the network, using a modified SSF (Secure Socket Funneling), and downloads PowGoop through them as well. Recently, Microsoft revealed that MuddyWater had also been leveraging the Zerologon vulnerability (CVE-2020-1472)<a href="#_ftn2">[2]</a>.</li></ul> <p>In ‘Operation Quicksand’ we uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organizations in Israel and in other countries around the world. </p> <div class="wp-block-image"><figure class="aligncenter size-large"><img decoding="async" width="550" height="51" src="https://www.clearskysec.com/wp-content/uploads/2020/10/image-1-550x51.png" alt="" class="wp-image-3424" srcset="https://www.clearskysec.com/wp-content/uploads/2020/10/image-1-550x51.png 550w, https://www.clearskysec.com/wp-content/uploads/2020/10/image-1-300x28.png 300w, https://www.clearskysec.com/wp-content/uploads/2020/10/image-1.png 604w" sizes="(max-width: 550px) 100vw, 550px" /></figure></div> <p>We identified a recurring PDB path across the networks we investigated, containing the word ‘Covic’. 
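</p> <p>The recurring PDB string is a cheap hunting handle for samples from this campaign. As an added example for this page (not ClearSky or Profero tooling, and not derived from the PowGoop samples), the following Python carves CodeView RSDS debug records out of a PE image or memory dump and flags any PDB path containing a chosen marker such as ‘Covic’. The sample bytes, the GUIDs and the two PDB paths in it are constructed for the demonstration; the real PowGoop PDB path is not reproduced here.</p>

```python
"""Hunt for attacker-specific PDB paths (e.g. containing 'Covic') by carving
CodeView RSDS debug records out of a PE image or a memory dump.

Added example, not ClearSky/Profero tooling. The PDB paths, GUIDs and sample
bytes below are constructed and are NOT the real PowGoop/MuddyWater values."""
import re
import struct
import uuid
from typing import List, Tuple

# CodeView RSDS record layout: b"RSDS" | GUID (16 bytes, little-endian
# fields) | age (uint32 LE) | NUL-terminated ASCII PDB path.
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def carve_pdb_records(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, pdb_path) for every RSDS record found in `data`."""
    records = []
    for m in _RSDS.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        records.append((guid, age, m.group(3).decode("ascii")))
    return records


def suspicious_pdb_paths(data: bytes, markers=("covic",)) -> List[str]:
    """PDB paths whose text contains any marker (case-insensitive)."""
    return [path for _, _, path in carve_pdb_records(data)
            if any(marker.lower() in path.lower() for marker in markers)]


def build_rsds(pdb_path: str, guid: uuid.UUID, age: int) -> bytes:
    """Serialise an RSDS record (used only to construct the sample below)."""
    return (b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + pdb_path.encode("ascii") + b"\x00")


# Constructed sample: junk bytes around two records, one benign-looking and
# one carrying the marker. Both paths and both GUIDs are hypothetical.
SAMPLE = (
    b"\x00" * 64
    + build_rsds(r"C:\proj\benign\Release\app.pdb", uuid.UUID(int=1), 3)
    + b"\x90" * 32
    + build_rsds(r"D:\Covic\proj\bin\Release\loader.pdb", uuid.UUID(int=2), 7)
    + b"\xff" * 16
)

if __name__ == "__main__":
    for guid, age, path in carve_pdb_records(SAMPLE):
        print(f"{guid} age={age} {path}")
    print("suspicious:", suspicious_pdb_paths(SAMPLE))
```

<p>Carving raw RSDS records instead of walking the PE debug directory means the same routine works on memory carvings and on files with damaged headers; for intact PE files, pefile’s DIRECTORY_ENTRY_DEBUG yields the same GUID, age and path with less guesswork. A string like ‘Covic’ is trivial for the developer to change between builds, so treat a hit as a pivot (compare GUID and age across samples, cluster by build path) rather than as attribution on its own.</p> <p>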
This may indicate <strong>covid-19</strong> as the inspiration, and hints at the dates in which MuddyWater might have developed the malware.</p> <hr class="wp-block-separator"/> <p><a href="#_ftnref1">[1]</a> <a href="https://unit42.paloaltonetworks.com/thanos-ransomware/">https://unit42.paloaltonetworks.com/thanos-ransomware/</a></p> <p><a href="#_ftnref2">[2]</a> <a href="https://www.zdnet.com/article/microsoft-says-iranian-hackers-are-exploiting-the-zerologon-vulnerability/">https://www.zdnet.com/article/microsoft-says-iranian-hackers-are-exploiting-the-zerologon-vulnerability/</a></p> ]]></content:encoded> </item> <item> <title>ClearSky Q1 summary report</title> <link>https://www.clearskysec.com/q1-2020/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Thu, 30 Apr 2020 08:33:31 +0000</pubDate> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[2020]]></category> <category><![CDATA[covid-19]]></category> <category><![CDATA[Cyber]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3310</guid> <description><![CDATA[We have published our quarterly report for the first quarter of 2020. We mark the outbreak of the COVID-19 virus as a systemic change for most businesses around the world. The immense pressure felt by many companies and organizations has the potential of evolving into “The perfect storm” in terms of ripe conditions for cyber-attacks, combining […]]]></description> <content:encoded><![CDATA[ <p>We have published our quarterly report for the first quarter of 2020.</p> <p>We mark the outbreak of the COVID-19 virus as a systemic change for most businesses around the world. 
The immense pressure felt by many companies and organizations has the potential of evolving into “the perfect storm” of ripe conditions for cyber-attacks, combining the following elements:</p> <ul class="wp-block-list"><li>Increased attack surface of organizations due to opening new remote access to core systems for workers and vendors.</li><li>Mounting motivations for theft, sabotage or fraud as a result of increased economic pressure.</li><li>Bypassing or lowering security controls for user credentials and privilege management systems in order to meet business demands and remote work.</li><li>Risk of diminished capacity of security teams as a result of increased workload and a decrease in the available workforce.</li><li>HR shortages and the objective difficulties of the new remote work model.</li></ul> <p>It appears that many businesses will require a lengthy recovery period after the lockdown ends. The short- and long-term repercussions are still unknown, and it is unclear whether additional outbreak waves will arrive, committing us to further lockdowns, specifically in the third and fourth quarters of the year, when a new winter-time outbreak wave is expected to occur.</p> <p>Within this document we focus on summarizing Q1 strictly from the cybersecurity perspective and on analyzing the changes to existing cyber threats following the COVID-19 outbreak, alongside new emerging threats, in order to assist you in preparation and decision making in the cyber arena.</p> <p><strong>Read the full Report:</strong> <a href="https://www.clearskysec.com/wp-content/uploads/2020/04/ClearSky_Q1_summary_report.pdf">ClearSky Q1 Summary report</a></p> ]]></content:encoded> </item> <item> <title>Fox Kitten – Widespread Iranian Espionage-Offensive Campaign</title> <link>https://www.clearskysec.com/fox-kitten/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Sun, 16 Feb 2020 14:00:00 +0000</pubDate> <category><![CDATA[Campaigns]]></category> 
<category><![CDATA[cat2]]></category> <category><![CDATA[cyber attack]]></category> <category><![CDATA[APT33]]></category> <category><![CDATA[APT34]]></category> <category><![CDATA[Cyber]]></category> <category><![CDATA[OilRig]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3284</guid> <description><![CDATA[During the last quarter of 2019, the ClearSky research team uncovered a widespread Iranian offensive campaign which we call the “Fox Kitten Campaign”; this campaign has been conducted over the last three years against dozens of companies and organizations in Israel and around the world. Read the full Report: Fox Kitten – Widespread Iranian Espionage-Offensive Campaign […]]]></description> <content:encoded><![CDATA[ <p>During the last quarter of 2019, the ClearSky research team uncovered a widespread Iranian offensive campaign which we call the “Fox Kitten Campaign”; this campaign has been conducted over the last three years against dozens of companies and organizations in Israel and around the world. 
</p> <p> <strong>Read the full Report: <a href="https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf">Fox Kitten – Widespread Iranian Espionage-Offensive Campaign</a></strong></p> <p>Through the campaign, the attackers succeeded in gaining access and a persistent foothold in the networks of numerous companies and organizations from the IT, telecommunications, oil and gas, aviation, government, and security sectors around the world.</p> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="542" height="343" src="https://www.clearskysec.com/wp-content/uploads/2020/02/image-1.png" alt="" class="wp-image-3288" srcset="https://www.clearskysec.com/wp-content/uploads/2020/02/image-1.png 542w, https://www.clearskysec.com/wp-content/uploads/2020/02/image-1-300x190.png 300w" sizes="auto, (max-width: 542px) 100vw, 542px" /></figure> <p><strong>We estimate the campaign revealed in this report to be among Iran’s most continuous and comprehensive campaigns revealed until now</strong>. Aside from malware, the campaign encompasses an entire infrastructure dedicated to ensuring a long-lasting capability to control and fully access the targets chosen by the Iranians. The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman, tied to APT34.</p> <p>During our analysis, we found an overlap, with medium-high probability, between this campaign’s infrastructure and the activity of the Iranian offensive group APT34-OilRig. Additionally, we identified, with medium probability, a connection between this campaign and the APT33-Elfin and APT39-Chafer groups. 
The campaign was first revealed by Dragos, which named it “Parisite” and attributed it to APT33; we call the comprehensive campaign revealed in this report “Fox Kitten”.</p> <p>We assess with medium probability that the Iranian offensive groups APT34 and APT33 have been working together since 2017, through the infrastructure we reveal here, against a large number of companies in Israel and around the world.</p> <p>The campaign infrastructure was used to:</p> <ul class="wp-block-list"><li>Develop and maintain access routes to the targeted organizations</li><li>Steal valuable information from the targeted organizations</li><li>Maintain a long-lasting foothold at the targeted organizations</li><li>Breach additional companies through supply-chain attacks</li></ul> <p>The campaign was conducted using a variety of offensive tools, most of them based on open-source code and some self-developed.</p> <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="531" height="301" src="https://www.clearskysec.com/wp-content/uploads/2020/02/image-2.png" alt="" class="wp-image-3289" srcset="https://www.clearskysec.com/wp-content/uploads/2020/02/image-2.png 531w, https://www.clearskysec.com/wp-content/uploads/2020/02/image-2-300x170.png 300w" sizes="auto, (max-width: 531px) 100vw, 531px" /></figure> <h3 class="wp-block-heading">Our main insights:</h3> <ul class="wp-block-list"><li>The Iranian APT groups have succeeded in penetrating and stealing information from dozens of companies around the world in the past three years.</li><li>The most successful and significant attack vector used by the Iranian APT groups in the last three years has been the exploitation of known vulnerabilities in unpatched VPN and RDP services, in order to infiltrate and take control of critical corporate information stores.</li><li>This attack vector is not used exclusively by the Iranian APT groups; it has become the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups.</li><li>We assess that this attack vector will remain significant in 2020, apparently through the exploitation of new vulnerabilities in VPNs and other remote-access systems (such as the latest one in Citrix).</li><li>Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, from several hours to a week or two.</li><li>Since 2017, we have seen Iranian APT groups focusing on IT companies that provide a wide range of services to thousands of companies. Breaching those IT companies is especially valuable because through them one can reach the networks of additional companies.</li><li>After breaching an organization, the attackers usually maintain a foothold and operational redundancy by installing and creating several more access points to the core corporate network. As a result, identifying and closing one access point does not necessarily deny the capability to carry on operations inside the network.</li><li>We assess with medium-high probability that the Iranian APT groups APT34 and APT33 share attack infrastructure. Furthermore, they may be one group that was artificially labelled in recent years as two or three separate APT groups.</li><li>The time needed to identify an attacker on a compromised network is long, ranging from months to never. 
Identifying and blocking an attacker who entered through remote-communication tools with the monitoring capabilities organizations have today is difficult to impossible.</li></ul> <p>We would like to thank <strong>researchers from Dragos </strong>who found the first signs of the campaign (which they call “Parisite”) and shared with us valuable information that helped us reveal the whole Fox Kitten campaign presented in this report.</p> ]]></content:encoded> </item> <item> <title>The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods</title> <link>https://www.clearskysec.com/the-kittens-are-back-in-town-2/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Mon, 07 Oct 2019 16:56:55 +0000</pubDate> <category><![CDATA[Campaigns]]></category> <category><![CDATA[cat2]]></category> <category><![CDATA[cyber attack]]></category> <category><![CDATA[Charming Kitten]]></category> <category><![CDATA[Cyber]]></category> <category><![CDATA[Iran]]></category> <category><![CDATA[Microsoft]]></category> <category><![CDATA[Political Cyber]]></category> <category><![CDATA[Spear Phishing]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3211</guid> <description><![CDATA[On the 15th of September 2019, we have published a report[1] about a sharp increase in Charming Kitten attacks against researchers from the US, Middle East, and France, focusing on Iranian academic researchers, Iranian dissidents in the US. In our last report, we exposed a new cyber espionage campaign that was conducted in July 2019. […]]]></description> <content:encoded><![CDATA[ <p>On the 15<sup>th</sup> of September 2019, we published a report<a href="#_ftn1">[1]</a> about a sharp increase in Charming Kitten attacks against researchers from the US, the Middle East and France who focus on Iran, and against Iranian dissidents in the US. 
In our last report, we exposed a new cyber espionage campaign that was conducted in July 2019. Since then, we have observed another wave of these attacks, leveraging new impersonation vectors and new IOCs.</p> <p>Until now, Iran was not known as a country that tends to interfere in elections around the world. Historically, this type of cyber activity has been attributed mainly to Russian APT groups such as APT28 (known as Fancy Bear), a group infamous for hacking the emails of the American Democratic National Committee and for targeting German and French campaign members in an attempt to interfere with the elections in the US, Germany, and France. </p> <p>Microsoft’s October announcement reveals, for the first time, that <strong>Charming Kitten, an Iranian APT group, plays a role in cyber-attacks aimed at interfering with democratic processes.</strong></p> <p> On the 4<sup>th</sup> of October 2019<a href="#_ftn2">[2]</a>, Microsoft announced that Phosphorus (known as Charming Kitten) had attempted to attack email accounts associated with the following targets: a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran. These spear-phishing attacks were conducted by Charming Kitten in August and September. 
<strong>We assess with medium-high confidence that Microsoft’s discovery and the findings in our previous and current reports describe the same operation.</strong></p> <hr class="wp-block-separator"/> <p><strong>Read the full report: </strong><a href="https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf">The Kittens Are Back in Town 2</a></p> <hr class="wp-block-separator"/> <p>Our assessment is based on the following points:</p> <ol class="wp-block-list"><li><strong>Same victim profiles</strong> – In both cases, the victims were individuals of interest to Iran in the fields of academic research, human rights, opposition to the Islamic Republic of Iran’s regime (such as NIAC) and journalism. The overlap is not exact, since our sample is based mainly on Israeli victims.</li><li><strong>Time overlap</strong> – In our latest report, we mentioned that we had observed an escalation of the attacks in July-August 2019. In its announcement, Microsoft stated that the attacks occurred ‘in a 30-day period between August and September’.</li><li><strong>Similar attack vectors</strong> – In both cases, Charming Kitten used similar attack vectors:<ol><li>Impersonated password-recovery messages for the victims’ secondary email addresses.</li><li>Spear-phishing emails targeting Microsoft, Google and Yahoo services. </li><li>In our research, we identified spear-phishing via SMS messages, indicating that Charming Kitten gathers the phone numbers of its targets. Microsoft found that Charming Kitten gathers the phone numbers used for password recovery and two-factor authentication in order to take over the victims’ email accounts.</li></ol></li></ol> <p>In this report, we uncover four new spear-phishing methods used by this group, along with new indicators of this operation. 
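</p> <p>Two of the vectors listed above, a password-recovery notice impersonating a webmail provider and spear-phishing aimed at Microsoft, Google and Yahoo accounts, together with the email tracker described in our September report further down this page, can be triaged mechanically. The following Python is an added example written for this page, not ClearSky tooling: the brand-to-domain map is an assumption that a real deployment would maintain from the providers’ own documentation, and the sample message, its sender and link hosts (reserved .example names) and the tracking image are constructed.</p>

```python
"""Triage a spear-phishing e-mail for two tells: a 'password recovery' lure
for a webmail brand whose links leave that brand's domains, and a remote
tracking image that beacons when the message is opened or forwarded.

Added example, not ClearSky tooling. BRAND_DOMAINS is an assumption; the
sample message, its .example hosts and the beacon URL are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: domains a genuine recovery notice from each brand would link to.
BRAND_DOMAINS = {
    "google": ("google.com", "gmail.com"),
    "microsoft": ("microsoft.com", "live.com", "outlook.com", "office.com"),
    "yahoo": ("yahoo.com",),
}
RECOVERY_WORDS = ("password", "recover", "verify your account", "sign-in attempt")


class _Collector(HTMLParser):
    """Collect <a href> targets and <img> attributes from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)


def _host_in(host: str, domains) -> bool:
    """True if host equals or is a subdomain of one of `domains`."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _looks_like_tracker(img: dict) -> bool:
    """Remote image that is 1x1/0x0 or carries a long per-recipient token."""
    u = urlparse(img["src"])
    if u.scheme not in ("http", "https"):
        return False  # inline/cid images do not beacon
    tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
    long_token = (any(len(v[0]) >= 16 for v in parse_qs(u.query).values())
                  or re.search(r"/[A-Za-z0-9_-]{16,}", u.path) is not None)
    return tiny or long_token


def triage_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()

    claimed = [b for b in BRAND_DOMAINS if b in text]       # brands the lure names
    recovery_theme = any(w in text for w in RECOVERY_WORDS)

    c = _Collector()
    c.feed(html)
    off_brand_links = [
        href for href in c.links
        if claimed and not any(_host_in(urlparse(href).hostname or "", BRAND_DOMAINS[b])
                               for b in claimed)
    ]
    trackers = [img["src"] for img in c.images if _looks_like_tracker(img)]

    verdict = "suspicious" if (recovery_theme and off_brand_links) or trackers else "clean"
    return {"claimed_brands": claimed, "recovery_theme": recovery_theme,
            "off_brand_links": off_brand_links, "trackers": trackers,
            "verdict": verdict}


# Constructed sample (reserved .example hosts; not real indicators).
SAMPLE_EMAIL = """\
From: "Google Accounts" <no-reply@accounts-google-recovery.example>
To: target@example.org
Subject: Password recovery request for your Google account
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone requested password recovery for your Google account.</p>
<p><a href="https://accounts-google-recovery.example/recover?u=target">Recover your password</a></p>
<img src="https://track.attacker-cdn.example/p/Zk9s3Qm2Lx8Vt4Bn7Cd1.gif" width="1" height="1" alt="">
</body></html>
"""

# Same lure text, but linking to the brand's own domain and without the beacon.
BENIGN_EMAIL = re.sub(r"<img[^>]*>\n", "", SAMPLE_EMAIL).replace(
    "https://accounts-google-recovery.example/recover?u=target",
    "https://accounts.google.com/signin/recovery")

if __name__ == "__main__":
    print(triage_message(SAMPLE_EMAIL))
    print(triage_message(BENIGN_EMAIL))
```

<p>The two checks are deliberately independent: a recovery-themed message is only flagged when its links leave the named brand’s domains, so a genuine notice stays clean, while a tracking image is flagged on its own because it leaks the reader’s IP address and therefore geolocation, and fires again on every forward, which is exactly what the tracker described in the September report exploited. The domain list and the 16-character token heuristic are tuning knobs for a real deployment, not fixed indicators.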
</p> <p><strong>Indicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP event 1745.</strong></p> <hr class="wp-block-separator"/> <p><a href="#_ftnref1">[1]</a> <a href="https://www.clearskysec.com/the-kittens-are-back-in-town/">https://www.clearskysec.com/the-kittens-are-back-in-town/</a> </p> <p> <a href="#_ftnref2">[2]</a> <a href="https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/">https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/</a></p> ]]></content:encoded> </item> <item> <title>The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers</title> <link>https://www.clearskysec.com/the-kittens-are-back-in-town/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Sun, 15 Sep 2019 14:11:28 +0000</pubDate> <category><![CDATA[cat2]]></category> <category><![CDATA[Incidents]]></category> <category><![CDATA[Threat actors]]></category> <category><![CDATA[Charming Kitten]]></category> <category><![CDATA[Cyber]]></category> <category><![CDATA[Iran]]></category> <category><![CDATA[Phishing]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3184</guid> <description><![CDATA[In 2019 ClearSky Cyber Security observed a sharp increase in Charming Kitten attacks, after an absence of a few months and after Microsoft’s 2019 legal complaint against the group for “establishing an internet-based cybertheft operation referred to as ‘Phosphorus’“. 
Read the full report: The Kittens Are Back in Town Charming Kitten – Campaign Against Academic […]]]></description> <content:encoded><![CDATA[ <p>In 2019 ClearSky Cyber Security observed a sharp increase in Charming Kitten attacks, after an absence of a few months and after Microsoft’s 2019 legal complaint against the group for “establishing an internet-based cybertheft operation referred to as ‘Phosphorus’“.</p> <p><strong>Read the full report:</strong> <a href="https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-Sep-2019.pdf">The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers</a></p> <p>It appears that the group has initiated a new cyber espionage campaign comprising two stages, aimed at two different target groups:</p> <ul class="wp-block-list"><li>Non-Iranian researchers from the US, the Middle East, and France, focusing on academic research of Iran.</li><li>Iranian dissidents in the US.</li></ul> <p>Despite the considerable unrest in the Iranian cyber sphere, it appears that, like the MuddyWater APT, Charming Kitten was unaffected<a href="#_ftn1">[1]</a>.</p> <p>In August the campaign progressed, and unlike in July, the APT group now appears to be expanding its activities toward influential public figures around the world, rather than academic researchers and state organizations. 
Additionally, in August 2019, we found that the group had begun adding a tracker to its emails, enabling it to follow a message as it is forwarded to additional accounts and to obtain geolocation information.</p> <p><strong>Indicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP events 1682 and 1438.</strong></p> <hr class="wp-block-separator"/> <p><a href="#_ftnref1">[1]</a> <a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf">https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf</a></p> ]]></content:encoded> </item> <item> <title>2019 H1 Cyber Events Summary Report</title> <link>https://www.clearskysec.com/2019-h1-cyber-events-summary-report/</link> <dc:creator><![CDATA[ClearSky Research Team]]></dc:creator> <pubDate>Tue, 13 Aug 2019 09:33:09 +0000</pubDate> <category><![CDATA[General]]></category> <category><![CDATA[Threat actors]]></category> <category><![CDATA[2019]]></category> <category><![CDATA[Cyber]]></category> <guid isPermaLink="false">https://www.clearskysec.com/?p=3171</guid> <description><![CDATA[We are happy to present our half-year report summarizing cyber events for the first half of 2019. This report provides an in-depth review of significant trends, as well as major attack events in the cyber landscape – a combined effort of our intelligence research, threat-hunting and analyst teams. Read the full report: 2019 H1 Cyber […]]]></description> <content:encoded><![CDATA[ <p>We are happy to present our half-year report summarizing cyber events for the first half of 2019. This report provides an in-depth review of significant trends, as well as major attack events in the cyber landscape – a combined effort of our intelligence research, threat-hunting and analyst teams. 
</p> <p><strong>Read the full report: </strong><a href="https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf">2019 H1 Cyber Events Summary Report</a></p> <figure class="w-block-image"><img loading="lazy" decoding="async" width="550" height="330" src="https://www.clearskysec.com/wp-content/uploads/2019/08/H12019-550x330.jpg" alt="" class="wp-image-3172" srcset="https://www.clearskysec.com/wp-content/uploads/2019/08/H12019-550x330.jpg 550w, https://www.clearskysec.com/wp-content/uploads/2019/08/H12019-300x180.jpg 300w, https://www.clearskysec.com/wp-content/uploads/2019/08/H12019-768x461.jpg 768w, https://www.clearskysec.com/wp-content/uploads/2019/08/H12019.jpg 794w" sizes="auto, (max-width: 550px) 100vw, 550px" /></figure> <h2 class="wp-block-heading">Preface </h2> <p>In recent months we have observed multiple targeted ransomware attacks against major companies, including international corporations; undoubtedly, this is the most significant attack vector of the first half of 2019. The main penetration vectors in these attacks are decoy emails carrying malicious content and attacks on RDP (Remote Desktop Protocol). In our assessment, this year RDP has become a significant vector through which computer systems are infected worldwide.</p> <p>The most notable example of a targeted ransomware operation is the Norsk Hydro attack, which we classified as the most significant attack of the first half of 2019. Forensic investigations of the attack on Norsk Hydro, as well as of other companies that suffered similar incidents, revealed an extensive attack infrastructure aided by sophisticated, evasive tools and zero-day vulnerabilities. Indeed, the LockerGoga ransomware infrastructure has managed to infiltrate hundreds of companies worldwide and extort tens of millions of USD. 
Norsk Hydro alone stated that the damage caused by the attack is estimated at around 75 million USD.</p> <p><strong>Significant increase in targeted ransomware attacks on large companies and organizations globally</strong></p> <p>Behind several of these attacks are nation-state actors that execute ransomware attacks with the end goal of causing harm rather than financial gain. Several of the most notable ransomware attacks so far are Norsk Hydro, ASCO, Sonangol and Verint. In contrast to the rising popularity of targeted ransomware, destructive ransomware attacks – in which the files are corrupted without a recovery option – were not reported during the first half of 2019. This could be the result of intensive collaboration between agencies worldwide to hinder such attacks. </p> <p><strong>Increase in BEC (Business Email Compromise) attacks</strong> </p> <p>This type of attack, in which the attacker traditionally impersonates an executive in the company or a third-party provider, is the most common type of attack globally. According to the latest data from the FBI, as of June 2018, BEC scams have caused over 12 billion dollars in losses globally.<a href="#_ftn1">[1]</a> This figure is expected to continue rising in 2019. Over the past two months, attackers began leveraging AI (Artificial Intelligence) systems to impersonate senior employees’ voices and trigger financial transactions, resulting in immediate losses of millions of euros.</p> <p><strong>More attacks against financial institutions</strong></p> <p>In 2019, financial institutions and banking users are still a desirable target for tailored cyber-attacks aimed at financial gain. However, while the trend continues, we did not see a sharp increase in the attack rate. 
This appears to be a direct result of the considerable effort and resources invested by the banks in mitigating cyber threats, in conjunction with attackers shifting to more profitable and less secure targets such as cryptocurrency platforms. In 2019 these platforms continued to suffer hundreds of millions of dollars in losses, making them the most targeted financial platforms to date. Alongside that, a notable decrease in the rate of attacks targeting the SWIFT system was observed – most likely as a result of the great effort invested by the security industry in protecting these systems.</p> <p><strong>Social media platforms combat the fake news phenomenon</strong></p> <p>Over the last six months we have seen considerable efforts by social media platforms to identify and take down fake-news sources and actors, by conducting both extensive investigations and routine takedown actions, little by little. While these actions do not fully neutralize the phenomenon, they do play a crucial role in raising awareness.</p> <p><strong>Attack attempts against Internet of Things (IoT) and SCADA systems</strong></p> <p>Over the last six months, we have seen an alarming rise in threats to industrial IoT (Internet of Things) and ICS systems, notably various threat actors targeting power grids. The most prominent actors in this regard are the USA and Russia. For example, the Triton malware used in the attack on a Saudi petrochemical plant is currently attributed to Russia.</p> <p><strong>Escalation of the Digital Cold War between the US, Russia, and China</strong></p> <p>The recent developments of a “digital cold war” between the US, China, and Russia – amongst others – were a key event on the global cyber arena during the first half of 2019. 
Political conflicts resulted in immediate actions in the cyber landscape and led to parallel efforts by several major powers to acquire purpose-built SCADA malware, as well as the ability to cripple their adversaries’ power facilities in preparation for a time of need. For the first time, officials in the Trump administration reported that payloads developed in the US had been planted in Russia’s power grid. </p> <p>One of the most striking consequences of this situation can be seen in the continued weaponization of social media platforms to propagate disinformation on a massive scale, and in the rapid proliferation of advanced malware. The latter in particular has facilitated new threats against service providers, alongside critical infrastructure.</p> <p>Accordingly, these nations and their allies have begun taking major mitigation actions; be they economic, such as embargoes and global trade restrictions, or technological, such as new plans to implement an “internet kill-switch”.<a href="#_ftn2">[2]</a> These and other developments are largely a reactive backlash following large-scale campaigns against numerous industries and sectors, including critical infrastructure, large industrial operations, and military organizations.</p> <p><strong>More and more countries are claiming almost direct responsibility for major attacks</strong> </p> <p>This is likely an attempt to create deterrence and signals the next stage in the digital cold war – “who is the bigger threat / who can cause the most damage”. Alongside the deterrence efforts, we continue to see disclosures of critical vulnerabilities that pose a threat to global computer networks, such as the BlueKeep flaw. 
We assess that Russia will likely attempt to exploit these vulnerabilities to execute a massive cyber attack in the vein of NotPetya.</p> <p><strong>Increase in Iranian cyber capabilities alongside the expansion of their cyber operations against foreign countries</strong> </p> <p>In this regard, we also saw Iran expanding its operations into new regions. The increase in Iranian offensive operations in the cyber arena is aligned with the escalation of the conflict between Iran and the United States, concerning the violation of the nuclear deal, the US sanctions and more. </p> <p> <strong>Indicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP events.</strong><br></p> <hr class="wp-block-separator"/> <p><a href="#_ftnref1">[1]</a> <a href="https://www.ic3.gov/media/2018/180712.aspx">https://www.ic3.gov/media/2018/180712.aspx</a></p> <p><a href="#_ftnref2">[2]</a> <a href="https://www.theguardian.com/world/2019/apr/11/russia-passes-bill-internet-cut-off-foreign-servers">https://www.theguardian.com/world/2019/apr/11/russia-passes-bill-internet-cut-off-foreign-servers</a></p> ]]></content:encoded> </item> </channel> </rss>