Iranian Hackers Deploy ScreenConnect for Espionage Against UAE and Kuwait Government Agencies

February 11, 2021

Recent research reveals that UAE and Kuwait government agencies have fallen victim to a new cyberespionage initiative, likely orchestrated by Iranian threat actors. Attributed to the group known as Static Kitten (also referred to as MERCURY or MuddyWater), Anomali reports that the aim of this operation is to install a remote management tool named ScreenConnect, which was acquired by ConnectWise in 2015, using unique launch parameters and custom properties. Malware samples and URLs have been disguised as communications from the Kuwaiti Ministry of Foreign Affairs and the UAE National Council. Since its emergence in 2017, MuddyWater has been linked to several attacks targeting Middle Eastern nations, actively exploiting the Zerologon vulnerability to launch real-world attacks against significant Israeli organizations. This state-sponsored hacking group is believed to operate under the direction of Iran’s Islamic Revolutionary Guard Corps.

Iranian Hackers Target UAE and Kuwait Government Agencies Using ScreenConnect

Feb 11, 2021

In a recent development, government agencies in the United Arab Emirates (UAE) and Kuwait have fallen victim to a sophisticated cyberespionage campaign, thought to be executed by Iranian threat actors. According to findings from Anomali, the attack is attributed to a group known as Static Kitten, also referred to as MERCURY or MuddyWater. The group’s strategy appears to involve deploying a remote management tool named ScreenConnect, which was acquired by ConnectWise in 2015. This installation is characterized by customized launch parameters and properties, suggesting careful orchestration of the attack to evade detection.

The malicious activity has utilized malware samples and URLs designed to impersonate official platforms, including the Ministry of Foreign Affairs of Kuwait and the UAE National Council. Such tactics highlight a calculated effort to blend into legitimate governmental channels, thereby enhancing the likelihood of successful infiltration.

Static Kitten has established a reputation for targeting Middle Eastern nations since its emergence in 2017. Notably, the group has exploited significant vulnerabilities, including the notorious Zerologon vulnerability, to execute real-world attacks, particularly against notable Israeli organizations. This history indicates a pattern of activity focused on regional adversaries, driven by geopolitical motivations.

The state-sponsored nature of this group suggests it operates under the auspices of Iran’s Islamic Revolutionary Guard Corps. Such affiliation underscores the intricate relationship between state interests and cyber operations, where technological strategies are increasingly employed to achieve national objectives.

In analyzing the potential tactics employed in this cyberattack, it’s worth noting several frameworks within the MITRE ATT&CK Matrix. Initial access likely involved techniques such as phishing or exploiting trusted relationships to deliver the remote management tool. Persistence could have been achieved through the installation of the ScreenConnect software, enabling continuous access to the targeted systems. Moreover, privilege escalation techniques may have been utilized to gain heightened access rights once the initial breach was successful.

As this situation develops, it emphasizes the urgent need for heightened cybersecurity measures among government agencies and organizations within the region. The sophistication of the techniques employed in this attack signals a broader trend in cyber warfare, where advanced tools are leveraged to facilitate espionage and resource extraction in geopolitical contexts. Stakeholders must remain vigilant to protect sensitive information and maintain operational integrity in an increasingly perilous digital landscape.

The emergence of threats such as those posed by Static Kitten reinforces the critical importance of staying informed and proactive in cybersecurity strategies, ensuring businesses are equipped to contend with evolving tactics in the face of cyber risks.

Source link

Related Posts

Top 5 Bug Bounty Platforms to Watch in 2021

February 8, 2021

While Gartner has yet to establish a dedicated Magic Quadrant for Bug Bounty or Crowd Security Testing, its Peer Insights platform currently lists 24 vendors in the “Application Crowdtesting Services” category. We’ve identified the top 5 most promising bug bounty platforms for those looking to enhance their software testing strategies with insights and expertise from global security researchers:

  1. HackerOne
    As a leading name in the bug bounty space, backed by notable venture capitalists, HackerOne is widely recognized worldwide. According to their latest annual report, over 1,700 companies rely on HackerOne to strengthen their in-house application security testing. The report highlights that their security researchers earned around $40 million in bounties in 2019 alone, contributing to a cumulative total of $82 million. HackerOne is also known for coordinating bug bounty programs for the US government, among others.

Microsoft Releases Patches for Active 0-Day Vulnerability and 55 Other Windows Flaws

On February 10, 2021, Microsoft addressed a total of 56 vulnerabilities, including a critical 0-day exploit that is currently being targeted in the wild. Among these, 11 vulnerabilities are classified as Critical, 43 as Important, and 2 as Moderate in severity, with six being previously disclosed. The updates enhance security across various platforms, including .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and key system components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).

The most critical vulnerability addressed is a Windows Win32k privilege escalation issue (CVE-2021-1732, CVSS score 7.8), which could allow attackers with access to a system to execute malicious code with elevated privileges. Microsoft acknowledges the contributions of JinQuan, MaDongZe, TuXiaoYi, and LiHao from DBAPPSecurity in identifying this vulnerability.

Malvertising Group Harnesses WebKit 0-Day to Redirect Users to Scam Sites

February 17, 2021

A malvertising collective known as “ScamClub” has exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirect users to fraudulent gift card scam websites. The attacks, first identified by the advertising security firm Confiant in late June 2020, took advantage of a bug (CVE-2021–1801) that allowed malicious actors to circumvent the iframe sandboxing policy in the browser engine used by Safari and Google Chrome on iOS, enabling them to execute harmful code. This technique specifically targeted the way WebKit manages JavaScript event listeners, allowing attackers to escape the sandbox of an ad’s inline frame even with the “allow-top-navigation-by-user-activation” attribute in place, which typically prevents redirection unless an event occurs within the iframe. To validate this approach, researchers created a simple HTML file featuring a cross-origin sandboxed iframe, along with an external button…

Cisco Issues Security Updates for Critical Vulnerabilities in Its Products

February 26, 2021

Cisco has released a critical security patch for a severe vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO). This flaw potentially enables unauthenticated remote attackers to bypass authentication on compromised devices. According to a recent advisory from the company, “An attacker could exploit this vulnerability by sending a crafted request to the affected API.” A successful exploit could allow the attacker to obtain a token with administrator-level privileges, enabling authentication to the affected MSO and Cisco Application Policy Infrastructure Controller (APIC) devices. Identified as CVE-2021-1388, this vulnerability scores a 10 (out of 10) on the CVSS vulnerability scale and arises from improper token validation in an API endpoint of the Cisco ACI MSO installed on the Application Services Engine. It impacts ACI MSO versions running on the 3.0 software release. The ACI Multi-Site Orchestrator enables customers to monitor and manage their network infrastructure effectively.