Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023. This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel. Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report. https://lnkd.in/gAw45-yA
Richard Staynings’ Post
-
Cyber Security Consultant | Isc² Certified in Cyber Security | Senior Penetration Tester | VAPT/WAPT Specialist |
Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023. This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel. Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report. "Hack-and-leak and information operations remain a key component in these and related threat actors' efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence," the tech giant said. But what's also notable about the Israel-Hamas conflict is that the cyber operations appear to be executed independently of the kinetic and battlefield actions, unlike observed in the case of the Russo-Ukrainian war. Such cyber capabilities can be quickly deployed at a lower cost to engage with regional rivals without direct military confrontation, the company added. One of the Iran-affiliated groups, dubbed GREATRIFT (aka UNC4453 or Plaid Rain), is said to have propagated malware via fake "missing persons" site targeting visitors seeking updates on abducted Israelis. The threat actor also utilized blood donation-themed lure documents as a distribution vector.
Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative
thehackernews.com
-
Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative: Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023. This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel. Iran
Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative
thehackernews.com
-
❗️🇺🇦IMPORTANT ANNOUNCEMENT🇺🇦❗️ Yesterday, our Cloudforce One team published the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti, during their latest phishing campaign targeting Ukraine. Cloudforce One is a service which combines Cloudflare's visibility into real-time attack traffic with a world-class threat research team for unmatched operational threat intelligence. Here is a summary of the key points in the report below:
- In mid-April, Cloudforce One detected the Russia-aligned threat actor FlyingYeti preparing to launch a phishing espionage campaign.
- This group is known to heavily target Ukrainian defense entities with PowerShell malware known as COOKBOX.
- We assessed FlyingYeti intended to launch their campaign in early May, likely following Orthodox Easter.
- After several weeks of monitoring actor reconnaissance and weaponization activity, we successfully disrupted FlyingYeti’s operation moments after the final COOKBOX payload was built.
- We offer steps users can take to defend themselves against FlyingYeti phishing operations, and also provide recommendations, detections, and indicators of compromise.
#Cloudflare #Ukraine #ThreatIntelligence #Cybersecurity #BetterInternet
Disrupting FlyingYeti's campaign targeting Ukraine
blog.cloudflare.com
-
Clever social engineering by foreign nation state-backed hackers, leveraging a phishing lure email link disguised as a German-language invite to a wine tasting event hosted by the Christian Democratic Union. The link contains a stage one “dropper” called ROOTSAW, which delivers a second-stage WINELOADER from an actor-controlled remote server. WINELOADER is then invoked via a technique called DLL side-loading using the legit sqldumper.exe file, which then reaches that remote server to fetch additional execution modules to be run on the compromised target host. #cyberthreat #hacker #infosec #phishingattack #cybertraining #cybersecurityawareness #cybersecurity #maliciouslinks #security #cyberattack #dllsecurity
Mandiant connects WINELOADER backdoor to Midnight Blizzard, a Russian SVR-linked hacking group. #Malware targeted German political parties with wine-tasting phishing scams. Read more: https://lnkd.in/gGb8qxte #cybersecurity #hacking
Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties
thehackernews.com
-
It is becoming increasingly difficult to protect your users from highly sophisticated phishing attacks. What is critical is to implement a solution which protects users from the ensuing attack process - the actual cause of harm. #protectbeforedetect #zerotrust #appguard
Mandiant connects WINELOADER backdoor to Midnight Blizzard, a Russian SVR-linked hacking group. #Malware targeted German political parties with wine-tasting phishing scams. Read more: https://lnkd.in/gGb8qxte #cybersecurity #hacking
Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties
thehackernews.com
-
A recent article on Security Affairs discusses APT28, a threat group targeting European organizations. APT28, also known as Fancy Bear or Strontium, is a Russian government-backed group notorious for cyber espionage campaigns. The article highlights APT28's use of the Headlace malware, a custom backdoor deployed to compromise targeted systems. This malware allows attackers to gain persistence, steal data, and conduct other malicious activities. This is a timely reminder of the evolving tactics used by advanced threat actors. By staying informed about the latest threats and implementing robust security measures, organizations can better defend themselves against cyberattacks. #cybersecurity #APT28 #HeadlaceMalware #Europe https://lnkd.in/gKg9NTMU
APT28 targets key networks in Europe with HeadLace malware
securityaffairs.com
-
In April and May 2024, Cloudforce One employed proactive defence measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine. 🇺🇦 ☁ Find out more about how Cloudflare did it! #BetterInternet #cybersecurity #phishing #ukraine #technology #cloudflare
Disrupting FlyingYeti's campaign targeting Ukraine
blog.cloudflare.com
-
CEO at Speclar | Founder at Astra Cybersec | CTO at Teenvisor | Cybersecurity Researcher | Teen Entrepreneur & Ethical Hacker | Blockchain Enthusiast | Public Speaker & Social Activist | Building the Next Unicorn
A previously unknown threat actor has been attributed to a spate of attacks targeting Azerbaijan and Israel with an aim to steal sensitive data. The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524. "Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques," the cybersecurity company said in an analysis published last week. The attack chains commence with the use of phishing emails bearing Microsoft Word documents that, upon opening, urge the recipients to "Enable Content" and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader ("MicrosoftWordUpdater.log"). In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync ("synchronize.dll"), which then establishes contact with a remote server ("185.23.253[.]143") to receive and run commands.
-
We've got a wild ride in Ukraine with DirtyMoe wreaking havoc on over 2,000 computers (Article published in Thehackernews.com). This digital troublemaker, active since 2016, is pulling off the classic combo: cryptojacking and DDoS attacks. DirtyMoe is like an old pro, expanding in a worm-like fashion and exploiting identified security flaws. The DDoS party is delivered by Purple Fox, equipped with a rootkit, making detection difficult. The CERT team in Ukraine is on the case, advising defense updates, segregation of networks, and keeping an eye out for suspicious cyber shenanigans. But wait, there's more to it! Shuckworm is playing tricks with a phishing campaign called STEADY#URSA, aiming at Ukrainian military folks. Their weapon of choice is SUBTLE-PAWS, a PowerShell backdoor. It's stealthy, utilizing Telegram for communication, and can hitch a ride on USB drives. Shuckworm, an expert player linked to Russia's FSB since 2013, is upping their game. The cybersecurity heroes in Ukraine are fighting hard, but it's a wake-up call for us all. Consider it like strengthening your castle – update those defenses, keep things compartmentalized, and stay vigilant. Cyber threats are real, and we're in it together, cyber warriors! 💻🤖🛡️ Read more on https://lnkd.in/gXs-yAMx and https://lnkd.in/gKfF_YTs #CyberSecurity #ThreatIntel #DigitalBattles
DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking
thehackernews.com