DM R, posted September 8, 2022:
Thoughts on the current attacks with Iran/Albania?

DM R (author), posted September 8, 2022:
Also, can ESET detect and block them based on the IOCs provided by MS?
Marcos (Administrator), posted September 9, 2022:
Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoCs?
itman, posted September 9, 2022 (edited September 9, 2022 by itman):
Quote (Marcos, 8 hours ago): Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoCs?

https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against

ESET and all major AVs detect the RoadSweep and ZeroClear malware components. No one detects the ChimneySweep backdoor component, most likely due to lack of a sample. Most AVs detect the backdoor installer component, unpack.exe; ESET, per a VirusTotal lookup, does not. I did not check for detection of the multiple .dll components used in this attack.
itman, posted September 9, 2022 (edited September 10, 2022 by itman):
Here's Microsoft's article on the subject: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ which indicates the target(s) were initially compromised in May 2021:

Quote: A group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2.*.*), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim's network between October 2021 and January 2022.

As is typical of APT attacks, these are multi-staged events that evolve over a period of time. Also, exploiting an existing system/network vulnerability is usually the first attack vector employed.
DM R (author), posted September 12, 2022:
Thanks @itman @Marcos. The link is below. Yeah, wondering if ESET has familiarized its security fabric with the IOCs published by MS. https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/