
Iran / Albanian Cyberattacks


Marcos (Administrator) wrote:

Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoCs?


8 hours ago, Marcos said:

Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoCs?

https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against

Eset and all major AVs detect the RoadSweep and ZeroCleare malware components.

No one detects the ChimneySweep backdoor component, most likely due to lack of a sample. Most AVs detect the backdoor installer component, unpack.exe. Eset, per a VirusTotal lookup, does not.

I did not check for detection of the multiple .dll components used in this attack.

Edited by itman

Here's Microsoft's article on the subject: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ which indicates the target(s) were initially compromised in May 2021:

Quote

A group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2.*.*), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim’s network between October 2021 and January 2022.

As is typical of APT attacks, they are multi-staged events that evolve over a period of time. Also, exploiting an existing system/network vulnerability is usually the first attack vector employed.

Edited by itman