Posted

Thoughts on the current attacks with Iran/Albanian

Posted

Also, can ESET detect and block them based on the IOCs provided by MS?
Posted

Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoC?

Posted (edited)
8 hours ago, Marcos said:

Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoC?

https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against

Eset and all major AVs detect the RoadSweep and ZeroClear malware components.

No one detects the ChimneySweep backdoor component, most likely due to lack of a sample. Most AVs detect the backdoor installer component, unpack.exe. Eset, per a VirusTotal lookup, does not.

I did not check for detection of multiple .dll components used in this attack.

Edited by itman
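The thread's question is whether published IoCs translate into detection. The script below is an added example, not code from this thread, from ESET, or from the vendor reports it links; it shows the simplest form of IoC-based detection, a SHA-256 hash sweep of a directory, and why hash IoCs miss variants for which no sample was published. The IoC values are constructed placeholders (the real hashes are in the Microsoft and Mandiant reports, not on this page), and the directory contents are constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile

# Constructed placeholder IoC set keyed by SHA-256. In practice these entries
# come from the vendor report; none of the values here are real malware hashes.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-1").hexdigest(): "constructed-sample-1",
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-2").hexdigest(): "constructed-sample-2",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs=KNOWN_BAD_SHA256):
    """Walk root, hash every regular file, return {path: ioc_label} for matches."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in iocs:
                hits[path] = iocs[digest]
    return hits


def demo():
    """Constructed directory: one exact IoC match, one one-byte variant, one benign file.

    Returns (matched file names, matched IoC labels). The variant is not caught,
    which is the hash-IoC limitation behind 'no detection due to lack of sample'.
    """
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "match.bin"), "wb") as f:
            f.write(b"CONSTRUCTED-SAMPLE-1")
        with open(os.path.join(root, "variant.bin"), "wb") as f:
            f.write(b"CONSTRUCTED-SAMPLE-1" + b"\x00")  # differs by one byte
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here")
        hits = sweep_directory(root)
        return sorted(os.path.basename(p) for p in hits), sorted(hits.values())


if __name__ == "__main__":
    print(demo())  # (['match.bin'], ['constructed-sample-1'])
```

Because only the unmodified file matches, a defender relying on hash IoCs alone should pair them with behavioural or signature-based detection from the AV vendor; the hash sweep is useful for confirming whether a published sample is present, not for proving its absence.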
Posted (edited)

Here's Microsoft's article on the subject: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ which indicates the target/s were initially compromised in May 2021:

Quote

A group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2.*.*), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim’s network between October 2021 and January 2022.

As is typical of APT attacks, they are multi-staged events that evolve over a period of time. Also, exploiting an existing system/network vulnerability is usually the first attack vector employed.

Edited by itman