DM R, posted September 8, 2022: Thoughts on the current attacks with Iran/Albania?
DM R (author), posted September 8, 2022: Also, with the IOCs provided by MS, can ESET detect and block them?
Marcos (Administrator), posted September 9, 2022: Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoC?
itman, posted September 9, 2022 (edited September 9, 2022 by itman), replying to Marcos ("Please provide a link to an article with more information on the attacks that you inquired about. Are you asking if ESET can detect the threats based on published IoC?"): https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against Eset and all major AVs detect the RoadSweep and ZeroClear malware components. No one detects the ChimneySweep backdoor component, most likely due to lack of a sample. Most AVs detect the backdoor installer component, unpack.exe. Eset, per VirusTotal lookup, does not. I did not check for detection of the multiple .dll components used in this attack.
itman, posted September 9, 2022 (edited September 10, 2022 by itman): Here's Microsoft's article on the subject: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ which indicates the target/s were initially compromised in May 2021: "A group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2.*.*), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim's network between October 2021 and January 2022." As is typical in APT attacks, they are multi-staged events that evolve over a period of time. Also, exploiting an existing system/network vulnerability is usually the first attack vector employed.
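The thread's underlying question is whether a published IoC list actually maps onto files in one's own environment. The following is an added example, not code from the forum, from ESET, or from the Microsoft/Mandiant reports: a small hash-based IoC sweep that parses a "label sha256" feed, hashes every file under a directory, and reports matches. The feed format, the label names and the sample bytes are constructed placeholders; real hashes come only from the vendor's published report.

```python
"""Hash-based IoC sweep (added example; the feed format and placeholder
indicators are constructed for this illustration, not real IoCs)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

HEX = set("0123456789abcdef")


def parse_ioc_feed(text: str) -> Dict[str, str]:
    """Parse lines of the form '<label> <sha256>' into {sha256: label}.

    Blank lines and '#' comments are skipped; a malformed digest raises so a
    typo in the feed cannot silently turn into a never-matching indicator.
    """
    iocs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        label, digest = line.split()
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        iocs[digest] = label
    return iocs


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, label, sha256) for every file under root whose hash is
    in the IoC set. Files are visited in sorted order for stable reports."""
    hits: List[Tuple[str, str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        label = iocs.get(digest)
        if label is not None:
            hits.append((str(path), label, digest))
    return hits


# Constructed stand-in for a flagged binary; the feed below is derived from
# it so the example is self-consistent. Neither is a real indicator.
CONSTRUCTED_SAMPLE = b"CONSTRUCTED SAMPLE - stands in for a flagged installer"
CONSTRUCTED_IOC_FEED = (
    "# constructed placeholder feed: '<label> <sha256>' per line\n"
    f"placeholder-installer {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()}\n"
)


def run_demo() -> List[Tuple[str, str, str]]:
    """Build a throwaway directory with one matching and one clean file,
    sweep it, and return the hits (exactly one expected)."""
    iocs = parse_ioc_feed(CONSTRUCTED_IOC_FEED)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "suspect.exe").write_bytes(CONSTRUCTED_SAMPLE)
        (root / "readme.txt").write_bytes(b"nothing to see here")
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, label, digest in run_demo():
        print(f"MATCH {label} {digest} {path}")
```

A hash match only ever finds the exact bytes that were hashed: as itman observes for the backdoor component, a family with no captured sample has no hash to publish, and a recompiled or repacked build will not match either. Hash sweeps are therefore a quick first pass on top of behavioural detection, not a substitute for it.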
DM R (author), posted September 12, 2022: Thanks @itman @Marcos. The link is below. Yeah, wondering if ESET has familiarized its security fabric with the IOCs published by MS. https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/