Feds Indict and Treasury Sanctions Iranian Hackers for Critical Infrastructure Attacks
Hackers sent Goatse image on parent-teacher app, Dutch cops bust man for stealing tens of millions in Bitcoin, Super-thin ATM skimming devices appear in NYC, UK finance firm DDoS attacks soar, more
U.S. prosecutors accused three Iranian men allegedly linked to the country’s Islamic Revolutionary Guard Corps (IRGC) of attacking electric utilities, local governments, and others in the U.S. with ransomware. Separately, the Treasury Department imposed sanctions on the alleged hackers and others, saying the group had tried to breach U.S. and Middle Eastern defense, diplomatic, and government personnel and was responsible for an attempted breach of Boston Children’s Hospital last summer.
According to the indictment, the three men, Mansour Ahmadi, Ahmad Khatibi, and Amir Nickaein, breached the networks of a municipality in New Jersey, power companies in Mississippi and Indiana, a domestic violence shelter in Pennsylvania, and a state Bar Association, among others, since October 2020. The hackers were thwarted before they could damage the operations of critical infrastructure. Still, some victims did pay ransom to regain access to their systems.
Some hackers targeted victims in Iran, underscoring the uncontrollable nature of malicious cyber attacks. “Crimes like these will happen when nations and their governments do not adhere to widely accepted norms, like promulgating and enforcing broadly applicable laws against computer hacking and extortion,” a Justice Department official said.
The men allegedly perpetrated the breaches by creating look-alike websites to deceive victims and using bitcoin and other digital currencies to obtain ransom. In some cases, they used printers to direct employees to applications that conveyed the ransom demand.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an updated advisory, developed by several U.S. government agencies and foreign partners, that highlighted continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the IRGC. It provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. (Aruna Viswanatha and Dustin Volz / Wall Street Journal and CISA)
Related: Axios, CISA, Politico, CNN, Forbes, Treasury.gov, Motherboard, Wall Street Journal, UrduPoint, Decipher, The Block, Teiss, Decipher, The New Arab, Reuters, CBSNews.com, USATODAY, Raw Story, Al-Monitor: The Pulse of the Middle East, Fox News, TRT World, Voice of America, Teller Report, POLITICO, ISS Source, The Record, Cyberscoop, VOA News, UPI.com, Jerusalem Post, ABC News: U.S., Justice.gov, Homeland Security Today, The Record by Recorded Future, Shannon Vavra - The Daily Beast, Teller Report, Associated Press, News : NPR, NYT > Politics, Ellen Nakashima, Bloomberg, News.com.au, The Guardian, CBSNews.com, Haaretz, STL.News, State.gov, DataBreachToday.com, Meritalk, CryptoSlate, Washington Examiner, IRNA English, Bleeping Computer, USATODAY, Motherboard, Gizmodo, Raw Story, Al-Monitor, Security Week, Insider Paper, Ars Technica, Fox News, Becker's Hospital Review, Arutz Sheva News, Technology | The Hill, Bloomberg
Thomas Brewster @iblametom: NEW - US goes in hard on Iranian ransomware hackers. Sanctions and indictments of three gov contractor execs. Looks to the US like Iranian contractors are doing cybercrime as a side hustle. One victim was a domestic violence shelter, paid $13k. https://t.co/4x1Yjr0Olz
Seesaw, a messaging app for parents and teachers, was hacked, and some parents said they had received messages with an explicit photo known as Goatse, which is infamous on the internet.
School districts in Illinois, New York, Oklahoma, and Texas said that the photo was sent to parents and teachers in private chats through the app. Seesaw said the hacker or hackers didn't gain administrative access to Seesaw but instead breached individual user accounts by a credential stuffing attack. (Kevin Collier / NBC News)
Dutch police arrested a 39-year-old man in the Netherlands for allegedly stealing Bitcoin worth tens of millions of dollars.
Authorities say he laundered Bitcoin using malicious software built from the open-source Electrum wallet, a fake version of the wallet that disguised his transactions. The stolen Bitcoin was converted to Monero (XMR) and vice versa. Investigations are still ongoing, with the Dutch Police Cybercrime Team of the Central Netherlands and the Cybercrime Team of the Eastern Netherlands working together. (Cynthia Chung / Cryptoslate)
The Cybersecurity and Infrastructure Security Agency (CISA) held its fourth Cybersecurity Advisory Committee meeting, kicking off the latest round of recommendations from cyber experts for tasks the agency needs to take on, including a plan to create a ‘311’ emergency call line and clinics offering assistance to small and medium-sized businesses following cyber incidents.
Committee member Bobby Chesney, who serves as the dean of the University of Texas School of Law, is working on a collaboration between the City of Austin and the University of Texas at Austin, where students would provide cybersecurity services through a 311-like platform. (Jonathan Greig / The Record)
Researchers at ESET say that state-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector.
They attribute the variant to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group. The SideWalk Linux backdoor has been used against multiple targets in the past. Their telemetry data shows that the variant they discovered was deployed against only one victim in February 2021, a university in Hong Kong. Although SparklingGoblin is mostly attacking targets in East and Southeast Asia, the group has also been hitting organizations outside these regions, focusing on the academic sector. (Ionut Ilascu / Bleeping Computer)
Six current and former social media executives appeared at two hearings held by the Senate Homeland Security Committee, with some facing blistering attacks from lawmakers and former colleagues who alleged that their companies allow the spread of untrue, divisive, and extremist content because it is profitable.
Sen. Gary Peters (D-MI) told executives from Meta, YouTube, TikTok, and Twitter that by pushing “the most engaging posts to more users, they end up amplifying extremist, dangerous, and radicalizing content. This includes QAnon, Stop the Steal, and other conspiracy theories, as well as white supremacist and Anti-Semitic rhetoric.”
Former executives testified that the incentive of social media companies is to push content that attracts the most attention, even if it’s harmful. Current social media company executives told the senators they are doing what they can. (Suzanne Smalley / Cyberscoop)
According to researchers at Symantec, the Chinese Webworm hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operations costs.
Webworm is a cyberespionage cluster active since at least 2017 and has been previously linked to attacks on IT firms, aerospace, and electric power providers in Russia, Georgia, and Mongolia. The threat actors are testing various modified Remote Access Trojans (RATs) against IT service providers in Asia, likely to determine their effectiveness. (Bill Toulas / Bleeping Computer)
Several financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras cleverly disguised as part of the cash machine.
One skimmer is approximately 0.68 millimeters tall, leaving more than enough space to accommodate most payment cards. The skimmers do not attempt to siphon chip-card data or transactions but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans. With that data, the crooks can clone payment cards and use them to siphon money from victim accounts at other ATMs. (Brian Krebs / Krebs on Security)
Analysis by attack simulation specialist Picus Security suggests DDoS attacks made up 25 percent of the cyber incidents submitted to the UK's Financial Conduct Authority in the first half of 2022, compared to just four percent in 2021.
The data, obtained from the FCA under a freedom of information request, show the rise also coincides with a reported increase in DDoS-for-hire websites and in ransomware operators using DDoS to pressure and extort money from targets. Picus believes the primary reason for the significant increase in DDoS attacks is that UK finance firms are being targeted by nation-state attackers and hacktivists during the ongoing Russia-Ukraine conflict. (Ian Barker / Beta News)
Security operations center (SOC) infrastructure developer Cyrebro raised $40 million in a Series C venture funding round.
Koch Disruptive Technologies (KDT) led the round alongside new investor Elaia. Existing investors Mangrove Capital Partners, Prytek, Bank Mizrahi, and InCapital Group also participated in the round. (Ingrid Lunden / TechCrunch)
Secure web gateway provider Dope Security has launched from stealth with $4 million in a seed funding round.
Boldstart Ventures led the funding. (Carly Page / TechCrunch)
Financial services security firm Drawbridge announced it received a strategic growth investment from Francisco Partners, although the investment amount was unspecified.
The four-year-old cybersecurity firm has worked with more than 750 clients, primarily in private equity, hedge funds, venture capital, family financial offices, and asset managers. (Karen Hoffman / SC Magazine)