Feb 24 2022

Iranian Broadcaster IRIB hit by wiper malware

Category: Ransomware
DISC @ 9:20 am

Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January revealed the involvement of a disruptive wiper malware along with custom-made backdoors, as well as the scripts and configuration files used to install and configure the malicious executables.

Researchers from Check Point who investigated the attack reported that the attackers used a wiper malware to disrupt the state’s broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence of a previous use of these tools, or to attribute them to a specific threat actor.

During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with an image of Ayatollah Khamenei crossed out with red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!”

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.

The malware also has the ability to clear Windows Event Logs, delete backups, kill processes, and change users’ passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.

Iranian officials attribute the attack to the MEK; however, the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.” the researchers conclude.


Tags: Iran, Ransomware Protection Playbook, wiper malware

Jan 06 2011

The Basics of Stuxnet Worm and How it infects PLCs

Category: Malware
DISC @ 1:01 pm

Considered to be the most intricately designed piece of malware ever, Stuxnet directs its attack vectors at industrial control systems, a territory rarely ventured into by traditional malware. Stuxnet targets industries, power plants and other facilities that use automation and control equipment from the leading German industrial vendor, Siemens. The term critical infrastructure refers to industrial systems that are essential for the functioning and safety of our societies. Considering the profound dependence of critical infrastructure on industrial control and automation equipment, it is essential to reassess the impact of this new generation of malware on the stability and security of our society.


Tags: Business, Control system, Critical infrastructure, Industrial control systems, Iran, Malware, Siemens, Symantec

Nov 22 2010

Stuxnet virus could target many industries

Category: Malware
DISC @ 1:25 pm

By LOLITA C. BALDOR, Associated Press

A malicious computer attack that appears to target Iran’s nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday.

They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer.

The complex code is not only able to infiltrate and take over systems that control manufacturing and other critical operations, but it has even more sophisticated abilities to silently steal sensitive intellectual property data, experts said.

Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the “real-world implications of Stuxnet are beyond any threat we have seen in the past.”

Analysts and government officials told the senators they remain unable to determine who launched the attack. But the design and performance of the code, and that the bulk of the attacks were in Iran, have fueled speculation that it targeted Iranian nuclear facilities.

Turner said there were 44,000 unique Stuxnet computer infections worldwide through last week, and 1,600 in the United States. Sixty percent of the infections were in Iran, including several employees’ laptops at the Bushehr nuclear plant.

Iran has said it believes Stuxnet is part of a Western plot to sabotage its nuclear program, but experts see few signs of major damage at Iranian facilities.

A senior government official warned Wednesday that attackers can use information made public about the Stuxnet worm to develop variations targeting other industries, affecting the production of everything from chemicals to baby formula.

“This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected,” said Sean McGurk, acting director of Homeland Security’s national cybersecurity operations center.

Stuxnet specifically targets businesses that use Windows operating software and a control system designed by Siemens AG. That combination, said McGurk, is used in many critical sectors, from automobile assembly to mixing products such as chemicals.

Turner added that the code’s highly sophisticated structure and techniques also could mean that it is a one-in-a-decade occurrence. The virus is so complex and costly to develop “that a select few attackers would be capable of producing a similar threat,” he said.

Experts said governments and industries can do much more to protect critical systems.

Michael Assante, who heads the newly created, not-for-profit National Board of Information Security Examiners, told lawmakers that control systems need to be walled off from other networks to make it harder for hackers to access them. And he encouraged senators to beef up government authorities and consider placing performance requirements and other standards on the industry to curtail unsafe practices and make systems more secure.

“We can no longer ignore known system weaknesses and simply accept current system limitations,” he said. “We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address” cybersecurity challenges.

The panel chairman, Sen. Joe Lieberman, I-Conn., said legislation on the matter will be a top priority after lawmakers return in January.

Tags: anti virus, Associated Press, Dean Turner, Industrial control systems, Iran, Joe Lieberman, Siemens, United States

Oct 01 2010

Stuxnet, world’s first “cyber superweapon,” attacks China

Category: Cybercrime
DISC @ 2:01 pm

Stuxnet, the most sophisticated malware ever designed, could make factory boilers explode, destroy gas pipelines, or even cause a nuclear plant to malfunction; experts suspect it was designed by Israeli intelligence programmers to disrupt the operations of Iran’s nuclear facilities, especially that country’s centrifuge farms and the nuclear reactor in Bushehr; it has now infected Chinese industrial control systems as well; one security expert says: “The Stuxnet worm is a wake-up call to governments around the world. It is the first known worm to target industrial control systems.”

To read the remaining article …..

Tags: Bushehr, Business, Computer worm, Control system, Iran, Israel, Malware, Nuclear

Oct 19 2009

Hacks hit embassy, government e-mail accounts worldwide

Category: Cybercrime
DISC @ 1:46 pm

By Daniel Goldberg and Linus Larsson
Computer Sweden
August 30, 2007

Usernames and passwords for more than 100 e-mail accounts at embassies and governments worldwide have been posted online. Using the information, anyone can access the accounts that have been compromised.

Computer Sweden has verified the posted information and spoken to the person who posted them. The posted information includes names of the embassies and governments, addresses to e-mail servers, usernames and passwords. Among the organizations on the list are the foreign ministry of Iran, the Kazakh and Indian embassies in the U.S. and the Russian embassy in Sweden.

Freelance security consultant Dan Egerstad posted the information. He spoke openly about the leak when Computer Sweden contacted him.

“I did an experiment and came across the information by accident,” he

Egerstad says he never used the information to log in to any of the compromised accounts in order not to break any laws.

Computer Sweden confirmed that the login details for at least one of the accounts are correct. Egerstad forwarded an e-mail sent on Aug. 20 by an employee at the Swedish royal court to the Russian embassy. The person who sent the e-mail, in which she declines an invitation to the Russian embassy, has confirmed that she sent the e-mail.

“Yes, that is right. We did decline the invitation. As far as I can remember I did send the e-mail,” she said.

Computer Sweden has not been able to confirm the authenticity of any of the other information that has been posted.

“When something like this happens you usually contact people and ask them to fix it. But in this case it felt too big for that, calling to other countries,” Egerstad said.

Of the compromised accounts, 10 belong to the Kazakh embassy in Russia.

Around 40 belong to Uzbek embassies and consulates around the world.

Login details for e-mail accounts at the U.K. visa office in Nepal were also posted. Login details for the foreign ministry of Iran, the Kazakh and Indian embassies in the U.S. and the Russian embassy in Sweden were also posted.

“I hope this makes them take action. Hopefully, faster than ever before, and I hope they become a bit more aware of security issues,” Dan Egerstad says.

Computer Sweden has contacted both the Russian and Indian embassies in Stockholm for comment. The Russian embassy confirmed the leaks and says that logins have now been changed. The Indian embassy declined to confirm the information and give comment.

Computer Sweden has not published where the login details can be found. The information in this story has been verified by Computer Sweden without using any of the published login details.

Computer Sweden is an InfoWorld affiliate.


Tags: government hack, government security breach, hack attack, Iran, Nepal, Russia, Security Breach, Stockholm, Sweden