CYFIRMA: Cybersecurity Dossier - Sept. 30, 2024
Latest Cyberattacks, Incidents and Breaches

Threat Actor in Focus - UNC1860 and the Temple of Oats: Unveiling Iran’s Covert Influence in Middle Eastern Cyber Operations

UNC1860 is a persistent Iranian state-sponsored threat actor linked to Iran's Ministry of Intelligence and Security (MOIS). It is characterized by sophisticated tooling and passive backdoors that provide initial access and persistent footholds in high-priority networks, particularly in Middle Eastern government and telecommunications sectors. Its operational overlaps with other Iranian groups, such as Shrouded Snooper and APT34, suggest a collaborative approach to cyber operations, including supplying initial access for destructive attacks. Notably, UNC1860 uses advanced techniques, such as a Windows kernel driver repurposed from legitimate software, to evade detection and maintain long-term access. Its arsenal includes GUI-operated malware controllers such as TEMPLEPLAY and VIROGREEN, which give third-party operators remote access and control over compromised hosts. READ MORE


THE CHANGING CYBER THREAT LANDSCAPE ASIA-PACIFIC (APAC) REGION – Volume

The Asia Pacific (APAC) Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Asia Pacific has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report aims to provide key insights into the current state of cyber threats and emerging trends. READ MORE


IRAN STEPS UP EFFORTS IN U.S. ELECTION MEDDLING

Three U.S. agencies, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA), warned in a recent joint statement that Iranian state actors have stepped up their efforts to interfere in this year’s election by spreading disinformation and launching cyberattacks. “We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving operations targeting the American public, and cyber operations targeting Presidential campaigns. This includes the recently reported activities to compromise former President Trump’s campaign, which the IC (Intelligence Community) attributes to Iran. The IC is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties. Such activity, including thefts and disclosures, are intended to influence the U.S. election process.” READ MORE


CVE-2024-38856 – Pre-authentication Remote Code Execution (RCE) – Vulnerability Analysis and Exploitation

CVE-2024-38856 is a critical incorrect-authorization vulnerability in Apache OFBiz, affecting versions up to 18.12.14. It allows unauthenticated users to bypass security restrictions and execute screen rendering code by sending specially crafted requests to endpoints that do not require authentication. The vulnerability poses a significant risk because OFBiz is widely deployed in self-hosted environments across many industries. Users are urged to upgrade to version 18.12.15, which addresses the issue, and to implement additional security measures to prevent exploitation. The CYFIRMA research team has evaluated CVE-2024-38856, a vulnerability that has raised significant concern in the cybersecurity community due to its critical impact on organizations globally: the flaw affects multiple versions of Apache OFBiz and lets a threat actor bypass security restrictions to achieve remote code execution (RCE). READ MORE


Ransomware of the Week

The CYFIRMA Research and Advisory Team found Foxtrot ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers have identified it as a new ransomware variant. Foxtrot encrypts files, appends the ".foxtrot70" extension to the filenames, and drops a ransom note titled "How_to_back_files.html." Further analysis revealed that Foxtrot is part of the MedusaLocker ransomware family. The ransom note makes clear that this variant targets companies rather than individuals. It states that all important files have been encrypted using a combination of RSA and AES, claims that the files are intact but can only be restored by the attackers, and warns that attempts to recover them with third-party software will permanently corrupt them. READ MORE
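As an added defensive example (not part of the original dossier), the following code runs two detections over a constructed sample of file-system audit events: a known-bad match on the Foxtrot indicators named above (the ".foxtrot70" extension and the "How_to_back_files.html" note), and a behavioural rule that goes beyond this variant by flagging any burst of files gaining the same new suffix, which is what mass encryption looks like regardless of extension. The event format, paths and timestamps are assumptions made up for the example.

```python
import os
import re
from collections import defaultdict

# Indicators reported for the Foxtrot variant (MedusaLocker family).
FOXTROT_EXTENSION = ".foxtrot70"
FOXTROT_NOTE = "How_to_back_files.html"

# Constructed sample audit events (not real telemetry): "<epoch> <action> <path>[ -> <new path>]"
SAMPLE_EVENTS = """\
1727654400 RENAME C:/Shares/Finance/q3.xlsx -> C:/Shares/Finance/q3.xlsx.foxtrot70
1727654401 RENAME C:/Shares/Finance/budget.docx -> C:/Shares/Finance/budget.docx.foxtrot70
1727654402 CREATE C:/Shares/Finance/How_to_back_files.html
1727654403 RENAME C:/Shares/HR/payroll.csv -> C:/Shares/HR/payroll.csv.foxtrot70
1727660001 RENAME C:/Users/alice/draft.txt -> C:/Users/alice/final.txt
"""
EVENT_RE = re.compile(r"^(\d+) (\w+) (.+?)(?: -> (.+))?$")

def parse_events(text):
    """Yield (timestamp, action, path, new_path); new_path is None unless the event is a RENAME."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_foxtrot_indicators(text):
    """Known-bad match: files renamed to the Foxtrot extension and dropped ransom notes."""
    hits = {"encrypted": [], "notes": []}
    for _, _, path, new_path in parse_events(text):
        target = new_path or path
        if target.endswith(FOXTROT_EXTENSION):
            hits["encrypted"].append(target)
        if os.path.basename(target) == FOXTROT_NOTE:
            hits["notes"].append(target)
    # Directories touched by either indicator are the ones to isolate and restore from backup.
    hits["affected_dirs"] = {os.path.dirname(p) for p in hits["encrypted"] + hits["notes"]}
    return hits

def rename_bursts(text, window=60, threshold=3):
    """Behavioural rule independent of any known extension: `threshold` or more files gain
    the same new suffix within `window` seconds. Returns {suffix: total renames seen}."""
    by_ext = defaultdict(list)
    for ts, action, path, new_path in parse_events(text):
        if action == "RENAME" and new_path and new_path.startswith(path + "."):
            by_ext[new_path[len(path):]].append(ts)
    bursts = {}
    for ext, times in sorted(by_ext.items()):
        times.sort()
        if any(times[i] - times[i - threshold + 1] <= window for i in range(threshold - 1, len(times))):
            bursts[ext] = len(times)
    return bursts
```

The ordinary rename of draft.txt to final.txt is deliberately included and is not flagged by either rule, since it neither matches the indicators nor adds a suffix to the original name.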


Trending Malware of the Week

This week “SambaSpy” is trending. Researchers identified SambaSpy as a sophisticated Remote Access Trojan (RAT) notable for its targeted approach: it primarily focuses on victims in Italy while also reaching into Spain and Brazil. The malware blends malicious activity with legitimate-looking communications to evade detection. SambaSpy offers a wide range of functionality, including keystroke logging, credential theft from major browsers, and remote-control capabilities. As cybercriminals continue to refine their tactics, SambaSpy exemplifies the growing trend of region-specific threats and underlines the need for organizations to tailor their cybersecurity strategies to this evolving landscape. READ MORE


CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view to help clients prepare for impending attacks.


Visit www.cyfirma.com

Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.
