Security researchers at Check Point have unravelled a six-year, ongoing surveillance operation apparently run by Iran-based threat actors against regime dissidents. Going back as far as 2014, the attackers used multiple attack vectors to spy on their victims, including hijacking victims’ Telegram accounts, extracting two-factor authentication codes from SMS messages, recording a phone's audio surroundings, accessing KeePass password manager account information, and distributing malicious Telegram phishing pages using fake accounts. Malware-laced documents The victims appear to have been hand-picked from anti-regime organisations and resistance movements such as Mujahedin-e Khalq, the Azerbaijan National Resistance Organisation, which advocate the liberation of Iranian people and minorities within Iran, and Balochistan citizens. The attackers used malware-laced documents to lure victims into infecting their devices. The core functionality of the malware is to steal as much information as it can from the target device. The payload targets two main applications: Telegram Desktop and KeePass, the famous password storage manager. The main features of the malware include: Information Stealer Uploads relevant Telegram files from victim's computer. These files allow the attackers to make full usage of the victim's Telegram account Steals information from KeePass application Uploads any file it could find which ends with pre-defined extensions Logs clipboard data and takes desktop screenshots Unique Persistence Implements a persistence mechanism based on Telegram’s internal update procedure Two-factor authentication During their investigation, Check Point researchers also uncovered a malicious Android application tied to the same threat actors. The application masquerades as a service to help Persian speakers in Sweden get their driver's license. This Android backdoor contains the following features: Steals existing SMS messages Forwards two-factor authentication SMS messages to a phone number provided by the attacker-controlled C&C server Retrieves personal information like contacts and accounts details Initiates a voice recording of the phone's surroundings Performs Google account phishing Retrieves device information such as installed applications and running processes Setting up an account Some of the websites related to the malicious activity also hosted phishing pages impersonating Telegram. Surprisingly, several Iranian Telegram channels issued warnings against the phishing websites, claiming that the Iranian regime is behind them. According to the channels, the phishing messages were sent by a Telegram bot. Some of the websites related to the malicious activity also hosted phishing pages impersonating Telegram The messages warned their recipient that they were making an improper use of Telegram's services, and that their account will be blocked if they do not enter the phishing link. Another Telegram channel provided screenshots of the phishing attempt showing that the attackers set up an account impersonating the official Telegram one. At first, the attackers sent a message about the features in a new Telegram update to appear legitimate. The phishing message was sent only five days later, and pointed to a malicious domain. Cyber-security expert A removed blog entry from 2018 accused a cyber-security expert of plagiarism, when he was interviewed by AlArabiya news to discuss Iranian cyber-attacks. Researchers believe this page was created as part of a targeted attack against this person or his associates. The blog included a link to download a password-protected archive containing evidence of the plagiarism from `endupload[.]com`. It appears that `endupload[.]com` has been controlled by the attackers for years, as some of the malicious samples related to this attack dating to 2014 communicated with this website. Monitoring different geographies Lotem Finkelsteen, Manager of Threat Intelligence at Check Point said: “After conducting our research, several things stood out. First, there is a striking focus on instant messaging surveillance. Although Telegram is un-decryptable, it is clearly hijackable. Instant messaging surveillance, especially on Telegram, is something everyone should be cautious and aware of.” “Second, the mobile, PC and web phishing attacks were all connected to the same operation. These operations are managed according to intelligence and national interests, as opposed to technological challenges. We will continue to monitor different geographies across the world to better inform the public around cyber security.”
Researchers at Check Point have identified a growing trend for a new ransom-ware tactic. In what researchers call “double extortion,” the new tactic involves threat actors adding an additional stage to a ransom-ware attack: prior to encrypting a victim’s database, hackers will extract large quantities of sensitive information, threatening the publication of it unless ransom demands are paid, placing more pressure on victims to meet the demands of threat actors. To prove the validity of the threat, threat actors leak a small portion of sensitive information to the dark web, dangling intimidation that more is to follow if ransom goes unpaid. The “Double Extortion” Process Threat actor gains entry into a victim’s network Threat actor extracts sensitive data, such as customer details, financial and employee details, patient records, and more Threat actor encrypts the files and demands ransom from victim Threat actor threatens leak of gathered sensitive data To prove validity of threat, threat actor leaks small portion of extracted information to dark web The first published case of double extortion took place in November 2019 and involved Allied Universal, a large American security staffing company. When the victims refused to pay a ransom of 300 Bitcoins (approximately US$2.3 million), attackers, who used ‘Maze’ ransom-ware, threatened to use sensitive information extracted from Allied Universal’s systems, as well as stolen email and domain name certificates, for a spam campaign impersonating Allied Universal. Countering ransom-ware, malware threats It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded To prove their point, the attackers published a sample of the stolen files including contracts, medical records, encryption certificates and more. In a later post on a Russian hacking forum, the attackers included a link to what they claimed to be 10% of the stolen information as well as a new ransom demand that was 50% higher. Maze has since published the details of dozens of companies, law firms, medical service providers and insurance companies who have not given in to their demands. It is estimated that many other companies avoided publication of their sensitive data by paying the ransom demanded. Other cybercriminal groups have followed the new double extortion tactic, opening their own sites to publish and leak stolen information as a means to apply additional pressure on their victims to pay ransom. Attackers utilising Sodinokibi ransom-ware (aka REvil) published details of their attacks on 13 targets, as well as proprietary company information stolen from the targeted organisations. The National Eating Disorders Association was the last in the list of victim organisations. Data security Additional attacks that have joined the trend include Clop ransom-ware, Nemty, DopplelPaymer and more. Information published on these sites was soon found to be offered for sale by the ransom-ware group itself or by other criminals who collected the data from the dumpsites. “Double Extortion is a clear and growing ransom-ware attack trend. We saw a lot of this during Q1 2020. With this tactic, threat actors corner their victims even further by dripping sensitive information into the darkest places in the web to add weight to their ransom demands,” said Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen. Importance of cyber security He adds, “We’re especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransom-ware attack would be very difficult. We’re issuing a caution to hospitals and large organisation, urging them to back up their data and educate their staff about the risks of malware-spiked emails.” Ransom-ware attacks have affected more than 1,000 health care organisations in the US alone since 2016 Ransom-ware attacks have affected more than 1,000 health care organisations in the United States alone since 2016, with costs totaling more than US$ 157 million, according to a recent analysis. In 2017, dozens of British hospitals and surgeries were affected by ransom-ware known as WannaCry, which resulted in thousands of canceled appointments and the closing of some accident and emergency departments. In 2019, several U.S. hospitals had to turn away patients after another spate of ransom-ware attacks. Enhancing healthcare and enterprise security In the ongoing fight against constantly-evolving ransom-ware tactics, the best defence is to prevent becoming a victim in the first place. Check Point has previously detailed its best practices to help you avoid being a ransom-ware victim, but to recap: Back Up Your Data and Files - It’s vital that you consistently back up your important files, preferably using air-gapped storage. Enable automatic backups, if possible, for your employees, so you don’t have to rely on them to remember to execute regular backups on their own. Educate Employees to Recognise Potential Threats - The most common infection methods used in ransom-ware campaigns are still spam and phishing emails. Often, user awareness can prevent an attack before it occurs. Take the time to educate your users, and ensure that if they see something unusual, they report it to security teams immediately. Limit Access to Those That Need It - To minimise the potential impact of a successful ransom-ware attack against your organisation, ensure that users only have access to the information and resources required to execute their jobs. Taking this step significantly reduces the possibility of a ransom-ware attack moving laterally throughout your network. Addressing a ransom-ware attack on one user system may be a hassle, but the implications of a network-wide attack are dramatically greater. Keep Signature-Based Protections Up-To-Date - While signature-based protections alone are not sufficient to detect and prevent sophisticated ransom-ware attacks designed to evade traditional protections, they are an important component of a comprehensive security posture. Up-to-date antivirus protections can safeguard your organisation against known malware that has been seen before and has an existing and recognised signature. Implement Multi-Layered Security, Including Advanced Threat Prevention Technologies - In addition to traditional, signature-based protections like antivirus and IPS, organisations need to incorporate additional layers to prevent against new, unknown malware that has no known signature. Two key components to consider are threat extraction (file sanitisation) and threat emulation (advanced sandboxing). Each element provides distinct protection, that when used together, offer a comprehensive solution for protection against unknown malware at the network level and directly on endpoint devices.