Iran-based cyber criminals likely behind the "unprecedented" global hacking campaign - FireEye
According to the US cybersecurity firm FireEye, Iran-based cyber criminals were likely behind the sophisticated, "unprecedented" global hacking campaign targeting companies across North Africa, the Middle East, North America and Europe. FireEye researchers identified a wave of DNS hijacking affecting several domains belonging to telecommunications, government and internet infrastructure organisations.
"While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran," as said by FireEye in one blog submitted on January 10, 2019. In that blog post, researchers wrote that "preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests".
The campaign targeted victims worldwide on an almost unprecedented scale and with a high success rate. FireEye teams tracked the activity for several months, mapping and understanding the novel TTPs (Tactics, Techniques and Procedures) deployed by the attacker. Wherever possible, they also worked closely with the victims, security organisations and law enforcement agencies to reduce the impact of these attacks and prevent further compromises.
The researchers explained that "while this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale. The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways".
This pattern of Domain Name System (DNS) record manipulation and fraudulent Secure Sockets Layer (SSL) certificates has affected many organisations. FireEye said those affected include internet infrastructure providers, telecoms and ISPs, government bodies and sensitive commercial companies.
This kind of attack is hard to defend against: because traffic redirected by a hijacked DNS record can be intercepted before it ever reaches the organisation, valuable information can be stolen even when the attacker cannot directly access the organisation's network. The researchers recommended implementing multi-factor authentication on the domain's administration portal. They further advised organisations to "search for the SSL certificates related to your domain and revoke any malicious certificates, and conduct an internal investigation to assess if attackers gained access to your environment".
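The two defensive checks the article points to, watching for DNS records that drift from a known-good baseline and finding certificates issued for your domains by a CA you did not authorise, can be automated. The script below is an added illustration written for this article, not FireEye's tooling or anything from the original report; the domain names, IP addresses, serial numbers and issuer strings are constructed placeholders (example.org and the 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation), and in a real deployment the observed snapshot would come from periodic resolver queries and the certificate list from a certificate transparency log search.

```python
"""Defender-side checks for the two signals described in the article:
DNS records that no longer match a known-good baseline, and TLS/SSL
certificates for your domains issued by a CA you did not authorise.

Added illustration, not FireEye's tooling. All names, addresses, serial
numbers and issuer strings below are constructed placeholders.
"""

# Known-good baseline: (owner name, record type) -> set of expected values.
# In practice this comes from your registrar / DNS provider change log.
BASELINE = {
    ("example.org", "A"): {"203.0.113.10"},
    ("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("mail.example.org", "A"): {"203.0.113.25"},
    ("example.org", "MX"): {"10 mail.example.org."},
}

# Constructed snapshot of what a resolver returned during a periodic check.
# The A record for mail.example.org now points outside the organisation's
# address range, the same symptom a DNS hijack produces.
OBSERVED = {
    ("example.org", "A"): {"203.0.113.10"},
    ("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("mail.example.org", "A"): {"198.51.100.77"},
    ("example.org", "MX"): {"10 mail.example.org."},
}

# Constructed certificate-transparency-style entries mentioning the domain.
SAMPLE_CT_ENTRIES = [
    {"serial": "01", "issuer": "Example Trusted CA",
     "sans": ["example.org", "www.example.org"]},
    {"serial": "02", "issuer": "Unrecognised CA (constructed)",
     "sans": ["mail.example.org"]},
    {"serial": "03", "issuer": "Example Trusted CA",
     "sans": ["unrelated.test"]},
]

AUTHORISED_ISSUERS = {"Example Trusted CA"}
OWNED_DOMAINS = {"example.org"}


def diff_records(baseline, observed):
    """Return one finding per (name, type) whose observed values differ
    from the baseline. Keys missing on either side count as a difference,
    so a deleted or newly added record is reported as well."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        if expected != seen:
            findings.append({
                "name": key[0],
                "type": key[1],
                "expected": sorted(expected),
                "observed": sorted(seen),
            })
    return findings


def covers_owned_domain(san, owned_domains):
    """True if a SAN is one of our domains, a subdomain, or a wildcard of one."""
    for domain in owned_domains:
        if san == domain or san.endswith("." + domain):
            return True
    return False


def unexpected_certificates(ct_entries, authorised_issuers, owned_domains):
    """Flag certificates that cover one of our domains but were issued by a
    CA not on the authorised list: candidates for the revocation step the
    article recommends."""
    return [
        entry for entry in ct_entries
        if any(covers_owned_domain(san, owned_domains) for san in entry["sans"])
        and entry["issuer"] not in authorised_issuers
    ]


def run_checks(baseline=BASELINE, observed=OBSERVED, ct_entries=SAMPLE_CT_ENTRIES):
    """Combine both checks into one report for a scheduled monitoring job."""
    return {
        "dns_findings": diff_records(baseline, observed),
        "suspicious_certificates": unexpected_certificates(
            ct_entries, AUTHORISED_ISSUERS, OWNED_DOMAINS),
    }


if __name__ == "__main__":
    report = run_checks()
    for f in report["dns_findings"]:
        print(f"DNS drift: {f['name']} {f['type']} expected {f['expected']} "
              f"observed {f['observed']}")
    for c in report["suspicious_certificates"]:
        print(f"Unexpected certificate serial {c['serial']} from {c['issuer']} "
              f"for {c['sans']}")
```

Run on the constructed data, the script reports the changed A record for mail.example.org and flags certificate serial 02, the one issued for that name by a CA outside the allowlist; the certificate for unrelated.test is ignored because it does not cover an owned domain. Both checks are deliberately baseline-driven rather than heuristic, since a hijacked record can look entirely valid on its own and only stands out against what the organisation itself published.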
» SPAMfighter News - 1/29/2019