According to Microsoft, the Iranian hacking group 'Mint Sandstorm' is targeting US critical infrastructure in retaliation for recent attacks on Iran's infrastructure. Mint Sandstorm is the new name for the hacker group formerly tracked as Phosphorus; it is believed to be linked with the Islamic Revolutionary Guard Corps (IRGC) and to work for the Iranian government. Microsoft's Threat Intelligence team explains that a Mint Sandstorm subgroup switched in 2022 from surveillance to direct attacks on US infrastructure.

According to the Microsoft report, the attacks on US critical infrastructure are retaliation for attacks on Iran's infrastructure that the country attributes to the US and Israel, notably the attack on Iran's railway system in June 2021 and the outage of Iranian gas stations caused by a cyberattack in October 2021.

As per the researchers, the new Mint Sandstorm subgroup uses a combination of N-day exploits, proof-of-concept exploits, and phishing attacks to gain access to high-value networks. The subgroup also exploits older vulnerabilities such as Log4Shell to breach unpatched devices. Once inside a network, the hackers used custom PowerShell scripts and the Impacket framework to move laterally and then followed one of two attack chains. The first attack chain involved stealing the target's Windows Active Directory database to obtain users' credentials; the second deployed custom backdoor malware called Drokbk and Soldier to maintain persistence on the compromised network and deploy additional payloads.

In addition, Mint Sandstorm conducted low-volume phishing attacks with links to OneDrive accounts hosting PDFs spoofed to contain information on Middle East security or policy. These spoofed PDFs in turn link to a malicious Word template that uses template injection to execute a payload on the device, after which the attackers used the CharmPower PowerShell post-exploitation framework for persistence and for executing further commands.