THE IRANIAN CYBER EVOLUTION: RATS, BACKDOORS, AND DROPPERS

Wapack Labs has been monitoring Iranian cyber activity for several years, specifically the evolving OilRig and Greenbug campaigns. Their adoption of an operational paradigm that combines hacktivism and cyber espionage resembles the patterns employed by Chinese APT groups, whereby different groups run different campaigns and multiple teams conduct separate phases of a single campaign. With President Trump’s refusal to re-certify Iran’s compliance with the 2015 Iran nuclear agreement, Wapack analysts are researching the continued efforts of Iranian-backed cyber threats in order to detect and defend against their next moves.

One common attribute is that they all engage in prolonged reconnaissance campaigns against their targets, at times lasting over a year. Greenbug, a cyber-espionage group with suspected Iranian ties, has been dynamically progressing in such campaigns. In August 2017, a Greenbug tool dubbed ISMAgent (an ISMDoor variant) resurfaced in the wild to harvest account credentials. Wapack Labs discovered evidence of ISMDoor variants relying on VB:Trojan.Valyria (possibly Clayside) for delivery, linking Greenbug to another group of Iranian actors known as OilRig. Wapack Labs assesses with moderate confidence that recent activity involving ISMDoor is an indicator that another cyber campaign cycle is ramping up.

Wapack Labs has cataloged and reported on Iranian cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


WWW.WAPACKLABS.COM

Pamela Bierau
MELTDOWN AND SPECTRE EXPLOITATION REPORTING

TLP AMBER ANNOUNCEMENT: 

On 2 January 2018, the British newspaper The Register published an article describing a design flaw present in all of Intel’s modern processors. The bug is a possible vulnerability in the kernel page table isolation feature. The issue concerns how the microarchitecture performs speculative memory references and how an attacker may exploit them to bypass kernel address space layout randomization. This report provides situational awareness for our members. Watch for updates as major technology companies such as Apple, Amazon, Google, Microsoft, and VMware respond. Intel has already responded, stating that the allegations concerning these exploits are false and that any exploit is not unique to its chip design.

Wapack Labs has cataloged and reported on vulnerability exploitation in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  


This TLP AMBER report is available only to Red Sky Alliance members.

Pamela Bierau