
An Iranian state-sponsored threat group has been linked to a long-running cyber intrusion targeting critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
The activity, which lasted from at least May 2023 to February 2025, involved "extensive espionage operations and suspected network prepositioning, a tactic often used to maintain persistent access for future strategic advantage."
The network security company noted that the attack displays tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757.
The group is assessed to have been active since at least 2017, targeting the aerospace, oil and gas, water, and electricity sectors across the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has exploited known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks products to gain initial access.
Last year, U.S. cybersecurity and intelligence agencies pointed fingers at Lemon Sandstorm for deploying ransomware against entities in the U.S., Israel, Azerbaijan, and the United Arab Emirates.

The attack analyzed by Fortinet against the CNI entity unfolded in four stages starting in May 2023, with the toolset evolving as the victim enacted countermeasures:
May 15, 2023 – April 29, 2024: Gain a foothold by using stolen login credentials to access the victim's SSL VPN, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access.
April 30, 2024 onward (the end date of this stage is garbled in the source): Plant a new backdoor called NeoExpressRAT, use tools like Plink and Ngrok to burrow deeper into the network, perform targeted exfiltration of the victim's email, and move laterally into the virtualization infrastructure.
November 23, 2024 – December 13, 2024: (the description of this stage is missing from the source)
December 14, 2024 – present: Attempt to re-enter the network by exploiting known Biotime vulnerabilities (CVE-2023-38951 and CVE-2023-38952) and by spear-phishing the victim's users for Microsoft 365 credentials, after the victim had cut off the earlier access.
It is worth noting that Havoc and MeshCentral are open-source tools that function as a command-and-control (C2) framework and as remote monitoring and management (RMM) software, respectively. SystemBC, on the other hand, is commodity malware that often serves as a precursor to ransomware deployment.

Here's a brief description of the custom malware families used in the attack:
HanifNet – Unsigned .NET executable that can retrieve and execute commands from a C2 server (first deployed in August 2023)
HXLibrary – Malicious IIS module that fetches three identical text files hosted on Google Docs to obtain its C2 server and then sends web requests to it (deployment date missing from the source)
(name missing from the source) – Component that operates on Windows Local Security Authority Subsystem Service (LSASS) process memory (first deployed in November 2023)
Remote Injector – Loader component used to run next-stage payloads such as Havoc (first deployed in April 2024)
(name missing from the source) – Web shell used for initial reconnaissance (first deployed in April 2024)
(name missing from the source) – Component that uses Discord for follow-on communications (first deployed in August 2024)
DropShell – Web shell with basic file upload functionality (first deployed in November 2024)
DarkLoadLibrary – Open-source loader used to launch SystemBC (first deployed in December 2024)
The link to Lemon Sandstorm comes from the C2 infrastructure, apps.gist.githubapp[.]net and gupdate[.]net, which was previously flagged as associated with the threat actor's operations during the same period.
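As an added illustration, not part of Fortinet's report or the article, the two behaviours above that are most tractable to hunt for in endpoint telemetry: an IIS worker process (w3wp.exe) repeatedly fetching from Google Docs, as HXLibrary does to locate its C2 server, and the launch of tunnelling tools such as Plink or Ngrok. The telemetry records, the field layout and the hit threshold are constructed assumptions, not data from the incident.

```python
"""Hunting heuristics for HXLibrary-style C2 lookup and tunnelling-tool launches."""
from collections import defaultdict

# Constructed sample telemetry: (timestamp, host, process, event_type, detail).
# "netconn" detail is the destination; "proc_create" detail is the command line.
EVENTS = [
    ("2024-04-30T08:01:00Z", "web01", "w3wp.exe", "netconn", "docs.google.com:443"),
    ("2024-04-30T08:01:05Z", "web01", "w3wp.exe", "netconn", "docs.google.com:443"),
    ("2024-04-30T08:01:10Z", "web01", "w3wp.exe", "netconn", "docs.google.com:443"),
    ("2024-04-30T08:02:00Z", "web01", "chrome.exe", "netconn", "docs.google.com:443"),
    ("2024-04-30T08:03:00Z", "web02", "w3wp.exe", "netconn", "docs.google.com:443"),
    ("2024-05-02T21:14:00Z", "srv03", "cmd.exe", "proc_create", "plink.exe -N"),
    ("2024-05-02T21:20:00Z", "srv03", "cmd.exe", "proc_create", "ngrok.exe tcp 3389"),
    ("2024-05-03T09:00:00Z", "srv03", "explorer.exe", "proc_create", "notepad.exe"),
]

IIS_WORKER = "w3wp.exe"          # IIS worker process that hosts loaded modules
DOC_HOST = "docs.google.com"     # HXLibrary retrieves its C2 address from Google Docs
TUNNELERS = ("plink", "ngrok")   # tunnelling tools named in the report


def iis_doc_fetches(events, min_hits=3):
    """Return hosts whose IIS worker contacted Google Docs at least min_hits times.

    A browser reaching Google Docs is normal; an IIS worker doing so repeatedly
    (HXLibrary fetches three identical files) is the anomaly worth triaging.
    """
    counts = defaultdict(int)
    for _, host, proc, event_type, detail in events:
        if (event_type == "netconn" and proc.lower() == IIS_WORKER
                and detail.lower().startswith(DOC_HOST)):
            counts[host] += 1
    return sorted(host for host, n in counts.items() if n >= min_hits)


def tunnel_launches(events):
    """Return (host, binary) pairs where a known tunnelling binary was started."""
    hits = []
    for _, host, _, event_type, detail in events:
        if event_type != "proc_create":
            continue
        binary = detail.split()[0].lower()
        if any(binary.startswith(name) for name in TUNNELERS):
            hits.append((host, binary))
    return hits


if __name__ == "__main__":
    print("IIS workers fetching from Google Docs:", iis_doc_fetches(EVENTS))
    print("Tunnelling tool launches:", tunnel_launches(EVENTS))
```

Both checks are deliberately narrow: in production they would key on the real process-creation and network-connection event sources and be tuned against the environment's baseline before alerting.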

Fortinet said the victim's restricted operational technology (OT) network was a key target of the attack, based on the threat actors' extensive reconnaissance and their breach of the network segment hosting OT-adjacent systems. However, there is no evidence that the adversary penetrated the OT network.
The majority of the malicious activity is assessed to be hands-on-keyboard operations carried out by different individuals, given the command errors and consistent work schedules. Furthermore, a deeper investigation into the incident revealed that the threat actors may have had access to the network as early as May 15, 2021.
"Throughout the intrusion, the attackers leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," the company said. "In later stages, they chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and evading detection."