Safety Detectives
$ United States dollar
$ United States dollar Euro£ British poundAED UAE dirhamARS Argentine pesoAU$ Australian dollarBGN Bulgarian levR$ Brazilian realCA$ Canadian dollarCHF Swiss francCLP Chilean pesoCN¥ Chinese yuanCOP Colombian pesoCZK Czech korunaDKK Danish kroneEGP Egyptian poundHK$ Hong Kong dollarHUF Hungarian forintIDR Indonesian rupiah Israeli new shekelINR Indian rupee¥ Japanese yen South Korean wonMX$ Mexican pesoMYR Malaysian ringgitNOK Norwegian kroneNZ$ New Zealand dollarPLN Polish złotyRON Romanian leuRUB Russian rubleSAR Saudi riyalSEK Swedish kronaSGD Singapore dollar฿ Thai bahtTRY Turkish liraNT$ New Taiwan dollarUAH Ukrainian hryvnia Vietnamese DongZAR South African rand

Iranian Hacker Group Wage Cyber Espionage Campaign In The Middle-East

Tyler Cross
Tyler Cross
Tyler Cross Tyler Cross

The Israeli cybersecurity firm, Check Point, recently discovered a cyber espionage campaign being waged by threat actors with ties to Iran’s Ministry of Intelligence and Security (MOIS).

These attacks come as the war in Israel wages on — militant hacktivist activity ramped in and hackers are launching more brazen attacks than ever. The threat actor, being dubbed “Scarred Manticore” carried out malware attacks on various countries in the Middle East, including Saudi Arabia, Israel, The United Arab Emirates, and Iran.

The attackers take control of public-facing Windows servers, infiltrating the systems by various means. Once inside, they employ malware that allows them to steal data from the host.

“Instead of using the HTTP API, the malware uses IOCTLs to interact directly with the underlying HTTP.sys driver,” explains researchers.

Each server implant deployment is tailor-made for the job, which stands out, even among advanced hackers. Attacks were methodical and preyed on individual vulnerabilities within each server.

“This approach is stealthier as it doesn’t involve IIS or HTTP API, which are usually closely monitored by security solutions, but is not a straightforward task given that the IOCTLs for HTTP.sys are undocumented and require additional research efforts by the threat actors.”

The attacks and methods resemble the Iranian nation-state crew, OilRig, who launched an eight-month-long campaign on a country in the Middle East between February and September 2023.

There’s also overlap with Shrouded Snooper, a group that attacks telecom companies in the Middle East using a tool called HTTPSnoop. Parts of their malware framework, LIONTAIL used HTTPSnoop (as well as FOXSHELL, SDD backdoor, and WINTAPIX drivers) to carry out the attack.

The hacks threaten to worsen an already precarious situation. Hackers backed by state organizations are attempting to change global perceptions of the conflicts can undermine government action and rile people up.

Nations around the world are racing to improve their cybersecurity defenses, as massive attacks like this continue to ramp up internationally.

About the Author
Tyler Cross
Tyler Cross
Writer

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends."