Cyberwar Bulletin: Iran and Albania

As the world still reels under the impact of the Ukraine-Russia cyberwar, yet another cyberwar has started between Iran and Albania.

Cyberattacks are today a serious threat. Critical infrastructure, government establishments, public sector companies, and policymakers are all repeatedly targeted by groups affiliated with nation-states. While a cyberwar has disastrous consequences for the parties involved, the aftermath may also disrupt the business functions of those only indirectly involved. In rare circumstances, unrelated organizations bear the brunt of mass, indiscriminate campaigns undertaken by organized cybercrime operators.

Iran-Albania Cyberwar Impact

The consequences of the recent Iran-Albania cyberwar started with outages of critical government services such as the embassy portal and national websites. It soon spiraled into a full-blown diplomatic incident, cutting ties between the two nations and prompting the USA to impose sanctions on Iran. Following this incident, the FBI, CISA, NSA, and US Cyber Command issued a joint advisory warning against Iranian threat actors.


Here is what the Prime Minister of Albania had to say about cutting off diplomatic ties with Iran:

“This extreme response … is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country.”

In the wake of the Iran-Albania cyberwar and the threat of further retaliation, Securin experts provide insights into the Iranian threats that organizations need to watch out for.

Attack Timeline

First, let us look at the timeline of events that triggered the cyberwar. Its roots appear to go back to 2014, when Albania gave shelter to an Iranian dissident group. More recently, the dissidents were reportedly involved in cyberattacks on the Iranian capital. The current war, however, escalated with Iran’s attempts to disrupt Albania’s networks.

APT Groups that have played a role

Research suggests that the successful series of attacks on Albania is the handiwork of a cluster of APT groups, all originating from Iran. The attackers gained entry into networks via CVE-2019-0604, a SharePoint Server vulnerability, then abused a misconfigured service account, and went on to deploy ransomware followed by wiper malware. The attackers maintained persistence in the compromised networks for months, from October 2021 until May 2022, before launching full-fledged attacks.

CVE-2019-0604 is a critical-severity vulnerability in SharePoint servers that can be exploited remotely to execute malicious code. The vulnerability is associated with the Iranian threat group DEV-0861 and the Chinese groups UNC215 and APT27. The CVE is also associated with the Hello ransomware and has been part of our ransomware research since Q1 2021. We also called out the vulnerability in our blog on FireEye’s stolen pentesting tools back in 2020.

Here are the APT groups deemed responsible:

  • DEV-0133 / Lyceum (probing victim infrastructure)

  • DEV-0861 (initial access and data exfiltration)

  • DEV-0166 / IntrudingDivisor (data exfiltration)

  • DEV-0842 (deploying the ransomware and wiper malware)


DEV-0861 and DEV-0166 are believed to be linked to the OilRig group, also known by popular aliases such as APT34, Charming Kitten and Phosphorus. The group has been active since 2011 and is known to target global companies of strategic importance to countries whose interests run contrary to Iran’s, as well as energy, financial, government, and healthcare organizations, amongst others, in over 50 target countries.

A leaked tool used by APT34

Products that put you at risk

If you use any of the products mentioned below, upgrade to their latest versions without further delay. Specific versions of these products are associated with vulnerabilities connected to Iranian APT threats, amounting to 225 different product versions overall. Organizations with unpatched vulnerabilities are exposed to a high risk of compromise and of threat actors maintaining persistence in their network.

Vulnerabilities Exploited by Iranian Threat Groups

Securin researchers have collated a list of 28 vulnerabilities that have either previously been exploited by known Iranian APT groups or were called out in the FBI advisory. With a high possibility of Iranian threat actors retaliating against the imposed sanctions, organizations are warned to check for exposure to these vulnerabilities and patch them before it is too late.

Vulnerabilities exploited by Iranian APT Groups

A notable call-out is CVE-2014-4114. Although an 8-year-old vulnerability, it has previously been exploited by four APT groups and by the Petya ransomware gang. It is of critical severity and is also featured in the CISA KEV. Given its age, this could well turn out to be a dark horse in this war.

Securin has called out 24 of these vulnerabilities in our blogs and reports, of which 19 vulnerabilities with ransomware associations have also been warned about in our Ransomware Reports (first published in 2019).

We had also warned of these vulnerabilities in our Threat Intelligence blog (Sep 15, 2022) in light of the advisory released against Iranian threats. To receive such warnings informing of trending threats, sign up for our Weekly Threat Intelligence Newsletter.


The table below details the vulnerabilities, the products they exist in, mitigations, and highlights the early warnings provided by Securin regarding the danger these vulnerabilities pose.


Of the 28 vulnerabilities, 22 are already listed in the CISA KEV catalog. However, we would like to call out six vulnerabilities that have yet to make it onto the list. We urge CISA to add these vulnerabilities to the catalog so that organizations take notice.

Vulnerability      CVSS Severity   Threat Actor Associations
CVE-2021-31196     High            Under Research
CVE-2021-31206     High            AvosLocker Ransomware
CVE-2021-33768     High            Under Research
CVE-2021-34470     High            Under Research
CVE-2021-45046     Critical        MuddyWater, DEV-0270, and OilRig APT groups
CVE-2021-45105     Medium          Under Research


Indicators of Compromise

If you are concerned that Iranian threat groups may have infiltrated your networks, you can use the IoCs listed below to check for signs of intrusion.


Have cyberwars now become a precursor to physical wars?

At the same time as the Iran-Albania war, a digital war has been looming in the western Balkan nations. A massive, coordinated cyberattack against Montenegro was launched by the Cuba ransomware group, a part of the Hive ransomware family. Public institutions in Kosovo were targeted in a largely unsuccessful cyberattack as well, and the website of the Ministry of Education and Science in North Macedonia was hit in yet another cyberattack.

Seven months ago, the Russia-Ukraine war began with back-and-forth cyberattacks between the two countries, which then turned into a full-blown physical war that is still going on. Are cyberwars becoming the first weapon fired when two nations face off? A cyberwar could cripple critical entities, disarming the opposition of its primary weaponry in the event of a war.


Here are some measures we recommend that organizations adopt to catch such issues early and secure their networks against attackers.

  • Continuously identify exposures in attack surfaces that could allow for a network compromise –  including unpatched vulnerabilities, misconfigurations, and exposed ports.

  • Prioritize the vulnerabilities with a higher threat context first – these could be due to associations with ransomware or APT groups, or ones with a high likelihood of exploitation or impact potential.

  • Sign up for continuous pentesting or red teaming exercises to know the reality of your exposures and rid your network of the lapses that allow attackers to establish a strong foothold in your network.
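As an added illustration of the prioritization step above (example code written for this post, not a Securin tool), the script below takes the six table rows the post says are not yet in the CISA KEV, plus the two CVEs it says are, and ranks them by threat context: KEV listing first, then ransomware and APT associations, then CVSS band. The KEV document is a constructed sample in the shape of CISA's known_exploited_vulnerabilities.json, and the scoring weights are an assumption.

```python
import json
import re
from dataclasses import dataclass

# Constructed KEV sample (shape of CISA's JSON feed) holding only the two page-named CVEs in the KEV.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2019-0604", "vendorProject": "Microsoft", "product": "SharePoint"},
    {"cveID": "CVE-2014-4114", "vendorProject": "Microsoft", "product": "Windows"},
]})

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
APT_PATTERN = re.compile(r"\b(APT\d*|DEV-\d{4}|OilRig|MuddyWater|UNC\d+)\b", re.I)

@dataclass
class Finding:
    cve: str
    severity: str       # CVSS severity band, as in the table
    associations: str   # threat actor / ransomware associations column

# Inventory: the six table rows not yet in the KEV, plus the two CVEs the post says are listed.
FINDINGS = [
    Finding("CVE-2021-31196", "High", "Under Research"),
    Finding("CVE-2021-31206", "High", "AvosLocker Ransomware"),
    Finding("CVE-2021-33768", "High", "Under Research"),
    Finding("CVE-2021-34470", "High", "Under Research"),
    Finding("CVE-2021-45046", "Critical", "MuddyWater, DEV-0270, and OilRig APT groups"),
    Finding("CVE-2021-45105", "Medium", "Under Research"),
    Finding("CVE-2019-0604", "Critical", "DEV-0861, UNC215, APT27, Hello ransomware"),
    Finding("CVE-2014-4114", "Critical", "four APT groups, Petya ransomware"),
]

def kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs listed in a KEV catalog document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}

def threat_score(f: Finding, kev: set) -> int:
    """Assumed weights: KEV listing > ransomware link > APT link > CVSS band."""
    score = SEVERITY_RANK.get(f.severity, 0)
    score += 10 if f.cve in kev else 0
    score += 5 if "ransomware" in f.associations.lower() else 0
    score += 3 if APT_PATTERN.search(f.associations) else 0
    return score

def prioritise(findings, kev: set):
    """Patch order: highest threat context first, CVE ID as a stable tie-break."""
    return sorted(findings, key=lambda f: (-threat_score(f, kev), f.cve))

def missing_from_kev(findings, kev: set):
    """Vulnerabilities an organization must track itself because the KEV does not list them."""
    return [f.cve for f in findings if f.cve not in kev]
```

Swap KEV_JSON for the contents of the live catalog and FINDINGS for your scanner output to get an ordered patch list and the subset the KEV will not flag for you.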


“Proactive defense is the only way out for organizations to stay safe from cyber attacks. As seen from the Iran-Albania cyber war, unpatched vulnerabilities and misconfigurations can be deadly. Government entities and industrial control systems have a target drawn on their backs, and it is important to secure these assets to avoid disruption and chaos. Organizations need to continuously evaluate their security posture and know what their exposures are lest they fall prey to such attacks.”

Aaron Sandeen, CEO and Co-founder, Securin
