Archive for Iran

Iranian APT MuddyWater Disguise Their Operations as a Chaos Ransomware Attack

Posted in Commentary with tags , on May 7, 2026 by itnerd

Iranian APT MuddyWater has been found disguising their operations as a Chaos ransomware attack leveraging Microsoft Teams social engineering to infiltrate organizations. 

The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate Multi-Factor Authentication (MFA). Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent. This report deconstructs the infection chain and analyzes the custom “Game.exe” Remote Access Trojan (RAT).

Additionally, this explores the process by which MuddyWater is increasingly leveraging the cybercriminal ecosystem to provide plausible deniability for geopolitical espionage and prepositioning, particularly in the US. The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big “tell” lies in the techniques that were deployed – and those that weren’t.

This overall strategy suggests the primary goal was not financial gain. It is also further proof of the lines blurring against the background of geopolitical tensions, and that attribution is becoming more difficult if teams do not take it upon themselves to conduct proper and thorough research.

More details here: https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/

Ensar Seker, CISO at threat intel company SOCRadar, commented:

“The MuddyWater activity is another example of how state-aligned threat actors increasingly blur the line between cybercrime and cyber-espionage. Using Chaos ransomware as a decoy, provides plausible deniability while also distracting incident responders into treating the intrusion as financially motivated cybercrime instead of a long-term intelligence collection operation. This tactic complicates attribution, delays strategic response decisions, and increases confusion during the critical early stages of an investigation.

The Microsoft Teams social engineering component is particularly notable because collaboration platforms are becoming one of the most effective initial access vectors. Employees inherently trust internal communication tools, and attackers understand that exploiting human familiarity inside business collaboration environments often bypasses traditional email-focused security controls. Organizations should treat Teams, Slack, and similar platforms as high-risk attack surfaces, applying the same monitoring, user awareness, and identity protection strategies traditionally reserved for email and VPN infrastructure.”

Threat actors come in all shapes and sizes. Thus as Mr. Seker says, consider everything to be a potential threat. And I would add to that the fact that nothing should be trusted.

Leave a comment »

U.S. agencies warn of Iranian hackers targeting water and energy systems

Posted in Commentary with tags , on April 9, 2026 by itnerd

Following up on this alert from the FBI, U.S. cybersecurity and intelligence agencies, including the FBI, NSA, and CISA, have issued a joint warning that Iranian-linked hackers are actively targeting critical infrastructure across the United States, with a focus on water, wastewater, energy, and government systems.

The activity has escalated since last month, with confirmed incidents resulting in operational disruptions and financial losses.

The attacks specifically target internet-exposed programmable logic controllers and industrial control systems used to operate infrastructure, including Rockwell/Allen-Bradley devices. Threat actors have been observed manipulating system data and extracting project files, with the stated intent of causing disruptive effects within U.S. systems.

Officials said the campaign spans multiple sectors and organizations nationwide, though the total number of impacted entities has not been disclosed. The advisory was issued by a coalition of federal agencies, including the Department of Energy and U.S. Cyber Command, as investigations into the activity remain ongoing.

Sunil Gottumukkala, CEO, Averlon:

   “ICS security matters because it underpins physical operations, so a compromise can mean real-world disruption, not just data loss. Many of the systems being targeted were never designed to be secured or updated at the pace modern threats require, and they still rely on legacy infrastructure where monitoring is limited and patching isn’t always feasible without operational impact.

   “Even when these systems aren’t directly exposed, they’re often connected through upstream systems, remote access, or vendor pathways that attackers can leverage as part of a broader attack chain. As threat activity increases and AI accelerates reconnaissance and exploit development, the response window continues to shrink while the ability to safely respond remains constrained.”

Damon Small, Board of Directors, Xcape, Inc.:

   “The targeted disruption of US water and energy utilities is the inevitable outcome of treating critical national infrastructure like a public Wi-Fi hotspot. By leveraging legitimate engineering tools like Rockwell’s Studio 5000 to manipulate project files, Iranian-linked actors have demonstrated that an Internet-exposed programmable logic controller (PLC) is not a poor technical design – it is a pre-staged kinetic weapon. Security leaders must acknowledge that these “nuisance” disruptions are live-fire exercises for more catastrophic escalations that exist entirely outside the bounds of diplomatic ceasefires. The primary business risk has shifted from simple uptime to the physical safety of the communities these utilities serve.

   “Teams must immediately pull every PLC off the public Internet and isolate them behind a Zero Trust gateway or authenticated VPN. For Rockwell CompactLogix and Micro850 series devices, operators should physically set the controller mode switch to the RUN position to block remote logic changes. Organizations must audit for exposed industrial ports such as 44818 and 2222 and rotate all default credentials across the OT environment. Failing to remove these systems from public view is an open invitation for geopolitical adversaries to use your operational uptime as a diplomatic bargaining chip. 

   “In short, the cease-fire will not stop our adversaries from attacking the United States’ critical infrastructure, and this will lead to the unavailability of these services, or worse, to incidents that lead to loss of life and limb.

   “If your water treatment plant or refinery is searchable on the Internet, you are not running a utility; you are hosting a digital sandbox for the IRGC.”

Denis Calderone, CTO, Suzu Labs:

   “When CyberAv3ngers hit Unitronics PLCs back in 2023, it looked like hacktivism. They put political messages on water system displays and moved on. What today’s six-agency advisory describes is different. We warned in March that organizations in energy, water, and government should be actively hunting for pre-positioned access. Today’s advisory confirms that’s exactly what’s been happening, and in some cases has already caused operational disruption and financial loss.

   “Today, we’re seeing the threat actors conducting fairly surgical operations, using Studio 5000 Logix Designer, which is Rockwell Automation’s own PLC programming software, to interact with CompactLogix and Micro850 controllers at the file object level. They’re extracting the programming logic that controls physical processes and manipulating data on HMI and SCADA displays. Think about what that means for a water treatment operator or a power plant engineer. If your display is showing you normal pressure, flow, or chemical dosing levels and the actual values are different, you’re making operational decisions based on false data. That’s how equipment damage and safety incidents happen.

   “Now, the advisory specifically calls out Rockwell Automation and Allen-Bradley, and that makes sense because Rockwell holds roughly 35 to 40 percent of the US PLC market. But don’t let the Rockwell focus distract you. The indicators of compromise in the advisory include traffic on port 102, which is S7comm, and that’s a Siemens protocol. The advisory itself says ‘potentially other branded PLCs’ are at risk.

   “If you’re running Siemens, Schneider, or any other PLC platform and assuming this doesn’t apply to you, look at the port list again: 44818 for EtherNet/IP (Rockwell and others), 102 for S7comm (Siemens), 502 for Modbus (most PLCs). Those protocols are from multiple manufacturers, proving that this is more than just a Rockwell problem.

   “The prescriptive advice here is straightforward. PLCs should never be directly accessible from the internet, period. The advisory confirms that the attackers are simply connecting to internet-exposed devices using overseas IP addresses. But internet isolation alone isn’t enough. Controllers and SCADA infrastructure should sit behind properly segmented OT network zones with monitored firewall boundaries between IT and OT environments.

   “If you have PLCs on flat networks that IT workstations can reach directly, you have a problem. Modbus TCP has essentially zero security controls built in. That protocol originates from 1979 when these were closed systems. Review logs now for suspicious traffic on ports 44818, 2222, 102, 22, and 502. And if you’re running Rockwell devices, reach out to Rockwell through their existing support channels for specific mitigation guidance tied to this advisory.”

The fact that all these agencies are warning about this should show you how serious this problem is. And to be clear, this is a today problem that requires immediate action. Otherwise really bad things will happen.

Leave a comment »

The Director Of The FBI Has Had His Email Pwned By Iranian Hackers

Posted in Commentary with tags , , on March 30, 2026 by itnerd

The Iranian hacker group Handala has claimed another victim. After pwning this company, Handala has now apparently pwned the personal email account of FBI director Kash Patel. Cybernews suggests that this is in revenge for the FBI taking down the group’s leak site.

“Today, once again, the world witnessed the collapse of America’s so-called security legends. While the FBI proudly seized our domains and immediately announced a $10 million reward for the heads of Handala Hack members, we decided to respond to this ridiculous show in a way that will be remembered forever,” the group wrote on its new leak site.

“All personal and confidential information of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download” Handala claimed, also boasting about the alleged “get” on its now 42nd Telegram channel.

The posted samples include nine personal photos of Patel and an alleged resume belonging to the FBI head.

The FBI has basically admitted that this is real, and if you’re Patel or the FBI, this has to be highly embarrassing. But honestly, I think that’s the least of their problems. Handala is clearly on a rampage and I fully expect to see more pwnage from this group over the coming weeks seeing as they are an Iran aligned group and will likely want to “flex” for those in the Iranian regime who back them.

Leave a comment »

Flashpoint update on Middle East conflict

Posted in Commentary with tags , on March 2, 2026 by itnerd

Flashpoint analysts continue to monitor the conflict, which transitioned between March 1-2 from a phase of initial mass exchange to a more complex, globally-attuned escalation involving a significant widening of kinetic and non-kinetic attack domains. New strikes directly targeted economic and logistical critical infrastructure in Gulf States, notably a major Saudi oil facility and an AWS data center in the UAE. A major escalation occurred on the Israel-Lebanon border as Hezbollah launched missile strikes, leading to an immediate and widespread Israeli response across Lebanon. The cyber domain witnessed new, alarming claims of intrusion into industrial control systems (ICS) and national grain supply logistics. The international community, specifically the UK, France, and Germany, signaled a willingness to join military action to destroy Iran’s missile capabilities, indicating a high probability of further conflict expansion.

Key Takeaways 

  1. Critical Economic Infrastructure is Now a Primary Target: Iran’s retaliatory strikes escalated to include direct hits on Saudi Arabia’s Aramco facility at Ras Tanura and a significant AWS data center in the UAE, signaling a shift to severe economic warfare and a higher risk for global energy supply.
  2. Conflict Has Expanded to a New Front: Hezbollah’s launch of missiles from Lebanon has resulted in Israeli strikes across all of Lebanon, including Beirut’s southern suburbs, effectively opening a second major kinetic front that increases the potential for a regional ground war.
  3. Cyberattacks Target Essential Civilian Logistics: Pro-Iranian hacktivist groups claimed successful, highly disruptive intrusions into a major Jordanian grain silo company’s control systems, including alleged manipulation of temperature controls and weighing systems, moving beyond simple defacements and signaling a direct threat to food security.
  4. NATO-Aligned Assets Now at Risk: An unmanned Iranian drone reportedly struck the runway of the RAF Akrotiri base in Cyprus, and Iran has allegedly targeted military assets in 15 countries on March 1. This new level of aggression brings NATO-aligned entities in the Eastern Mediterranean into the immediate crossfire.
  5. International Coalition Formation: The UK, France, and Germany are now actively considering military action to destroy Iran’s missile and drone capabilities, creating a defined coalition ready to intervene militarily and further isolating the Iranian regime.

Key Events

  • Saudi Oil Strike: Iranian Shahed-136 drones reportedly strike the Saudi Aramco facility at Ras Tanura, one of the world’s largest oil refining and export facilities.
  • UAE Infrastructure Strike: Amazon Web Services (AWS) confirmed its data center in the UAE (mec1-az2) was temporarily impacted by physical objects striking the facility, creating sparks and fire, forcing a service disruption.
  • UK Base Strike: An unmanned drone strikes the runway of the UK’s RAF Akrotiri base in Cyprus (later confirmed by the UK Foreign Secretary).
  • Lebanese Front Opens: The Israel Defense Force (IDF) confirmed that Hezbollah fired missiles from Lebanon, prompting immediate and extensive Israeli retaliatory strikes across all of Lebanon.
  • US Readiness for Suicide Attacks: US officials prepare for potential suicide attacks and further retaliatory missile strikes targeting American facilities and personnel, with primary concerns centered around Tel Aviv, Jerusalem, and Qatar.
  • US Strike Volume: US Central Command (CENTCOM) reports that over 1,000 targets were struck across Iran in the first 24 hours of Operation Epic Fury.
  • Interim Leader Targeted (Unconfirmed): Israeli media report the possible killing of Iran’s newly appointed interim supreme leader, Ayatollah Alireza Arafi, in fresh strikes on Tehran.
  • European Response: The UK, France, and Germany issue a statement indicating they are prepared to carry out military action to destroy Iran’s missile and drone launch capabilities.
  • Advanced Weaponry Deployment: Israel reportedly deploys the high-powered “Iron Beam” laser system for the first time in combat to intercept incoming rockets.
  • Cyber Resurgence: Mr Soul, a persona linked to the sanctioned Iran state-linked group CyberAv3ngers, announces their return to operations, although some reports suggest a lull in broader Iranian cyber activity.

Cyber Threats & Attacks

The focus shifted from mass-propaganda operations to high-impact, disruptive attacks on critical infrastructure and defense systems:

  • Industrial Control System (ICS) Targeting: The “Cyber Islamic Resistance Axis” claimed penetration of over 130 remote control systems belonging to Control Applications LTD in Israel and other countries.
  • Logistics Sabotage: Pro-Iranian actors detailed a successful intrusion into the Jordan Silos and Supply General Company, claiming they gained access via phishing.
  • Government/Commercial Disruption: Attacks continued against government and commercial entities in Gulf states, including DDoS and data breach claims against the Bahrain Communications Regulatory Authority, Dubai Medical City, and the Zayed Charitable & Humanitarian Foundation.
  • Threat Actor Status: Mr Soul (CyberAv3ngers-linked) announced a return to operations, while general cyber operations from Iranian groups saw a temporary, noticeable lull.

Physical Threats to Western Entities

The risk profile for Western assets in the region has significantly escalated beyond military installations:

  • Oil Infrastructure: The strike on the Saudi Aramco facility at Ras Tanura demonstrates that key Western-partnered economic infrastructure is now a legitimate, high-value kinetic target.
  • Cloud Infrastructure: The physical strike on the AWS data center in the UAE signifies that commercial technology and data assets are no longer safe from kinetic damage.
  • Contagion Risk: The escalation on the Israel-Lebanon front and the confirmed strike on the RAF Akrotiri base in Cyprus indicates a broadening geographical threat, placing personnel at bases like Souda Naval Base (Crete) and other NATO assets on high alert.
  • Personnel Security: US officials are preparing for the threat of suicide attacks targeting American facilities and personnel abroad, particularly in Tel Aviv, Jerusalem, and Qatar, necessitating a maximum threat posture.

Security Recommendations

  • Elevate Security Posture for Critical Infrastructure (Gulf): Businesses operating energy, logistics, or technology infrastructure in the Persian Gulf (especially Saudi Arabia, UAE, Qatar, and Bahrain) must immediately activate maximum security and contingency protocols and review physical security for assets like oil facilities, data centers, and major ports.
  • Review ICS Security: Organizations with Industrial Control Systems (ICS) and SCADA systems in the region must conduct a priority-one audit of remote access and phishing vulnerabilities, given the demonstrated capability of adversaries to target and claim control over such systems (e.g., Jordanian silos).
  • Implement Anti-Drone/C-UAS Measures: Deploy experienced counter-UAS operators (or partner with the UK to access the promised Ukrainian assistance) to address the persistent and expanding threat from Iranian drones (e.g., Ras Tanura strike, RAF Akrotiri strike).
  • Personnel Threat Assessment: All personnel in the Gulf region, especially in major transit/security hubs (Riyadh, Qatar, UAE), should be advised of the heightened risk of asymmetric attacks (e.g., suicide attacks) and instructed to strictly follow all government security alerts, avoiding public uniform display and high-profile locations.
  • Supply Chain Contingency: Implement Tier 1 contingency planning for global supply chains, assuming an extended closure of the Strait of Hormuz and continuous disruption of major Gulf air and sea hubs.

Strategic Outlook

The strategic outlook is one of maximum instability, marked by a critical escalation where the conflict is spiraling outward both geographically and functionally. Iran’s shift in strategy from purely military retaliation to economic decapitation is evident in the strikes on Saudi Arabia’s Ras Tanura oil facility and an AWS data center in the UAE, signaling a profound threat to global energy and technology supply chains. Furthermore, the conflict has opened a second kinetic front in Lebanon due to Hezbollah’s missile strikes, and is becoming dangerously internationalized as key European powers (UK, France, Germany) signal a readiness for military action to destroy Iran’s missile capabilities. This complex and widening hybrid war now includes high-impact, asymmetric threats like the potential for terror attacks and cyber intrusions against essential civilian logistics, making the de-escalation path extremely challenging.

Though this is slightly late, there is a Flashpoint Community Call Planned for Monday, March 2, 2026 at 11 AM EST: U.S.–Israel Military Strikes on Iran and Tehran’s Regional Retaliation | Flashpoin

Leave a comment »

Iranian Cyber Actions, Threats, Mitigation Recommendations 

Posted in Commentary with tags on March 2, 2026 by itnerd

Given the fact that Iran was attacked by the US and Israel over the weekend, and Iran is a known bad cyber actor, it’s time to have a discussion about what threats that Iran can pose. Thus I have four experts to share their thoughts on this important topic.

Ted Miracco, CEO, Approov:

    “A silent prelude to attacks has been conducted via API probing. While much of the public focus is on the military strikes, the digital battlefield has been simmering for weeks. In the fortnight leading up to this weekend’s events, Approov observed a significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments. These sophisticated maneuvers were specifically designed to evade initial defenses. We have analytical indications that the presumed Iranian actors were scouting and gauging regional infrastructure vulnerabilities. Fortunately, by deploying over-the-air (OTA) software updates to the apps and new policies to the cloud, we were able to harden these apps before the probes could turn into full-scale service interruptions or data breaches.

   “Groups like the CyberAvengers have already proven that our water and power systems are vulnerable through the hardware and mobile interfaces that control them. Depending on who is in power, we could expect a ‘scorched earth’ approach next. Currently, Iran’s domestic cyber infrastructure is in a defensive crouch following the massive digital blackout. As they regain control, they will likely move from probing or persistence to destruction. This means moving beyond standard DDoS attacks to wiper malware and API-based disruptions that could cripple the mobile apps global users rely on for everything from banking to emergency alerts. The sophistication we saw in the Gulf suggests they are capable of striking once they recover their footing. It will only matter who gives the orders, as whatever penetrations they could pull off were completed before the first strike occurred.”

Jacob Warner, Director of IT, Xcape, Inc.

    “During open conflict, Iran has historically favored asymmetric cyber tactics. These tactics are deniable, disruptive, and psychologically impactful rather than those that are overtly destructive. U.S. critical infrastructure – especially water utilities, energy operators, healthcare systems, telecommunications, the media, and regional government networks – could experience increased attacks.

    “These include DDoS campaigns, ransomware attacks, spear phishing, and disruptive intrusion attempts aimed at undermining public confidence. Groups like CyberAv3ngers have previously targeted poorly secured industrial control systems (ICS). This indicates a continued interest in operational technology (OT) environments with low cybersecurity maturity. We might also observe website defacements, data leaks, or influence operations intended to heighten domestic political and social tensions.

    “The Iranian regime has a history of suppressing pro-democracy communications. They do this by throttling Internet bandwidth, blocking major platforms, and shutting down mobile data networks during unrest. For private sector organizations, resilience should be the priority: patch vulnerable systems, enforce multi-factor authentication, segment operational technology (OT) from information technology (IT) networks, and practice incident response playbooks.

   “Lastly, users everywhere need to be reminded to be aware of unsolicited emails so that they can avoid compromising their organizations through susceptibility to phishing.”

Denis Calderone, Principal and CTO, Suzu Labs 

   “Recent trends have most analysts keeping focus on DDoS and ransomware right now, and those are real concerns. But what’s been concerning us more is the stuff we can’t see. Iran’s most capable espionage group, APT34, has gone completely quiet during the most significant crisis in their country’s modern history. We worry that it might just mean they’re getting ready.

   “Since it appears that conventional military options are looking increasingly to be off the table, cyber is what Iran has left. And even with their own internet down, pre-positioned implants and operators based outside Iran can still execute. If you’re in energy, water, financial services, or defense, assume you’re a target. Start hunting for anomalous access in your environment now. Don’t wait for something to break.

   “European organizations need to pay attention here too. Iran’s cyber operations don’t stop at US borders, and the proxy groups operating on Iran’s behalf are even less predictable in their targeting. When the motivation is retaliation and the conventional military is gone, cyber operators cast a wide net.

   “The immediate concern for European critical infrastructure is wiper malware. We’re already seeing reports of wiper deployments against Western financial and energy firms from Iranian proxy groups, and although many of these have been traditionally against Israeli targets, there’s no reason to suggest that targeting won’t expand with recent developments. If you’re in energy or critical infrastructure, treat this as a heightened threat period. Review your incident response plans, make sure your backups are isolated and tested, and pay close attention to any unusual activity in your OT environments. This is not a drill.”

Hom Bahmanyar, Global Enablement Officer, Ridge Security, Inc.

    “There is a significant possibility that Iran’s Islamic regime would respond to US and Israeli military strikes with large-scale cyberattacks, particularly given its inability to match the conventional military capabilities of the US and Israel. Cyber operations may be viewed by the regime as a more attainable and potentially effective means of retaliation compared to military confrontation.

    “Based on the regime’s past practice of imposing internet shutdown to restrict the flow of information during internal crises or domestic unrest, such as the January crackdown on protesters, the current nationwide internet blackout and reduction in connectivity to 4% as reported by NetBlocks is likely a deliberate government response to make it more difficult for pro-democracy forces to communicate with the outside world, rather than the direct result of Israel’s cyberattacks on their infrastructure.”

Leave a comment »

DHS Drops Warning About Iran Launching Cyberattacks Against The US

Posted in Commentary with tags , on June 23, 2025 by itnerd

DHS NTAS Bulletin is out that everyone should read given the escalated situation between the US and Iran:

The ongoing Iran conflict is causing a heightened threat environment in the United States. Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks. Iran also has a long-standing commitment to target US Government officials it views as responsible for the death of an Iranian military commander killed in January 2020. The likelihood of violent extremists in the Homeland independently mobilizing to violence in response to the conflict would likely increase if Iranian leadership issued a religious ruling calling for retaliatory violence against targets in the Homeland. Multiple recent Homeland terrorist attacks have been motivated by anti-Semitic or anti-Israel sentiment, and the ongoing Israel-Iran conflict could contribute to US-based individuals plotting additional attacks.

Tom Pace, former Head of Cyber for the Department of Energy (DoE) and current CEO of NetRise, provides his thoughts on what CISOs in the US are doing to prepare for potential retaliatory cyberattacks by Iran:

CISOs are moving quickly to prepare for potential Iranian retaliation in cyberspace by tightening access controls, validating backups, and watching for TTPs tied to groups like APT33 and APT34, which are tied to Iran. Coordination with ISACs and federal partners is essential to stay current on threat intelligence and emerging attack patterns.

This moment reinforces the urgency of visibility to know what code is running where, what it’s connected to, and whether it’s vulnerable or end-of-life. Software supply chain security is no longer an abstract concept. It’s a frontline defense against adversaries who exploit opaque systems. CISOs are asking: if Iranian actors drop a custom wiper tomorrow, would we know which systems could execute it?

Iran is going to be targeting low-hanging fruit vulnerabilities that they know they can exploit, or target outdated SOHO routers and infrastructure for the purposes of creating low to moderate scale botnets.

China tends to have very explicit goals and outcomes that they are pursuing, which tend to center around intelligence gathering and positioning. Iran may be looking to cause more destruction, given the attacks on their country. These targets may be small and incapable of defending themselves and hold little to no strategic value, but Iran needs to have a response that provides the illusion that they are a competent actor on the world stage.

This threat while being directed at the US may spill over to countries that are aligned with the US. Thus if you’re responsible for defending your organization from cyberattacks, consider this a heads up to redouble your efforts regardless of where you are.

1 Comment »

Iranian Backed Threat Actors Evolve To Become More Dangerous

Posted in Commentary with tags , on February 2, 2022 by itnerd

Researchers with Cybereason have discovered the notorious Iranian Charming Kitten has adapted new tools and evasion tactics, including a backdoor they dubbed the “PowerLess Backdoor”. The team also identified links between Charming Kitten and the Memento ransomware that emerged last year. Charming Kitten’s continuous evolution of its capabilities has been well-documented, so its new tools and potential to branch out in terms of the type of attacks it can deliver should come as little surprise to anyone.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“This discovery points to the fact that organizations are reliant on vendors to research and find new attacks and variants that are meant to evade current solutions. XDR and traditional SIEMs, even with analytics or claim of machine learning (ML) and Artificial Intelligence (AI) are too dependent on rule-based engines and trigger-based alerting to security events. This is not a recipe for success in quickly adapting to new variants that sophisticated threat actors are constantly creating with minimal effort. Not only does one of these vendors need to discover the new attack, but they also need to disclose the research to the public and other vendors that are made aware need to scramble to update their analytics and engines. The proper implementation of self-learning ML/AI that can more effectively adapt to new attack patterns and multi-stage methods across long periods of time without always needing updates that can take days or weeks after the attack has already been used in the wild. It is critical for organizations to research and deploy vendors with proper ML/AI along with user and entity behavior analytics (UEBA) in order to stay ahead of these emerging threats as vendors try to play catch-up.”

Organizations need to constantly be on their toes and create “a strong security culture” so they aren’t caught unawares by novel tactics used by groups like Charming Kitten and other highly organized threat groups. This this report should be required reading.

Leave a comment »

How Does Iran Deal With A COVID-19 Outbreak? Cut Off Internet Access Of Course

Posted in Commentary with tags on March 6, 2020 by itnerd

COVID-19 is a really big deal these days. And when a potential pandemic is on your doorstep, it usually is a good idea to get as much information out there to stop panic from setting in. However Iran doesn’t see things like that according to Motherboard:

Moments after Iran announced that a top adviser to Iran’s Supreme Leader had died as a result of the coronavirus, the government blocked access to the Persian version of Wikipedia.

The restrictions remained in place for 24 hours, though an oversight by the government meant that while the desktop version of the site was blocked, the mobile version remained available.

Access to the Farsi version of Wikipedia was restored on Tuesday, but social media sites like Twitter and Facebook remain restricted inside the country as of Wednesday, as the government seeks to control the spread of information and keep a grip on the narrative around the increasingly deadly outbreak.

Charming. But this is in line with dictatorships like Iran who see cutting off Internet access in whole or in part as a great way to maintain control. Except it isn’t a great way to maintain control because:

  1. I’m writing a story on this right now which brings attention to their behavior.
  2. It’s a safe bet that people are circumventing blocks like this which means it’s ineffective.
  3. It makes the regime in Iran look like they have something to hide. Like a higher COVID-19 death toll for example.

In other words, they just illustrated the Streisand Effect. Which is if you try to hide something, all it does is bring more attention to it. Which makes their efforts a #Fail.

Leave a comment »

Now Telegram Is Banned In Iran

Posted in Commentary with tags , on May 1, 2018 by itnerd

After being banned in Russia, it now turns out that Iran is banning the messaging service Telegram:

“Considering various complaints against the Telegram social networking app by Iranian citizens, and based on the demand of security organizations to confront the illegal activities of Telegram, the judiciary has banned its usage in Iran,” state TV reported.

“All Internet providers in Iran must take steps to block Telegram’s website and app as of April 30,” the judiciary website Mizan quoted a court order as saying.

The court order, according to Mizan, said Iran’s security had been threatened by Telegram as it had been used to mobilize many anti-government protests. 

Mizan said: “Those actions included propaganda against the establishment, terrorist activities, spreading lies to incite public opinion, anti-government protests and pornography.”

The ban apparently affects millions and may be connected to the Trump Administration’s threat to exit the nuclear weapons deal that was signed in 2015. Regardless, we’ll have to see how this plays out.

Leave a comment »