Cybereason Finds New Malware in Iranian Espionage Campaigns
Cybereason has discovered previously unidentified malware variants being leveraged in two separate Iranian state-sponsored cyber espionage operations targeting a wide range of organizations in multiple global regions.
Moses Staff is deploying ransomware against targets to inflict damage and hamper forensic investigations, while Phosphorus is joining forces with the recently documented Memento ransomware group to inflict damage globally.
Moses Staff’s list of victims includes multiple countries and regions. Among them are Israel, Italy, India, Germany, Chile, Turkey, United Arab Emirates (UAE) and the United States.
Phosphorus has been spotted attacking research facilities in multiple regions such as the United States, Europe and the Middle East. The group is known to be behind multiple cyber espionage and offensive cyber attacks, operating in the interest of the Iranian regime, leveraging cyberwarfare in accordance with Iran’s geopolitical interests.
Assaf Dahan is Cybereason’s senior director and head of threat research.
“There have been multiple reports about attacks carried out by these groups that were successful,” he said. “The damages can be quite severe if you take the consequences of such attacks into account. There are direct damages caused by the deployment of ransomware and the encryption of the files, which can jeopardize business continuity and prevent organizations from accessing their data, not to mention the damage caused by the act of stealing sensitive data. That data can be later used to facilitate further attacks or used for espionage purposes. Additionally, we have to take into account the leaking of the data that can cause huge reputational damage to the victims and even open the victims to lawsuits.”
Cybereason recommends a three-step approach for organizations to protect themselves.
“First, defenders and security teams should study our reports and extract all the indicators that we provide,” Dahan said. “We recommend focusing on understanding the modus operandi of these attackers and making sure that they can proactively hunt for signs of compromise, as detailed in our reports. Second, we recommend patching all endpoints, and especially critical servers, since the root cause of most of the attacks lies in unpatched systems (consider Microsoft Exchange servers, Log4j and VPN clients). Finally, defenders should have a holistic XDR platform that can detect correlated events from all parts of the network.”