[BreachExchange] Iranian cyberspies leave training videos exposed online

Destry Winant destry at riskbasedsecurity.com
Tue Jul 21 10:35:06 EDT 2020


https://www.zdnet.com/article/iranian-cyberspies-leave-training-videos-exposed-online/

One of Iran's top hacking groups has left a server exposed online
where security researchers say they found a trove of screen recordings
showing the hackers in action.

The server was discovered by IBM's X-Force cyber-security division,
whose researchers believe the videos are tutorials the Iranian group
was using to train new recruits.

According to X-Force analysts, the videos were recorded with a
screen-recording app named Bandicam, suggesting the recordings were
made deliberately rather than captured accidentally by operators who
had infected themselves with their own malware.

VIDEOS SHOWED BASIC ACCOUNT HIJACKING TECHNIQUES

The videos showed Iranian hackers performing various tasks and
included steps on how to hijack a victim's account using a list of
compromised credentials.

Email accounts were primary targets, but social media accounts were
also accessed if compromised account credentials were available for
the target.

X-Force described the process as meticulous, with operators accessing
each and every victim account, regardless of how unimportant the
online profile appeared to be.

This included accessing a victim's accounts for video and music
streaming, pizza delivery, credit reporting, student financial aid,
municipal utilities, banks, baby product sites, video games, and
mobile carriers, according to IBM X-Force. In some cases, operators
validated credentials for at least 75 different websites across two
individuals, they said.

Hackers accessed each account's settings section and searched for
private information that might not be included in other online
accounts as part of their efforts to build a profile as complete as
possible about each target.

IBM didn't detail how the hackers obtained the credentials for each
victim. It is unclear if the operators had infected the targets with
malware that dumped passwords from their browsers, or if the operators
had bought the credentials off the underground market.

OTHER VIDEOS SHOWED HOW TO EXPORT ACCOUNT DATA

In other videos, the operator also went through the steps to
exfiltrate data from each account. This included exporting all account
contacts, photos, and documents from associated cloud storage sites,
such as Google Drive.

X-Force researchers say that in some cases, the operators also
accessed a victim's Google Takeout utility to export details such as
the full content of their Google Account, including location history,
information from Chrome, and associated Android devices.


When all was done, the operators also added the victim's email
credentials to a Zimbra instance operated by the Iranian group, which
would allow the hackers to remotely monitor multiple accounts from one
backend panel.

Other videos also showed the operators engaged in creating puppet
email accounts that X-Force researchers believe the hackers would use
for future operations.

2FA BLOCKED INTRUSIONS

X-Force says it was able to identify and later notify some of the
victim accounts portrayed in the videos, which included an enlisted
member of the United States Navy, as well as an officer in the Greek
Navy.

The videos also showed failed attempts to access target accounts, such
as the accounts of US State Department officials.

The videos where the account compromise attacks failed were usually
for accounts that used two-factor authentication (2FA), researchers
said in a report shared with ZDNet this week.
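The pattern the article describes (a valid password followed by a failed 2FA challenge, a first login from an unfamiliar address followed within minutes by a bulk export or a mail-client login, and one source address touching several accounts) is exactly what a defender can hunt for in authentication logs. The following is an added example and is not code from the article, ZDNet, or IBM X-Force; the log format, the event names (`password_ok`, `mfa_failed`, `login_success`, `export_requested`, `imap_login`) and the sample lines are constructed for illustration, so map your own identity provider's or mail server's event names onto them.

```python
"""Flag the credential-abuse pattern described in the article over
constructed auth logs (added example, not from the article or X-Force)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source_ip> <event>".
# Event names are hypothetical stand-ins for your IdP's / mail server's own.
SAMPLE_LOG = """\
2020-07-01T08:02:11Z alice 203.0.113.5 password_ok
2020-07-01T08:02:12Z alice 203.0.113.5 mfa_ok
2020-07-02T21:14:03Z alice 198.51.100.77 password_ok
2020-07-02T21:14:30Z alice 198.51.100.77 mfa_failed
2020-07-02T21:15:02Z alice 198.51.100.77 password_ok
2020-07-02T21:15:40Z alice 198.51.100.77 mfa_failed
2020-07-03T02:40:00Z bob 198.51.100.77 password_ok
2020-07-03T02:40:01Z bob 198.51.100.77 login_success
2020-07-03T02:41:15Z bob 198.51.100.77 export_requested
2020-07-03T02:43:00Z bob 198.51.100.77 imap_login
2020-07-04T09:00:00Z carol 192.0.2.10 password_ok
2020-07-04T09:00:01Z carol 192.0.2.10 mfa_ok
2020-07-04T09:00:02Z carol 192.0.2.10 login_success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
FULL_LOGIN = {"mfa_ok", "login_success"}          # session actually established
POST_LOGIN_EXFIL = {"export_requested", "imap_login"}  # bulk export / new mail client
EXFIL_WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse log lines into (timestamp, user, ip, event), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        ts, user, ip, event = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, min_accounts_per_ip=2):
    """Return de-duplicated (user, ip, reason) alerts for the three signals."""
    alerts = []
    known_ips = defaultdict(set)  # user -> IPs that completed a login before
    pending_pw = {}               # user -> IP of the most recent valid password
    new_ip_login = {}             # user -> (time, IP) of last login from a new IP
    users_per_ip = defaultdict(set)

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for ts, user, ip, event in events:
        users_per_ip[ip].add(user)
        if event == "password_ok":
            pending_pw[user] = ip
        elif event == "mfa_failed":
            # Correct password but 2FA not satisfied, from an address this user
            # has never completed a login from: the password is likely compromised.
            if pending_pw.get(user) == ip and ip not in known_ips[user]:
                add((user, ip, "valid password, 2FA failed from new IP"))
        elif event in FULL_LOGIN:
            if ip not in known_ips[user]:
                new_ip_login[user] = (ts, ip)
            known_ips[user].add(ip)
        elif event in POST_LOGIN_EXFIL:
            # Export or mail-client enrollment soon after a first login from a new IP.
            t0, ip0 = new_ip_login.get(user, (None, None))
            if ip0 == ip and ts - t0 <= EXFIL_WINDOW:
                add((user, ip, f"{event} shortly after first login from new IP"))

    # One source address validating credentials across several accounts.
    for ip, users in users_per_ip.items():
        if len(users) >= min_accounts_per_ip:
            add(("*", ip, f"one source IP touched {len(users)} accounts"))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, ip, reason in run_sample():
        print(f"{user:6} {ip:15} {reason}")
```

On the constructed sample this raises one alert for alice (her password was valid but 2FA stopped the login, the same outcome the researchers saw on the videos), two for bob (export and IMAP login minutes after a first-seen address logged in, matching the Takeout and Zimbra steps above) and one for the shared source address, while carol's routine login from her usual address stays quiet. The first signal is worth acting on even though the login failed: it tells you which passwords are already in someone else's list.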

SERVER AND TRAINING VIDEOS LINKED TO ITG18/APT35

X-Force researchers said the server where they found all these videos
was part of the attack infrastructure of an Iranian group they have
been tracking as ITG18, which is more commonly known as Charming
Kitten, Phosphorus, and APT35.

The group has been one of Iran's most active state-sponsored hacking
crews. Some of the group's more recent campaigns include attacks
against a 2020 US presidential campaign, as well as attacks on US
pharmaceutical executives during the COVID-19 pandemic.

Past ITG18/APT35 campaigns have also targeted US military, US
financial regulators, and US nuclear researchers -- areas of interest
for the Iranian state due to the mounting military tensions between
the two countries, the economic sanctions imposed on Iran, and Iran's
expanding nuclear program.
