Since around November 2020, an Advanced Persistent Threat (APT) group that may be backed by Iran has been observed deploying data-wiping malware and ransomware attacks against Israeli organizations.
Researchers from SentinelOne this week attributed the attacks to "Agrius," a new threat actor that began with cyber espionage but has since shifted toward more destructive operations.
In many cases, the threat actor has disguised its data-wiping attacks as ransomware attacks: victims were told that their data had been stolen and encrypted when in fact it had been wiped.
SentinelOne noted in its blog post: "The operators behind the attack deliberately masked their activities as a ransomware attack, which is uncommon behavior for financially motivated groups."
The Agrius group's preferred initial-access strategy is to exploit known vulnerabilities in the target organization's public-facing web applications. Its favorite is CVE-2018-13379, a long-patched path traversal vulnerability in certain versions of Fortinet's FortiOS operating system. SentinelOne said its researchers have observed Agrius using this vulnerability extensively in opportunistic attacks on Israeli targets.
In addition to the FortiOS vulnerability, Agrius was also found to exploit (or attempt to exploit) various so-called "n-day" vulnerabilities: known flaws for which patches are already available or in the works. Some security analysts consider n-day vulnerabilities more dangerous than zero-days, because public information about them is available to defenders and attackers alike, and attackers need only find the systems that have not yet been patched. In some cases, the Agrius group used SQL injection attacks to try to gain an initial foothold in the organization's network. SentinelOne said that most of the attacks launched by Agrius came from IP addresses belonging to popular VPN services such as ProtonVPN.
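The initial-access pattern described above (known web-application flaws, path traversal and SQL injection, probed from commodity VPN exit addresses) is the kind of activity that shows up in a web server's access logs long before a wiper runs. The following script is an added example and is not code from SentinelOne or from the article: it parses constructed Apache/nginx-style combined log lines (these are illustrative, not real traffic and not the FortiOS log format), repeatedly percent-decodes each request target so double-encoded payloads unwrap, flags `..` path segments and coarse SQL injection patterns, and counts flagged requests per source IP so repeated probing from one address stands out. The regexes are heuristics of my own and will produce false positives on some legitimate traffic; patching the n-day remains the actual fix.

```python
"""Flag path-traversal and SQL-injection probes in web access logs.

Added example: not SentinelOne's or the threat actor's code. The log lines
and the detection heuristics are constructed for illustration only.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style combined log lines (not real traffic,
# not a Fortinet log format). 203.0.113.10 plays the opportunistic scanner.
SAMPLE_LOG = """\
198.51.100.7 - - [21/May/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.10 - - [21/May/2021:10:01:05 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1846
203.0.113.10 - - [21/May/2021:10:01:09 +0000] "GET /static/..%252F..%252Fapp%252Fconfig.php HTTP/1.1" 404 231
203.0.113.10 - - [21/May/2021:10:02:14 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
203.0.113.10 - - [21/May/2021:10:02:20 +0000] "GET /search?q=x%27+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 312
198.51.100.7 - - [21/May/2021:10:03:00 +0000] "GET /search?q=hello+world HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A ".." segment after decoding, reached via a slash, backslash or a
# query delimiter (file=../..), with either slash style following it.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')

# Coarse SQL injection heuristics (assumed patterns, tune for your app):
# quote-then-boolean, UNION SELECT, trailing comment, stacked statements,
# and time-based probes.
SQLI_RES = [
    re.compile(r"'\s*(?:or|and)\s+['\d(]", re.I),
    re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I),
    re.compile(r"(?:--|/\*)\s*$"),
    re.compile(r";\s*(?:drop|insert|update|delete|exec)\b", re.I),
    re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
]


def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252F) unwrap."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return (decoded_target, tags) for one request target."""
    decoded = decode_target(target)
    tags = []
    if TRAVERSAL_RE.search(decoded):
        tags.append('path_traversal')
    if any(r.search(decoded) for r in SQLI_RES):
        tags.append('sqli')
    return decoded, tags


def scan_log(text):
    """Parse each log line and keep those whose target matches a heuristic."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded, tags = classify(m['target'])
        if tags:
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'target': m['target'],
                         'decoded': decoded, 'tags': tags})
    return hits


def offenders(hits):
    """Flagged requests per source IP: repeated hits from one address are
    the opportunistic-scanning pattern the article describes."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['ts']} {','.join(h['tags']):<20} {h['decoded']}")
    print(offenders(found))
```

Decoding in a loop matters: a single `unquote` would leave `%252F` as `%2F`, and a literal-string match on `../` would miss the second probe entirely. In production the same logic belongs in the SIEM or WAF rule set rather than a script, with the per-IP counts joined against known VPN exit ranges for the kind of enrichment SentinelOne's observation about ProtonVPN suggests.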
Once Agrius gains access to a network, the threat actor uploads a webshell and uses it to enable lateral movement. In many cases the webshell is a variant of ASPXSpy, a script that gives an attacker control of the remote system. SentinelOne said it has also observed the threat actor deploying "IPsec Helper," a custom backdoor written in .NET, to exfiltrate data or deploy additional malware on compromised networks.
JA Guerrero-Saade, principal threat researcher at SentinelOne, said: "Agrius' espionage and destructive activities go hand in hand. [...] Determine the data to be stolen."
Guerrero-Saade said that once the attackers have what they want, they move on to the destruction stage. He noted that the use of wipers, and in particular wiper attacks disguised as ransomware, places Agrius in a small group of threat actors. Others include APT33, another threat group linked to Iran, Russia's Sandworm, and North Korea's Lazarus Group.
At present, the focus of the Agrius Group seems to be the Middle East.
"But there are no other constraints beyond their tasking," Guerrero-Saade said. "While we have not yet observed Agrius targeting American organizations, we would not put it beyond their scope."
Deadwood and Apostle Wipers
SentinelOne said it has observed two kinds of wiper malware used by the Agrius group. One is Deadwood, also known as Detbosit, a wiper associated with other Iranian groups such as APT33 and APT34. Some security vendors have linked the malware to destructive attacks on organizations in the oil and gas sector in the Middle East and elsewhere. In addition to Deadwood, Agrius also uses a wiper that has not so far been associated with any other group. SentinelOne has labeled this wiper "Apostle" and believes it may have been developed by the same malware author as IPsec Helper. Since its initial development, Apostle has been transformed into a fully functional ransomware tool.
According to SentinelOne, the Agrius attacks appear to be part of a broader Iranian government strategy of deploying threat groups to conduct destructive attacks on adversary countries under the cover of ransomware. Another recent example is Project Signal, an effort linked to Iran's Islamic Revolutionary Guard Corps. On the surface, Project Signal also looks like a financially motivated ransomware operation, but Flashpoint recently pointed out that the group may also be using ransomware to cover more destructive attacks.
Flashpoint noted: "Iran has a history of attempting to use cybercriminal TTPs to blend in with non-state-sponsored malicious cyber activity in order to avoid attribution and maintain plausible deniability."
Guerrero-Saade said it is difficult to determine the specific intentions of the Agrius group.
"But the timing of this activity coincides with the so-called tit-for-tat exchanges between Israel and Iran, including claims that Israel took out Iranian port facilities and that Israeli companies were in turn hit by ransomware claiming to be of Iranian origin," he said.
Jai Vijayan is an experienced technology journalist with more than 20 years of experience in the IT trade press. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication.