At a glance.
- Charlie Hebdo breach attributed to Iranian threat actor.
- APT34 targets government organizations in the Middle East.
- HeadCrab malware compromises Redis servers.
Charlie Hebdo breach attributed to Iranian threat actor.
Microsoft has attributed the data theft attack sustained by French satire magazine Charlie Hebdo last month to the Iranian threat actor NEPTUNIUM (also tracked by the US government as "Emennet Pasargad"). The threat actor claims to have stolen personal information from 200,000 of Charlie Hebdo's customers, which Microsoft says "could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations." NEPTUNIUM has published some of the data as proof, and is offering to sell the rest for 20 bitcoins (around $340,000).
Microsoft stated, "We believe this attack is a response by the Iranian government to a cartoon contest conducted by Charlie Hebdo. One month before Holy Souls conducted its attack, the magazine announced it would be holding an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei. The issue featuring the winning cartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices."
APT34 targets government organizations in the Middle East.
Trend Micro says the Iranian threat actor APT34 (also known as "OilRig" or "Helix Kitten") is using a new strain of malware to target government entities in the Middle East. The malware is designed to steal user credentials, and can send new credentials to the threat actor if the user changes their password.
The malware can exfiltrate data from compromised email accounts by sending the contents of the inbox to attacker-controlled email addresses. The researchers note, "While not new as a technique, this is the first instance that APT34 used this for their campaign deployment. Following this analysis, it is highly likely that this campaign’s routine is only a small part of a bigger chain of deployments."
HeadCrab malware compromises Redis servers.
Aqua Security describes a new strain of malware targeting Redis servers. The malware, dubbed "HeadCrab," has compromised at least 1,200 servers so far. While HeadCrab can gain full control over a server, its operator has apparently so far only used it for cryptomining with XMRig. The developer left a note inside the malware stating that its purpose is "to bring unconditional basic income to ppl with some disadvantages." Aqua stresses, however, that the malware is sophisticated and stealthy:
"The malware has been designed to bypass volume-based scans as it runs solely in memory and is not stored on disk. Additionally, logs are deleted using the Redis module framework and API. The attacker communicates with legitimate IP addresses, primarily other infected servers, to evade detection and reduce the likelihood of being blacklisted by security solutions. The malware is primarily based on Redis processes which are unlikely to be flagged as malicious. Payloads are loaded through memfd, memory-only files, and kernel modules are loaded directly from memory, avoiding disk writes. Our analysis has also found that there are no detections of these binaries as malicious on Virus Total."
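A defender-side check for the memory-only loading technique Aqua describes above. This is an added example, not code from Aqua's report or from HeadCrab itself; it assumes a Linux host where memfd-backed files appear in `/proc/<pid>/maps` as `/memfd:<name> (deleted)`, and the `SAMPLE_MAPS` excerpt is constructed for illustration.

```python
import os
import re

# One line of /proc/<pid>/maps: address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def memfd_executable_mappings(maps_text):
    """Return (start, end, path) for executable mappings backed by a memfd file.

    Files created with memfd_create() show up in /proc/<pid>/maps with a path of
    the form '/memfd:<name> (deleted)'. An executable mapping with such a path is
    code that exists only in memory and was never written to disk, which is why
    volume-based scanners miss it.
    """
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if "x" in m.group("perms") and path.startswith("/memfd:"):
            hits.append((int(m.group("start"), 16), int(m.group("end"), 16), path))
    return hits


def scan_running_processes(proc_root="/proc", comm_filter=None):
    """Scan live processes; optionally restrict to one command name (e.g. 'redis-server')."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            if comm_filter and comm != comm_filter:
                continue
            with open(f"{proc_root}/{pid}/maps") as f:
                hits = memfd_executable_mappings(f.read())
        except OSError:
            continue  # process exited, or no permission to read its maps
        if hits:
            findings[int(pid)] = (comm, hits)
    return findings


# Constructed sample: a redis-server maps excerpt with one memfd-backed executable region.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0c00000 r-xp 00000000 fd:01 1311234    /usr/bin/redis-server
7f2a4c000000-7f2a4c021000 rw-p 00000000 00:00 0
7f2a4d200000-7f2a4d25c000 r-xp 00000000 00:05 2049       /memfd:payload (deleted)
7f2a4d25c000-7f2a4d260000 rw-p 0005c000 00:05 2049       /memfd:payload (deleted)
7ffd3e1a0000-7ffd3e1c1000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print(memfd_executable_mappings(SAMPLE_MAPS))
    print(scan_running_processes(comm_filter="redis-server"))
```

Running the scan as root against `redis-server` processes on a host flags any Redis worker executing code from a memfd region; a clean deployment should return an empty result.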