Top stories.
- Iran's decentralized cyber operations continue despite strikes on leadership.
- Cyberattack against Stryker wiped nearly 80,000 devices.
- EU sanctions Chinese and Iranian companies for allegedly supporting cyberattacks.
- DarkSword exploit chain compromises iOS devices.
- Law enforcement dismantles major IoT botnets.
Iran's decentralized cyber operations continue despite strikes on leadership.
US and Israeli strikes on Iran's Ministry of Intelligence and Security (MOIS) reportedly killed two individuals tied to state-backed cyber operations, but activity from affiliated hacking groups continues, Forbes notes. Among those killed were Mohammad Mehdi Farhadi Ramin, charged by the Justice Department in 2020 for hacking US aerospace and defense firms, and Seyed Yahya Hosseiny Panjaki, an intelligence official linked by the FBI to cyberattacks and terror plots. Panjaki reportedly headed the MOIS unit that handled state-affiliated hacktivist groups, including Handala.
Iranian cyberattacks have continued, however, due to the decentralized nature of Iran's cyber capabilities. Handala has since claimed responsibility for a major attack on US medtech firm Stryker, and another MOIS-backed group disrupted Albania's parliament this past Sunday. Western organizations and allies should be prepared for sustained cyber risk amid the ongoing kinetic conflict.
Cyberattack against Stryker wiped nearly 80,000 devices.
Stryker has shared details about the Handala-attributed cyberattack the company sustained last week, noting that the incident affected only the company's internal Microsoft corporate environment and did not involve any malware. That is consistent with earlier reports that the attacker breached an Intune administrator account and remotely wiped employee devices: a wipe issued through the legitimate MDM service needs no malware on the endpoints. BleepingComputer cites a source as saying that the attacker compromised an Intune administrator account, used it to create a new Global Administrator account, and then issued Intune's wipe command against nearly 80,000 devices.
Stryker stresses that all of its medical products remain safe to use, since they operate independently of the company's network. The company added that it's working to restore systems that support manufacturing, ordering, and shipping.
Following the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging organizations to implement best practices to secure their Microsoft Intune instances. CISA echoes Microsoft's guidance for securing Intune: apply the principle of least privilege, require phishing-resistant multifactor authentication and maintain privileged access hygiene for administrator accounts, and enable Multi Admin Approval in Intune so that sensitive changes need a second administrator's approval before they execute.
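The attack sequence reported above (an Intune admin compromised, a new Global Administrator created, then mass wipes) is detectable from audit logs after the fact, and ideally within minutes. The following is an added detection sketch, not code from Stryker, Microsoft or CISA. It assumes a simplified JSON-lines log (constructed inline) with the fields time, source, activity, actor, target and, for role changes, role; real Entra ID audit logs and Intune audit events carry richer schemas that must first be mapped onto these fields, and the activity strings used here are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log():
    """Constructed sample events, not real tenant data. Field names and
    activity strings are assumptions modelled loosely on Entra/Intune logs."""
    base = datetime(2026, 3, 12, 1, 0, tzinfo=timezone.utc)
    events = [
        {"source": "entra", "activity": "Add user",
         "actor": "intune-admin@corp.example",
         "target": "svc-recovery@corp.example",
         "time": base + timedelta(minutes=2)},
        {"source": "entra", "activity": "Add member to role",
         "actor": "intune-admin@corp.example",
         "target": "svc-recovery@corp.example",
         "role": "Global Administrator",
         "time": base + timedelta(minutes=3)},
    ]
    # The newly created Global Administrator wipes 25 devices in ~8 minutes.
    for i in range(25):
        events.append({"source": "intune", "activity": "Wipe ManagedDevice",
                       "actor": "svc-recovery@corp.example",
                       "target": f"DESKTOP-{i:04d}",
                       "time": base + timedelta(minutes=10, seconds=20 * i)})
    # Benign baseline: helpdesk wipes one lost laptop the previous day.
    events.append({"source": "intune", "activity": "Wipe ManagedDevice",
                   "actor": "helpdesk@corp.example", "target": "LAPTOP-0423",
                   "time": base - timedelta(hours=16)})
    return "\n".join(json.dumps({**e, "time": e["time"].strftime(TIME_FMT)})
                     for e in events)


def parse_events(text):
    """Parse JSON lines; 'time' becomes an aware UTC datetime. Sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT).replace(
            tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def wipes_by_actor(events):
    """Map each actor to the (sorted) times of the wipe commands it issued."""
    out = defaultdict(list)
    for e in events:
        if e["source"] == "intune" and e["activity"] == "Wipe ManagedDevice":
            out[e["actor"]].append(e["time"])
    return out


def detect_mass_wipe(events, window=timedelta(minutes=30), threshold=10):
    """Return {actor: peak wipe count} for actors that issued at least
    `threshold` wipes inside any sliding window of length `window`.
    A sliding window, not fixed buckets, so a burst straddling a bucket
    boundary is still counted in full."""
    flagged = {}
    for actor, times in wipes_by_actor(events).items():
        j, peak = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


def detect_fresh_admin_wiping(events, max_age=timedelta(hours=24)):
    """Return actors added to Global Administrator at most `max_age` before
    their first wipe: the escalate-then-wipe sequence described above."""
    promoted = {}
    for e in events:
        if (e["source"] == "entra" and e["activity"] == "Add member to role"
                and e.get("role") == "Global Administrator"):
            promoted[e["target"]] = e["time"]
    flagged = []
    for actor, times in wipes_by_actor(events).items():
        if actor in promoted and timedelta(0) <= times[0] - promoted[actor] <= max_age:
            flagged.append(actor)
    return flagged


def analyze(text):
    """Combine both signals; an actor that trips both is rated high."""
    events = parse_events(text)
    mass = detect_mass_wipe(events)
    fresh = set(detect_fresh_admin_wiping(events))
    alerts = []
    for actor in sorted(set(mass) | fresh):
        sev = "high" if actor in mass and actor in fresh else "medium"
        alerts.append({"actor": actor, "severity": sev,
                       "peak_wipes": mass.get(actor, 0),
                       "fresh_global_admin": actor in fresh})
    return alerts


if __name__ == "__main__":
    for alert in analyze(make_sample_log()):
        print(alert)
```

The thresholds are deliberately low for the constructed sample; tune the wipe-rate threshold against the tenant's normal device-retirement volume. Detection alone would not have stopped the wipes, which is why the CISA guidance pairs it with Multi Admin Approval: a second approver is a preventive control on the wipe action itself, while this logic only shortens the time to notice an attack already under way.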
The US Justice Department announced Thursday night that it had seized four domains used by Handala for leaking operations.
EU sanctions Chinese and Iranian companies for allegedly supporting cyberattacks.
The European Union has imposed sanctions on two Chinese companies and one Iranian firm for allegedly supporting cyberattacks against EU member states and partners. The measures affect China-based Integrity Technology Group and Anxun Information Technology, along with Iran-based Emennet Pasargad. The EU also sanctioned the two cofounders of Anxun.
EU officials say Integrity facilitated the compromise of more than 65,000 devices across six countries between 2022 and 2023. Anxun allegedly provided hacking services targeting critical infrastructure. Emennet Pasargad is accused of breaching a French database, selling the data on the dark web, and conducting disinformation operations during the 2024 Paris Olympics.
The EU stated, "Those listed today under both regimes are subject to an asset freeze, and EU citizens and companies are forbidden from making funds, financial assets, or economic resources available to them. Natural persons also face a travel ban that prohibits them from entering or transiting through EU territories."
DarkSword exploit chain compromises iOS devices.
WIRED reports that a new iOS exploit chain and payload called "DarkSword" allows malicious or compromised websites to silently compromise iOS devices that load them. iVerify, Lookout, and Google each published reports on the technique yesterday. Google says the suspected Russian espionage group UNC6353 recently began using DarkSword in watering-hole campaigns targeting Ukrainian users.
Lookout explains, "DarkSword is a complete exploit chain and infostealer written in JavaScript. It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device. The kill chain begins with Safari encountering the malicious iframe embedded in a web page. Once loaded, DarkSword breaks out of the WebContent sandbox and then leverages WebGPU to inject into mediaplaybackd. From there it can craft Kernel read/write access, which it leverages to gain access to privileged processes and modify sandbox restrictions, gaining access to restricted parts of the filesystem."
DarkSword is effective against devices running iOS 18 or earlier, meaning nearly a quarter of iPhones are exposed; updating to a current iOS release is the practical mitigation. iVerify cofounder and researcher Matthias Frielingsdorf notes that the Russian hackers who most recently used the exploit carelessly left the full code exposed on their sites, meaning "[a]nyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones."
Law enforcement dismantles major IoT botnets.
An international law enforcement operation has dismantled the infrastructure behind four IoT botnets that were used for massive DDoS attacks, KrebsOnSecurity reports. The US Justice Department, alongside law enforcement agencies in Germany and Canada, worked with the private sector to seize domains, virtual servers, and other infrastructure used by the botnets. The botnets—Aisuru, KimWolf, JackSkid, and Mossad Internet of Things—were composed of millions of IoT devices and had been used to launch record-breaking DDoS attacks. The Canadian and German law enforcement actions targeted the individuals who allegedly operated the botnets, though details haven't been released.