CyberSecurity news

Anna Ribeiro @ Industrial Cyber
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group, most likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. The attackers gained initial access through compromised VPN credentials and then deployed multiple web shells and custom backdoors throughout the infrastructure.

The group exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain its foothold. After gaining access, it installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, and it relied on in-memory loaders for Havoc and SystemBC, along with custom loaders that execute malware directly in memory, to avoid disk-based detection.

Throughout the campaign, FortiGuard Labs identified at least five novel malware families: HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising the malicious scripts as legitimate traffic, and used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation.
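One of the detection opportunities the report highlights is the tampering with legitimate OWA JavaScript files: a web server's static assets should not change outside of patch windows, so a hash baseline of those files catches an edit regardless of how the injected script is disguised. The following Python is an added illustration written for this page, not tooling from Fortinet or from the report; the `owa/scripts` tree, the watched extensions, and the tampering scenario in `demo()` are all constructed for the example.

```python
"""File-integrity baseline for web-application static files (added example).

The report notes that legitimate OWA JavaScript files were modified to capture
credentials. A defender can catch that class of change by recording SHA-256
hashes of the served files and re-checking them on a schedule. The directory
layout below is an assumption; point build_baseline() at the real web root.
"""
import hashlib
import tempfile
from pathlib import Path

# File types worth baselining on a web front end (assumed set; extend as needed).
EXTENSIONS = {".js", ".htm", ".html", ".css"}


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large assets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(baseline: dict, root: Path) -> dict:
    """Re-hash the tree and report files whose content changed, appeared, or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake OWA tree, then alter it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "owa"  # hypothetical web root, not a real Exchange path
        (root / "scripts").mkdir(parents=True)
        (root / "scripts" / "logon.js").write_text("function logon() { /* original */ }\n")
        (root / "scripts" / "util.js").write_text("function util() {}\n")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")  # not a watched type

        baseline = build_baseline(root)

        # Simulate an unauthorized change set: content appended to a legitimate
        # script, a new script dropped beside it, and one file deleted.
        with (root / "scripts" / "logon.js").open("a") as f:
            f.write("/* appended content */\n")
        (root / "scripts" / "extra.js").write_text("/* new file */\n")
        (root / "scripts" / "util.js").unlink()

        return compare_baseline(baseline, root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline dict would be written to storage the web server account cannot modify (a signed JSON file on a separate host, or a SIEM), and the comparison would run from a scheduled job or a file-integrity monitoring agent; any non-empty result outside a documented change window is worth an alert, since the report describes exactly this kind of silent edit to front-end scripts.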

References:
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
Classification:
  • HashTags: #Cybersecurity #ICS #APT
  • Company: Fortinet
  • Target: Middle East Critical Infrastructure, NATO
  • Attacker: Nebulous Mantis
  • Feature: Cyber Espionage
  • Malware: RomCom RAT
  • Type: Espionage
  • Severity: High