fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New destructive Meteor wiper malware used in Iranian railway attack

New destructive Meteor wiper malware used in Iranian railway attack

A new file wiping malware called Meteor was discovered used in the recent attacks against Iran’s railway system.

Earlier this month, Iran’s transport ministry and national train system suffered a cyberattack, causing the agency’s websites to shut down and disrupting train service. The threat actors also displayed messages on the railway’s message boards stating that trains were delayed or canceled due to a cyberattack.

Some of these messages told passengers to call a phone number for more information, which is for the office of Supreme Leader Ali Khamenei.

Also Read: 4 Reasons Why You Need an Actively Scanning Antivirus Software

Hackers posting messages to the railway's message boards
Hackers posting messages to the railway’s message boards
Source: Twitter

In addition to trolling the railway, the threat actors locked Windows devices on the network with a lock screen that prevented access to the device.

New Meteor wiper used in Iran attacks

In a new report by SentinelOne, security researcher Juan Andres Guerrero-Saade  revealed that the cyberattack on Iran utilized a previously unseen file wiper called Meteor.

A wiper is malware that intentionally deletes files on a computer and causes it to become unbootable.

Unlike ransomware attacks, destructive wiper attacks are not used to generate revenue for the attackers. Instead, their goal is to cause chaos for an organization or to distract admins while another attack is taking place.

While Iranian cybersecurity firm Aman Pardaz previously analyzed the wiper, SentinelOne could find additional missing components to provide a clearer picture of the attack.

“Despite a lack of specific indicators of compromise, we were able to recover most of the attack components described in the post along with additional components they had missed,” explains Guerrero-Saade in SentinelOne’s research.

“Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker.”

The attack itself is dubbed ‘MeteorExpress,’ and utilizes a toolkit of batch files and executables to wipe a system, lock the device’s Master Boot Record (MBR), and install a screen locker.

MeteorExpress attack chain
MeteorExpress attack chain
Source: SentinelOne

To start the attack, threat actors extracted a RAR archive protected with the ‘hackemall’ password. The attackers then added these files to a network share accessible to the rest of the computers on the Iranian railway’s network.

The threat actor then configured Windows group policies to launch a setup.bat batch file that would then copy various executables and batch files to the local device and execute them.

Setup.bat batch file
Setup.bat batch file
Source: SentinelOne

As part of this process, the batch files would go through the following steps:

  • Check if Kaspersky antivirus was installed and terminate the attack if found.
  • Disconnect the device from the network.
  • Add Windows Defender exclusions to prevent the malware from being detected.
  • Extract various malware executables and batch files to the system.
  • Clear Windows event logs.
  • Delete a scheduled task called ‘AnalyzeAll’ under the Windows Power Efficiency Diagnostics directory.
  • Use Sysinternals ‘Sync’ tool to flush the filesystem cache to the disk.
  • Launche the Meteor wiper (env.exe or msapp.exe), MBR locker (nti.exe), and screen locker (mssetup.exe) on the computer.

When completed, the device will be unbootable, its file deleted, and a screen locker installed that displays the following wallpaper background before the computer is rebooted for the first time.

MeteorExpress screen locker
MeteorExpress screen locker
Source: SentinelOne

While SentinelOne was unable to find the ‘nti.exe’ MBR locker, the researchers from Aman Pardaz claim that it shares overlap with the notorious NotPetya wiper.

“One interesting claim in the Padvish blog is that the manner in which nti.exe corrupts the MBR is by overwriting the same sectors as the infamous NotPetya,” explained Guerrero-Saade.

“While one’s first instinct might be to assume that the NotPetya operators were involved or that this is an attempt at a false flag operation, it’s important to remember that NotPetya’s MBR corrupting scheme was mostly cribbed from the original Petya used for criminal operations.”

Initially thought to be a ransomware attack, NotPetya was a wiper that wreaked havoc across the globe in 2017 by spreading to exposed networks via NSA’s ETERNALBLUE exploit and encrypting devices.

In 2020, the USA indicted six Russian GRU intelligence operatives believed to be part of the elite Russian hacking group known as “Sandworm” for the NotPetya attack.

At this time, the motive for the Meteor wiper attacks on Iran’s railway is not clear, and the attacks have not been attributed to any particular group or country.

“We cannot yet make out the shape of this adversary across the fog. Perhaps it’s an unscrupulous mercenary group. Or the latent effects of external training coming to bear on a region’s nascent operators,” concludes SentinelOne’s report.

“At this time, any form of attribution is pure speculation and threatens to oversimplify a raging conflict between multiple countries with vested interests, means, and motive.”

Also Read: What is Social Engineering and How Does it Work?

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us