# Iran's Operation CLEAVER in Action

This is the attack plan used by the Iranian cyber team that hit Saudi's networks. The link is via @daveaitel, https://wikileaks.org/saudi-cables/doc129906.html

The interesting thing is that they get the target to install a tool to infect him with malware. You don't need 0day if your target downloads and runs an app from a link you supply. Clever to use a MICE approach too, "Get more money and a better job here! Just download and run this tool!"

-- @thegrugq
Source and chronology of incident:

- Social engineering activities took place to gather data about the targeted system admin (suspected to be through available info on his LinkedIn profile). [4.4 LinkedIn Profile]
- A targeted email was sent to MOFA's system admin on 14th July 2014 offering a job opportunity that meets his qualifications. [4.5 Job Offer – 14th July, 2014]
- The email had a link to download a résumé creation suite (EasyResumeCreatorPro) that submits résumés to the fake employer Teledyne. [4.6 Submitting CV – 21st July 2014]
- The targeted user was duped into submitting personal information that was captured by the malware. [4.7 Capture Credentials – 21st July 2014]
- While the user entered this information, his machine was infected with TinyZBot malware.
- The domain teledyne-jobs.com was registered by davejsmith200@outlook.com on 20th July, 2014 (the day the email was sent to MOFA's admin). The last update on the website was on 2nd December, 2014 (the same day the Operation Cleaver report was released by Cylance).
- Forensic evidence showed that the targeted user updated his résumé on 22nd July 2014, indicating interest in submitting it to the fake employer. [4.8 Updating CV – 22nd July 2014]
- Access to MOFA's network is suspected to have been carried out using anonymous FTP and SOAP (checkupdate.asmx) to suspicious servers. [4.9 FTP Connection – 25th July 2014]
- Remote access to MOFA's environment through the VPN portal using the compromised user account was detected from 25th July 2014. [4.10 Remote Connection [VPN] – 25th July 2014]
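Each step in the chronology above leaves a trace in an ordinary log source: the phishing domain in web-proxy logs, the anonymous FTP session and the SOAP call to an external server in firewall or proxy logs, and the VPN login with the compromised account in the VPN portal's authentication log. The following is an added example, not code from the paste or from the leaked report, that matches constructed sample log lines against only the indicators the chronology names (teledyne-jobs.com, checkupdate.asmx, anonymous FTP, a VPN login by the compromised account) and orders the hits into a timeline. The log format, the field names, the IP addresses, the file name of the download and the account name `mofa-admin` are assumptions made for the sample.

```python
"""
Added example (not part of the original paste or the leaked report): an
indicator matcher that runs over constructed proxy, FTP and VPN log lines and
labels the events the chronology describes, in time order. Indicator values
are the ones named in the chronology; the log format, field names, IPs and the
account name "mofa-admin" are assumptions for this sample.
"""
import re
from datetime import datetime

# Indicators taken from the chronology. The account name is an ASSUMED placeholder.
SUSPICIOUS_DOMAINS = {"teledyne-jobs.com"}
SUSPICIOUS_PATHS = {"checkupdate.asmx"}      # SOAP endpoint named in the chronology
COMPROMISED_ACCOUNTS = {"mofa-admin"}         # assumed name for the compromised admin account

# Constructed sample log lines (not real data), one simple format for every source:
# <ISO timestamp> <source> <key=value ...>
# The download file name and the server IPs are constructed, as is the assumption
# that the suite was fetched from the phishing domain itself.
SAMPLE_LOGS = """\
2014-07-14T09:12:00 proxy user=mofa-admin url=http://teledyne-jobs.com/EasyResumeCreatorPro.exe status=200
2014-07-21T10:03:00 proxy user=mofa-admin url=http://teledyne-jobs.com/submit status=200
2014-07-25T02:15:00 ftp user=anonymous dst=198.51.100.10 action=login
2014-07-25T02:16:30 proxy user=mofa-admin url=http://198.51.100.10/checkupdate.asmx status=200
2014-07-25T03:40:00 vpn user=mofa-admin src=203.0.113.7 action=login
2014-07-26T08:00:00 proxy user=other url=http://example.com/ status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one '<ts> <source> k=v k=v' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "source": m.group("source"), **fields}


def classify(event):
    """Return a chronology label for an event, or None if no indicator matches."""
    src = event["source"]
    if src == "proxy":
        url = event.get("url", "")
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if host in SUSPICIOUS_DOMAINS:
            return "contact with phishing domain"
        if any(url.endswith(p) for p in SUSPICIOUS_PATHS):
            return "SOAP call to suspicious server"
    elif src == "ftp" and event.get("user") == "anonymous":
        return "anonymous FTP to external host"
    elif src == "vpn" and event.get("user") in COMPROMISED_ACCOUNTS and event.get("action") == "login":
        return "VPN login with compromised account"
    return None


def find_findings(log_text):
    """Return (timestamp, source, label) tuples for every matching line, oldest first."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        label = classify(event)
        if label:
            findings.append((event["ts"].isoformat(), event["source"], label))
    return sorted(findings)


if __name__ == "__main__":
    for ts, source, label in find_findings(SAMPLE_LOGS):
        print(ts, source, label)
```

The point of keeping the three sources in one timeline is that none of the individual hits is conclusive on its own (an anonymous FTP session or a single VPN login is routine), whereas the sequence phishing-domain contact, outbound SOAP call, then VPN login by the same account reproduces the order the chronology reports.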