cephurs

opcleaver via thegrugq

Jun 19th, 2015
# Iran's Operation CLEAVER in Action

This is the attack plan used by the Iranian cyber team that hit Saudi's networks. The link is via @daveaitel, https://wikileaks.org/saudi-cables/doc129906.html

The interesting thing is that they get the target to install a tool to infect him with malware. You don't need 0day if your target downloads and runs an app from a link you supply. Clever to use a MICE approach too, "Get more money and a better job here! Just download and run this tool!"

-- @thegrugq

Source and chronology of incident:

- Social engineering activities took place to gather data about the targeted system admin (suspected to be through available info on his LinkedIn profile). [4.4 LinkedIn Profile]
- A targeted email was sent to MOFA's system admin on 14th July 2014 offering a job opportunity that meets his qualifications. [4.5 Job Offer – 14th July, 2014]
- The email had a link to download a résumé creation suite (EasyResumeCreatorPro) that submits résumés to the fake employer Teledyne. [4.6 Submitting CV – 21st July 2014]
- The targeted user was duped into submitting personal information that was captured by the malware. [4.7 Capture Credentials – 21st July 2014]
- While the user entered this information, his machine was infected with TinyZBot malware.
- The domain teledyne-jobs.com was registered by davejsmith200@outlook.com on 20th July, 2014 (the day the email was sent to MOFA's admin). The last update on the website was on 2nd December, 2014 (the same day the Operation Cleaver report was released by Cylance).
- Forensic evidence showed that the targeted user updated his resume on 22nd July 2014, indicating his interest in submitting it to the fake employer. [4.8 Updating CV – 22nd July 2014]
- Access to MOFA's network is suspected to have been carried out using anonymous FTP and SOAP (checkupdate.asmx) to suspicious servers. [4.9 FTP Connection - 25th July 2014]
- Remote access to MOFA's environment through the VPN portal using the compromised user account has been detected since 25th July 2014. [4.10 Remote Connection [VPN] - 25th July 2014]