Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Iranian Hackers Abusing Known Bug In Microsoft’s MSHTML

An Iranian threat actor is stealing Instagram and Google credentials of Farsi-speaking individuals around the world. The threat group is using a new PowerShell-based stealer, PowerShortShell, for this campaign.

What has happened?

PowerShortShell was used for Telegram surveillance and gathering system details from infected devices. The information is sent back to attacker-controlled servers.

  • The attacks started in July via spear-phishing emails that targeted Windows users with Winword attachments. They exploited a remote code execution flaw (CVE-2021-40444) in MSHTML that was disclosed months ago.
  • This flaw was exploited to gain initial access and deliver Cobalt Strike Beacon loaders.
  • The stealer payload is executed by a DLL downloaded on the infected systems. Once executed, the PowerShell script collects data and then sends it to the C2 server of attackers.

A connection to Iran

  • Based on the content of a malicious document, which blames Iran’s leader for the Corona massacre, and the nature of collected data, researchers arrived at an assumption that victims might be Iranians living abroad and are a threat to Iran’s regime.
  • Additionally, the attacker might be linked to Iran since Telegram surveillance is often performed by Iranian-based attackers such as Rampant Kitten, Infy, and Ferocious Kitten.

Who are they targeting?

Almost half of the victims are based in the U.S. (45.8%), followed by the Netherlands (12.5%), Russia (8.3%), Canada (8.3%), Germany (8.3%), India (4.2%), the U.K (4.2%), Korea (4.2%), and China (4.2%).

Conclusion

Cybercriminals are now actively using the exploiting CVE-2021-40444 vulnerability, which has impacted people across several continents. Therefore, exports recommend organizations implement a robust patch program and deploy reliable anti-malware solutions.

Source: https://cyware.com/news/iranian-hackers-abusing-known-bug-in-microsofts-mshtml-b3c4dbcc

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

It was a big year for cybersecurity in 2022 with massive cyberattacks and data breaches, innovative phishing attacks, privacy concerns, and of course, zero-day...

Cyber Security

A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings...

Cyber Security

Microsoft is developing a patch for two actively exploited zero-day vulnerabilities in Microsoft Exchange Server. The flaws, tracked as CVE-2022-41040 and CVE-2022-41082, were discovered in Microsoft’s enterprise...

Cyber Security

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. MS-SQL servers are database management systems holding...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO