{"id":12058,"date":"2022-09-23T02:35:07","date_gmt":"2022-09-23T09:35:07","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=12058"},"modified":"2023-04-05T12:26:19","modified_gmt":"2023-04-05T19:26:19","slug":"cyberwar-bulletin-iran-and-albania","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/cyberwar-bulletin-iran-and-albania\/","title":{"rendered":"Cyberwar Bulletin: Iran and Albania"},"content":{"rendered":"

As the world still reels under the impact of the Ukraine-Russia cyberwar, yet another cyberwar has started between Iran and Albania.

Cyber attacks are today a serious threat. Critical infrastructure, government establishments, public sector companies, and policymakers are all repeatedly targeted by groups affiliated with nation-states. While a cyberwar has disastrous consequences for the parties directly involved, its aftermath may disrupt the business functions of those only indirectly involved as well. In rare cases, unrelated organizations bear the brunt of mass, indiscriminate rampages undertaken by organized cybercrime operators.

Iran-Albania Cyberwar Impact

The consequences of the recent Iran-Albania cyberwar began with outages of critical government services such as the embassy portal and national websites. It soon spiraled into a full-blown diplomatic incident, cutting ties between the two nations and prompting the USA to impose sanctions on Iran. Following this incident, a joint advisory was issued by cybersecurity bigwigs the FBI, CISA, NSA, and US Cyber Command, warning against Iranian threat actors.


Here is what the Prime Minister of Albania had to say about cutting off diplomatic ties with Iran:


“This extreme response … is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country.”

In the wake of the Iran-Albania cyberwar and the scare of further retaliation, Securin experts provide insights into Iranian threats that organizations need to watch out for.

Attack Timeline

Firstly, let us look at the timeline of events that triggered the cyberwar. The origins of this war appear to go back to 2014, when Albania gave shelter to an Iranian dissident group. More recently, the dissidents were reportedly involved in cyber attacks on the Iranian capital. The current war, however, escalated with Iran’s attempts to disrupt Albania’s networks.

\"\"<\/p>\n

APT Groups that have played a role

Research suggests that the successful series of attacks on Albania is the handiwork of a cluster of APT groups, all originating from Iran. The attackers gained initial access to networks via CVE-2019-0604, a SharePoint Server vulnerability, through which they exploited a misconfigured service account, and then went on to deploy ransomware, followed by wiper malware. The attackers maintained persistence in the compromised networks for months, from October 2021 until May 2022, before launching full-fledged attacks.

CVE-2019-0604 is a critical-severity vulnerability in SharePoint servers that can be exploited remotely to execute malicious code. The vulnerability is associated with the Iranian threat group DEV-0861 and the Chinese groups UNC215 and APT27. The CVE is also associated with the Hello ransomware and has been part of our ransomware research since Q1 2021. We also called out the vulnerability in our blog on FireEye’s stolen pentesting tools back in 2020.

Here are the APT groups deemed responsible: