Iranian hackers compromised the UK leader Theresa May’s email account along with other 9,000 emails

Iranian hackers compromised 9,000 UK emails in ‘brute force’ cyber attack that was initially attributed to Russian state-sponsored hackers. On June 23, around 9,000 email accounts, including those belonging to Theresa May and other Cabinet Ministers, were hacked in the 12-hour “sustained and determined” attack cyber attack. “According to intelligence officials, the cyberattack “bombarded parliamentary email […]

The post Iranian hackers compromised the UK leader Theresa May’s email account along with other 9,000 emails appeared first on Security Affairs.

Iranian hackers compromised 9,000 UK emails in ‘brute force’ cyber attack that was initially attributed to Russian state-sponsored hackers.

On June 23, around 9,000 email accounts, including those belonging to Theresa May and other Cabinet Ministers, were hacked in the 12-hour “sustained and determined” attack cyber attack.

“According to intelligence officials, the cyberattack “bombarded parliamentary email accounts” but only compromised about 1 percent of the accounts it affected. The attack was initially thought to be the result of amateur hackers and not a nation-state.” reported the Hill.

According to The Times, the attack was initially attributed to Russia, but further investigation linked the offensive to Iranian hackers.

“Iran carried out a “brute force” cyberattack on parliament that hit dozens of MPs this summer, according to a secret intelligence assessment.” reported The Times

“Some 9,000 email accounts, including those belonging to Theresa May and other cabinet ministers, were subjected to a sustained attack on June 23. Ninety accounts were compromised.”

“Whitehall officials admitted it was inevitable that the hackers had obtained sensitive material,” the Times reported.

The investigation is still ongoing, for this reason, both The House of Commons and the National Cyber Security Centre did not comment the attack.

Iranian hackers hit UK parliament

The attack was discovered during a secret intelligence assessment, sources described the Iranian threat actors as “highly capable actors in the cyber world”.
“It was the not most sophisticated attack, but nor did it need to be.” a second source added. “It is possible they were simply testing their capability.”

The revelations come as Donald Trump has threatened to terminate the 2015 Iran nuclear deal if Congress and US allies fail to amend the agreement in significant ways.

The UK Prime Minister along with Angela Merkel and Emmanuel Macron insist preserving the pact due to the implications on “shared national security interest.”

A statement from the UK, France, and Germany said the International Atomic Energy Agency has “repeatedly confirmed” Iran’s compliance with the terms it signed up to.

Back to the cyber attack that hit 9,000 email accounts, there are various hypotheses about the attackers’ motivation.

The attack could be part of a wider cyber espionage campaign, but another concerning option is that Iran was trying to find embarrassing material to blackmail MPs.

Iranian hackers are becoming even more aggressive even if experts believe that they are not particularly sophisticated.

Recently we discussed the OilRig gang has been using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

Pierluigi Paganini

(Security Affairs – Iranian hackers, cyber espionage)

The post Iranian hackers compromised the UK leader Theresa May’s email account along with other 9,000 emails appeared first on Security Affairs.

Source

Advertisements

Hacker interview – Speaking with ICEMAN: Banks holes like in Cheese

The web journalist Marc Miller has interviewed one of the hackers of the ICEMAN group that claims to be behind the Operation ‘Emmental’ that targeted bank clients. Operation “Emmental” is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money […]

The post Hacker interview – Speaking with ICEMAN: Banks holes like in Cheese appeared first on Security Affairs.

The web journalist Marc Miller has interviewed one of the hackers of the ICEMAN group that claims to be behind the Operation ‘Emmental’ that targeted bank clients.

Operation “Emmental” is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.
By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steal the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.
ICEMAN group
The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported “Emmental” attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.

What was your goal of the attack?
We need more bank accounts to sell. The beauty of what we do with “Emmental”, like you call it is that we can now aim at high-end customers. That’s much bigger than the people we usually scam. Also, this whole attack was a huge challenge, we wanted to see if we could overcome something tough (security wise) and on the way make some real money. I’m the one who wrote the core of the app, perhaps.
Was it all your idea? 
Not really, some other guys on the web shared their tricks with us. They only did it for a dozen clients or so. We took it to the next step and did it on a grand scale targeting banks worldwide.

How many of these operations are you doing at the same time?
U mean different banks? Several. We mass email and mass SMS which basically sending our stuff to everyone. If it lands on a client of a bank we know and target – we’re taking him in. U have no idea how many targets we manage to obtain control on.
Where do you get information about potential targets?
Easily, we have fake identities which are established as legitimate companies, which through them we buy data from marketing companies. Using these “companies” we can do all sort of other things.
Such as? 
For example, let’s just say that companies signing mechanisms are not a wall for us as they are for other hackers.
I see, but once you get to their phone, do you need to operate each target? 
Nah, only when the verification comes in. After testing on individuals, we worked hard on automation and now we’ve got the whole thing automated on multiple servers on different cloud services. Once we were done with our infrastructure we didn’t need to do anything anymore but cashing it in and keeping the whole thing maintained.

How many attacks did you already do?
Depends on what u call an “attack”, we successfully stole from hundreds of individuals worldwide. We’re not the only ones doing it. We got some mates doing other attacks that were already reported, but I’m not really gonna say anything about them. All I say is… just wait you will see.
How could you fake an app without the bank’s attention? 
They do notice it, they let the security companies know, and then the security mobile apps blocks and removes us. At the same time, they try using law enforcement take down our C2 infrastructure and block communications to it. But that’s the game, it’s a cat and mouse game in which we currently win.

Where did you get your C2 servers? Are they yours?
For the special operations, we use unique methods we developed in-house, but for most activity we use a chain of hacked servers and rented cloud services.
How do you pay for cloud services? 
More and more companies accept BTC, in the past, it was harder.
For some ops we use our “companies” we established.
What about the language barrier? You seemed to impersonate banks worldwide.
Yeah, that was the only problem, we don’t really speak most of the languages there, so we had to improvise
What artifacts from the attack can you reveal me?
I’ll send u some screen-shots later on if my guys will approve it
Do your teammates have different roles? Or is everyone doing everything? 
I’m responsible for the phishing and the app (expert at Java). We have another member who’s a killer at the server side aspect, and another guy supplies us with infrastructure. Our top guy is a cellular genius. He knows everything related to SMS protocols, 2G or 3G communications and such, he worked on a communication company in his past, so he helps us break through the phones and get what we want. Other guys are mostly working on “speared marketing”, general programming, UI and such. We’re like a small international startup company.
Are you all sitting together? 
Nobody sits together these days. We’ve got a nice group chat with our own XMPP servers. To tell u the truth, I don’t even know where half the other guys are from. But as long as we can PGP or discuss through forums or pidgin, we’re good.

What kind of emails do you send to your victims?
Like I said, most mails we send are automated but using advanced marketing solutions like the legitimate marketing companies use. Very few are truly tailored made. For example, we might check on a target using data we acquired as mentioned earlier and see what he’s into – business or sports or whatever – and then we’ll send him something that looks officially and related to that matter. He’s going to press it since he likes it, and then we unleash our RAT on him.

Is this operation similar to Banrisul?
We don’t talk about Banrisul anymore

What are your expectations for the future and where do you want to go?
I saw numerous reports about our actions, generally the main players we should be afraid of are the Russians or the Feds, but clearly, nobody has a f**king clue on how to take us down… My intention is to go on with this until it dies out or until it will be too hard \ time consuming to maintain. It’s not like that’s our only operation…
Besides the questions above, many other questions asked were not given answers, or simply ignored. We will update on any news from our contact at the ICEMAN group.
About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.

He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

Pierluigi Paganini

(Security Affairs – ICEMAN group, op Emmental)

The post Hacker interview – Speaking with ICEMAN: Banks holes like in Cheese appeared first on Security Affairs.

Source