Ethical Hacking News
Iranian state-sponsored hackers maintained access to a critical national infrastructure (CNI) organization in the Middle East for nearly two years by exploiting security flaws in virtual private network (VPN) appliances and deploying custom malware. The intrusion was attributed to the threat group tracked as Lemon Sandstorm, whose tradecraft overlaps with that of other known Iranian nation-state actors. The operators obtained Microsoft 365 credentials through spear-phishing, exploited known Biotime vulnerabilities, and used custom malware families to retrieve commands, harvest credentials, and deploy backdoors, all while maintaining persistence and avoiding detection. The breach highlights the importance of robust cybersecurity measures, in particular patching VPN security flaws and detecting malware.
Iranian hackers maintained access to a critical national infrastructure (CNI) organization in the Middle East for nearly two years by exploiting virtual private network (VPN) security flaws and deploying malware. The breach, which began at least as early as May 2023 and continued until February 2025, was attributed to an Iranian state-sponsored threat group tracked as Lemon Sandstorm (formerly Rubidium) and also known as Parisite, Pioneer Kitten, and UNC757.
The attack, which entailed extensive espionage operations and network prepositioning, was characterized by its use of tradecraft overlaps with other known Iranian nation-state threat actors. The FortiGuard Incident Response (FGIR) team noted that the attack exhibited "a sophisticated approach to maintaining persistence and avoiding detection," using chained proxies and custom implants to bypass network segmentation and move laterally within the environment.
The intrusion was carried out by an individual or group of individuals who kept consistent work schedules, using a combination of hands-on-keyboard operations and spear-phishing attacks to obtain Microsoft 365 credentials. The attackers also exploited known Biotime vulnerabilities (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952) and later attempted to re-enter the network by exploiting the same vulnerabilities.
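The "consistent work schedules" observation above is the kind of signal an incident responder derives from timestamps rather than from malware samples. The following is an added example, not code from the article or from FortiGuard, of a small timing-analysis helper that bins a suspicious account's events by hour of day and weekday and reports how tightly they cluster into one daily block. The log format, account name, hosts and timestamps are constructed for the example; which days count as the weekend is a parameter, since that differs by region.

```python
"""Added example (not part of the original article): test whether a
suspicious account's activity clusters into a fixed daily working block,
a sign of a hands-on-keyboard operator rather than automated beaconing.
All log lines below are constructed; nothing here is from the incident."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events: "<ISO-8601 UTC timestamp> <user> <event>"
SAMPLE_LOG = """\
2024-03-04T05:12:41Z svc_backup vpn_login
2024-03-04T06:48:03Z svc_backup smb_session
2024-03-04T11:30:19Z svc_backup vpn_login
2024-03-05T05:40:57Z svc_backup vpn_login
2024-03-05T09:02:10Z svc_backup smb_session
2024-03-06T06:05:33Z svc_backup vpn_login
2024-03-06T12:51:08Z svc_backup vpn_logout
2024-03-07T05:27:46Z svc_backup vpn_login
2024-03-07T10:14:22Z svc_backup smb_session
2024-03-09T07:03:00Z svc_backup vpn_login
2024-03-11T05:55:12Z svc_backup vpn_login
2024-03-11T08:20:45Z svc_backup smb_session
2024-03-12T06:31:29Z svc_backup vpn_login
2024-03-13T05:49:51Z svc_backup vpn_login
2024-03-13T11:07:38Z svc_backup smb_session
"""


def parse_events(text):
    """Yield (datetime, user, event) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, user, event


def activity_profile(text, user):
    """Count one user's events per UTC hour-of-day and per weekday (0 = Monday)."""
    hours, weekdays = Counter(), Counter()
    for when, who, _ in parse_events(text):
        if who == user:
            hours[when.hour] += 1
            weekdays[when.weekday()] += 1
    return hours, weekdays


def schedule_score(hours, window=8):
    """Return (fraction, start_hour): the share of events inside the busiest
    contiguous `window`-hour block (wrapping past midnight) and where that
    block starts. Near 1.0 means activity is confined to a fixed daily
    block, as an operator's shift would be; beaconing spread across the
    whole day scores close to window/24."""
    total = sum(hours.values())
    if total == 0:
        return 0.0, None
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hours[(start + i) % 24] for i in range(window))
        if count > best_count:
            best_start, best_count = start, count
    return best_count / total, best_start


def weekend_fraction(weekdays, weekend_days=(5, 6)):
    """Share of events falling on the given weekend days (default Sat/Sun;
    pass (4, 5) for a Friday/Saturday weekend)."""
    total = sum(weekdays.values())
    if total == 0:
        return 0.0
    return sum(weekdays[d] for d in weekend_days) / total


if __name__ == "__main__":
    hrs, wds = activity_profile(SAMPLE_LOG, "svc_backup")
    score, start = schedule_score(hrs)
    print(f"{score:.2f} of events inside an 8h block starting {start:02d}:00 UTC")
    print(f"weekend share (Sat/Sun): {weekend_fraction(wds):.2f}")
```

Run on its own, the constructed sample puts every event inside a single 05:00 to 13:00 UTC block with one weekend event, which is the shape a responder would flag as human working hours; a 24-hour beacon with one event per hour scores only 8/24 under the same window.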
A total of six custom malware families were used in the attack: HanifNet, HXLibrary, CredInterceptor, RemoteInjector, RecShell, and NeoExpressRAT. These malware tools were designed to retrieve and execute commands from a Command-and-Control (C2) server, harvest credentials, and deploy backdoors into the network.
Known security flaws in VPN products from Fortinet, Pulse Secure, and Palo Alto Networks were identified as the key vulnerabilities exploited by the attackers. The attackers also used web shells, including RecShell and DropShell, for initial reconnaissance and to deploy additional malware tools.
Despite efforts to contain and remediate the breach, the attackers continued to rely on the same tactics, techniques, and procedures (TTPs) seen in their previous attacks, and that persistence let them retain access to the network for an extended period.
The breach raises significant concerns about the security of CNI networks in the Middle East and highlights the need for robust cybersecurity measures to protect against such threats. The use of VPN security flaws and malware underscores the importance of regularly updating software and patching known vulnerabilities.
The attack also demonstrates the sophistication of Iranian nation-state threat actors, who have been linked to a range of high-profile attacks in recent years. The breach serves as a reminder that no network is completely secure, and that even the most robust cybersecurity measures can be compromised by determined attackers.
In conclusion, the Iranian hackers' 2-year breach of Middle Eastern CNI highlights the importance of maintaining vigilance and proactive cybersecurity measures to protect against such threats. By understanding the tactics, techniques, and procedures used by nation-state threat actors, organizations can better prepare themselves to defend against future attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Iranian-Hackers-2-Year-Breach-of-Middle-Eastern-CNI-A-Cautionary-Tale-of-VPN-Flaws-and-Malware-ehn.shtml
Published: Sat May 3 06:41:50 2025 by llama3.2 3B Q4_K_M