Ok friends, you know it's a wonderful day when you get woken up by @Bing_Chris on madness in Iran. If you haven't seen what's going on, another trollish attack played out today with gas stations in Iran not being able to dispense gas #64411
Screens on the gas pump PoS systems say 'cyberattack, 64411' in Farsi. For avid readers, this should be a throwback to the Iranian railway systems attack in July, where the attackers also directed calls to 64411, the Office of Iran's Supreme Leader, Ali Khamenei. #MeteorExpress
We were able to reconstruct the attack chain used in the Iranian railway system, a combination of well-written crafty batch scripts + an externally configurable wiper called 'Meteor'. That led us to calling this group MeteorExpress.
s1.ai/meteor
Pivoting off of our findings, folks at Check Point found a couple of earlier variants of Meteor codenamed Stardust and Comet. These 2019 samples were used for attacks on Syrian organizations with an Iranian (IRGC) nexus – Alfadelex, Cham Wings Airlines, Afrada, and Katerji.
What's interesting about the Stardust and Comet variants, as @megabeets_ pointed out, is that they contain a reference to 'Indra'. This was the name of a 'hacktivist' group that claimed responsibility for the Syrian attacks on Twitter and Facebook. It went dark in Oct 2020.
We researchers clearly injected ourselves into an awkward part of MeteorExpress' attacks. The Syrian attacks (Stardust/Comet) were under a given hacktivist persona. Then that persona is shut down, Indra references are cleaned from the code, and a new campaign begins.
The new campaign under the 'Meteor' variant isn't immediately claimed, but it coincides with the spastic appearance of multiple new 'hacktivist' groups ((A|E)dalat Ali and Gonjeshk(|e) Darande, accounting for multiple spellings) and multiple high-profile hacks.
The most notorious among them is that of Evin prison, a truly horrible place. The attackers (under the Adalat Ali persona) leaked footage of abuse of prisoners as well as the reaction of the camera operators as their malware disables the system.
We don't yet have samples specifically related to Evin prison. The best we can say is that the functionality shown in the videos matches that of the Meteor wiper (which includes screen locker with a custom image, MBR corruptor, and configurable file wiper).
These attacks are a lightning rod of infosec hot-take fodder (ICS attacks + wipers). Thankfully @HostileSpectrum took on the analysis with the appropriate nuance to keep us at bay. Restraint is the operative metric we should pay attention to here.
offensivecyber.org/2021/09/23/bal…
This latest attack not only includes the gas pumps but also electronic billboards with questions like– 'Khamenei! Where is our gas?' and 'Free gas in Jamaran gas station' as reported by AP @jongambrellAP
abcnews.go.com/International/…
Some immediately jumped to the conclusion that this is Israel paying Iran back for recent spats. I wouldn't jump to that conclusion. The idea that this is legitimate hacktivism is hard to swallow–mostly due to the targeting and style of operations + quality of batch scripts.
While I also don't think that the U.S. is involved in this, reporting has glossed over the fact that the wipers are rife with debug strings that are all written in *perfect English*. If you're familiar with threat research, you should recognize that as a noteworthy anomaly.
Given now more widespread revelations of the diversity of threat actors in the region and their propensity for acquiring foreign tooling (the UAE/DarkMatter situation being an obvious example), we'd be remiss to jump to attributory conclusions (Saudis? Jordanians? Emiratis? ... etc.)
Finally, it's important to add another layer of concern with how the 'hacktivist' fronts are now actively courting journalists, with the latest Gonjeshke Darande account tagging prominent journos in cyber. (Note that this is their second Twitter account and possibly a copycat.)
Now that we are all on the same page, this is where the fun starts. Time to do some hunting. Will update with any findings. #HappyHunting #VTday

Thread by J. A. Guerrero-Saade (@juanandres_gs)
