Windows 10 News and info | Forum
June 04, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Iranian Hackers Hit Over 60 Universities to Get Library Access  (Read 94 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 31455

I Do Windows

WWW Email
« on: September 12, 2019, 11:17:51 AM »

Cobalt Dickens, a threat actor associated with the Iranian government, ran a phishing operation in July and August that targeted more than 60 universities in countries on four continents.

Security researchers say that the group's hacking activity affected at least 380 universities in more than 30 countries, many of the targets being hit multiple times.

Free domains and TLS certs

The latest phishing campaign was directed at organizations in Australia, Hong Kong, the U.S., Canada, the U.K., and Switzerland. It used at least 20 new domain names registered using the Freenom service that offers free top-level domain names (.ml, .ga, .cf, .gq, .tk).

A fraudulent email Cobalt Dickens sent to people with access to the library of the targeted university, shows a message that prompted to reactivate the account by following a spoofed link.

Using a spoofed link is a change in the modus operandi as previous campaigns from the group relied on shortened URLs to direct to the fake login page.

Following the fake link leads "to a web page that looks identical or similar to the spoofed library resource," say researchers from Secureworks' Counter Threat Unit (CTU).

Once the credentials are provided, they are stored in a file named 'pass.txt' and the browser loads the genuine university website.

To cancel suspicions of fraudulent activity, the threat actor often uses valid TLS certificates for its websites. Most of the certificates observed in this campaign are free, issued by the Let's Encrypt non-profit certificate authority.

Unconcerned by public exposure

Also known as Silent Librarian, the group focuses on compromising educational institutions, although its victims count private sector companies, too. Its purpose seems to be stealing library account credentials and selling academic resources as well as access to them to customers in Iran.

Nine individuals believed to have roles in the group's activity were indicted by the US Department of Justice in March 2018 for cyber intrusion activities. It is believed that they were partners or hacker-for-hire for a company called Mabna Institute that carried hacking operations since at least 2013.

Many of the intrusions were allegedly committed for the Islamic Revolutionary Guard Corps (IRGC), an entity in the government charged with collecting intelligence.

Their targets were "computer systems belonging to 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies."

The list of targets also includes the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.

It is alleged that the hackers stole more than 31 terabytes of documents and data from victims across the globe. However, despite the indictment in the U.S. and public exposure, Cobalt Dickens seems to be undeterred in its operations.

In an effort to put the brakes on the threat actor's operations, Secureworks published all known domains associated with Cobalt Dickens.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page April 01, 2020, 10:05:22 PM