"Iranian Hackers Hid in Albanian Networks for Over a Year"

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently released a joint alert shedding more light on the campaign that led Albania to sever diplomatic ties with Iran. According to CISA, state-backed Iranian threat actors remained undetected inside an Albanian government network for 14 months before deploying destructive malware in July 2022. CISA identified the attack group as the state-sponsored “HomeLand Justice.” The group gained initial access by exploiting CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint. The vulnerability, which has a CVSS score of 8.6, was flagged by the UK’s National Cyber Security Centre (NCSC) in October 2020. CISA noted that a few days after gaining network access, the threat actors moved into a persistence and lateral movement phase, using several .aspx webshells for persistence and RDP, SMB and FTP for lateral movement. Between one and six months after initial access, they compromised a Microsoft Exchange account and began probing for an administrator account. US authorities said HomeLand Justice exfiltrated significant volumes of email data and also compromised two victim VPN accounts. Finally, 14 months after the start of the operation, the actors deployed a ransomware-style file encryptor and disk-wiping malware. CISA noted that the campaign appears to have been a response to Albania’s sheltering of the Iranian opposition group Mujahideen-e-Khalq (MEK).
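The alert's persistence detail (.aspx webshells dropped on a SharePoint server after the CVE-2019-0604 exploit) is the part of this chain a defender can hunt for in ordinary IIS logs. The script below is an added illustration written for this page; it is not CISA's detection guidance and uses none of the alert's indicators. The log lines, the baseline of known .aspx pages, the file name helper.aspx and the IP addresses are all constructed. It flags .aspx pages absent from a known-clean baseline, unauthenticated POSTs to them, scripted user-agents, and repeated interaction from one client, which together are the typical footprint of a webshell being driven remotely.

```python
"""Hunt IIS W3C log lines for webshell-like activity against SharePoint.

Added example for this page, not code from CISA's alert. Every log line,
path, host and address below is constructed for illustration.
"""
import re
from collections import defaultdict

# Field order of the constructed W3C log below (IIS replaces spaces in the
# user-agent with '+', so each field is a single whitespace-separated token).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "c_ip", "user_agent", "status"]

# Constructed sample: two legitimate requests from an authenticated user,
# then a remote client repeatedly POSTing commands to an unknown .aspx page.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-07-10 01:02:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.1.20 Mozilla/5.0 200
2022-07-10 01:02:10 10.0.0.5 POST /_layouts/15/upload.aspx - 443 DOMAIN\alice 10.0.1.20 Mozilla/5.0 200
2022-07-10 03:15:44 10.0.0.5 POST /_layouts/15/images/helper.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.28 200
2022-07-10 03:15:50 10.0.0.5 POST /_layouts/15/images/helper.aspx cmd=net+user 443 - 203.0.113.7 python-requests/2.28 200
2022-07-10 03:16:01 10.0.0.5 POST /_layouts/15/images/helper.aspx cmd=ipconfig 443 - 203.0.113.7 python-requests/2.28 200
"""

# Constructed baseline of .aspx pages seen in a known-clean period. In
# practice derive this from weeks of pre-intrusion logs or from a file
# inventory of the SharePoint install, and keep the comparison case-insensitive
# because IIS paths are.
BASELINE_ASPX = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/upload.aspx",
    "/_layouts/15/viewlsts.aspx",
}
_BASELINE_LC = {p.lower() for p in BASELINE_ASPX}

# User-agent fragments typical of scripted tooling rather than a browser.
SCRIPTED_UA = re.compile(r"python-requests|curl/|powershell|go-http-client", re.I)


def parse_line(line):
    """Turn one W3C log line into a dict, skipping directives and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def score_request(rec):
    """Return the list of heuristics a single .aspx request trips (empty if none)."""
    reasons = []
    stem = rec["uri_stem"].lower()
    if not stem.endswith(".aspx"):
        return reasons
    if stem not in _BASELINE_LC:
        reasons.append("aspx page not in baseline")
    if rec["method"] == "POST" and rec["username"] == "-":
        reasons.append("unauthenticated POST")
    if SCRIPTED_UA.search(rec["user_agent"]):
        reasons.append("scripted user-agent")
    return reasons


def hunt(log_text, min_hits=2):
    """Aggregate suspicious requests per (client ip, page).

    A pair is reported when it trips at least two different heuristics or the
    same client keeps coming back to the page (>= min_hits), so a one-off
    request to a page that merely missed the baseline does not page anyone.
    """
    findings = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_request(rec)
        if reasons:
            key = (rec["c_ip"], rec["uri_stem"])
            findings[key]["hits"] += 1
            findings[key]["reasons"].update(reasons)
    return {k: v for k, v in findings.items()
            if len(v["reasons"]) >= 2 or v["hits"] >= min_hits}


if __name__ == "__main__":
    for (ip, path), info in hunt(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {info['hits']} hits; "
              f"{', '.join(sorted(info['reasons']))}")
```

Run against a real log export, feed a baseline built from logs that predate the suspected intrusion window; a baseline built from the compromised period would already contain the shell. Any page this flags should then be pulled from disk and compared with the SharePoint install media, since the log only shows that something answered at that path, not what the file contains.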

Infosecurity reports: "Iranian Hackers Hid in Albanian Networks for Over a Year"
