Middle East aerospace and defense sectors hit by Iranian UNC1549 hackers

admin, 29 February 2024 12:21:29 · 19 views · 3601 characters · 12 min read


A new set of attacks targeting the aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E., has been attributed with medium confidence to an Iran-nexus threat actor tracked as UNC1549.


Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.


UNC1549 is said to overlap with Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC) affiliated group which is also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.


"This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024," the company said. "While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide."


The attacks entail the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering involving job-related lures to deliver two backdoors dubbed MINIBIKE and MINIBUS.


The spear-phishing emails are designed to disseminate links to fake websites containing Israel-Hamas related content or phony job offers, resulting in the deployment of a malicious payload. Also observed are bogus login pages mimicking major companies to harvest credentials.


The custom backdoors, upon establishing C2 access, act as a conduit for intelligence collection and for further access into the targeted network. Another tool deployed at this stage is a tunneling software called LIGHTRAIL that communicates using Azure cloud.


MINIBIKE is written in C++ and supports file exfiltration and upload as well as command execution, while MINIBUS serves as a more "robust successor" with enhanced reconnaissance features.


"The intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations," Mandiant said.


"The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity."

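The cloud-hosted C2 Mandiant describes above is hard to block by destination alone, because the traffic terminates in Azure address space that legitimate workloads also use, but an implant's check-in cadence is still visible in proxy logs. The following is an added example (not code from Mandiant or the original article) of a jitter-tolerant beaconing check run over constructed proxy log lines: it groups connections per client and cloud-hosted destination and flags pairs whose inter-connection intervals have a low coefficient of variation. The cloud suffixes, hostnames, client IPs and log format are assumptions made for the example; the report summarized here publishes no indicators.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Cloud-hosting suffixes to watch. These are assumptions for the example;
# the report summarized above publishes no domains, and a real deployment
# should take this list from its own CTI feed.
CLOUD_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
)

# Proxy log line shape assumed by this example:
#   <ISO-8601 timestamp> <client-ip> <destination-host> <http-status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "host": m["host"].lower().rstrip("."),
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def is_cloud_hosted(host):
    """True when the destination sits under one of the watched cloud suffixes."""
    return any(host.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def find_beacons(lines, min_events=6, max_cv=0.15):
    """Flag (client, host) pairs whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a low value means a fixed sleep with little jitter,
    which is how most implants check in. Only cloud-hosted destinations are
    considered, mirroring the C2 pattern described above.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cloud_hosted(rec["host"]):
            continue
        by_pair[(rec["src"], rec["host"])].append(rec["ts"])

    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({
                "src": src,
                "host": host,
                "events": len(stamps),
                "mean_interval_s": round(mean_gap, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


# Constructed sample log (not real telemetry): one client checking in roughly
# every minute to an Azure-hosted name, one client with bursty, human-looking
# traffic to blob storage, a regular pattern to a non-cloud name that this rule
# deliberately ignores, and one malformed line that the parser skips.
SAMPLE_LOG = """\
2024-02-20T09:00:00 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:00:00 10.1.1.25 www.example.com 200 4096
2024-02-20T09:00:00 10.1.1.40 files-share.blob.core.windows.net 200 81920
2024-02-20T09:00:05 10.1.1.40 files-share.blob.core.windows.net 200 65536
2024-02-20T09:01:00 10.1.1.25 www.example.com 200 4096
2024-02-20T09:01:02 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:01:58 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:02:00 10.1.1.25 www.example.com 200 4096
2024-02-20T09:03:01 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:04:00 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:05:03 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:05:59 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:07:01 10.1.1.25 updates-portal.azurewebsites.net 200 512
2024-02-20T09:12:30 10.1.1.40 files-share.blob.core.windows.net 200 120000
2024-02-20T09:13:00 10.1.1.40 files-share.blob.core.windows.net 200 3000
2024-02-20T09:40:00 10.1.1.40 files-share.blob.core.windows.net 200 900
2024-02-20T09:41:10 10.1.1.40 files-share.blob.core.windows.net 200 900
2024-02-20T09:41:12 10.1.1.40 files-share.blob.core.windows.net 200 900
this line is garbage and is skipped
"""


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed sample only the 10.1.1.25 to updates-portal.azurewebsites.net pair is flagged (8 events, about 60 s apart, CV around 0.05); the blob-storage traffic has the same destination family but irregular gaps and is left alone. The thresholds are a starting point, not a verdict: update agents and telemetry clients also beacon, so treat a hit as a pivot into the client's process and user context, and widen the window well beyond an hour for implants that sleep for long periods.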

CrowdStrike, in its Global Threat Report for 2024, described how "faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as 'pro-Palestinian' focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023."


This includes Banished Kitten, which unleashed the BiBi wiper malware, and Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping activity against more than 20 companies' industrial control systems (ICS) in Israel.


That said, Hamas-linked adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm has attributed to likely power and internet disruptions in the region.


Originally published on the WeChat public account 知机安全 under the title "Middle East aerospace and defense sectors hit by Iranian UNC1549 hackers".

Posted by admin on 29 February 2024 12:21:29. When reposting, keep the link to this article (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2536419.html
