malware – www.israelhayom.com (Israel Hayom English website)

Iranian cyber espionage exposed by US-Israeli security experts at Cybereason
https://www.israelhayom.com/2022/02/01/us-israeli-experts-expose-iranian-cyber-espionage/
Tue, 01 Feb 2022 08:50:37 +0000

Iran is using malware variants in two separate state-sponsored cyber espionage operations around the globe, the XDR (extended detection and response) cybersecurity research company Cybereason announced Tuesday.

According to Cybereason, the Iranian malware-based cyber espionage is targeting a wide range of organizations in different parts of the world. Researchers identified a previously undocumented remote access trojan (RAT) named "StrifeWater" that the company attributes to Iranian threat actor Moses Staff. This APT (advanced persistent threat) has been noted targeting organizations in the US, Israel, India, Germany, Italy, the United Arab Emirates, Chile and Turkey.

After infiltrating an organization and exfiltrating sensitive data, the attackers deploy destructive ransomware to cause operational disruptions and make forensic investigation more difficult.

Cybereason also discovered a new set of tools developed by the Phosphorus group (also known as Charming Kitten, APT35) that includes a novel PowerShell-based backdoor dubbed "PowerLess," as well as an IP address used in the attacks that was previously identified as part of the command and control (C2) for the recently documented Memento ransomware.

Cybereason CEO Lior Div (Cybereason)

Phosphorus is known for attacking medical and academic research organizations, human rights activists and the media, for exploiting known Microsoft Exchange Server vulnerabilities, and for attempting to interfere with US elections.

The company observed similar abuse of open-source tools in both Iranian cyberattack operations.

Cybereason co-founder and CEO Lior Div explained that the recently discovered Iranian cyber espionage campaigns "highlight the blurred line between nation-state and cybercrime threat actors, where ransomware gangs are more often employing APT-like tactics to infiltrate as much of a targeted network as possible without being detected, and APTs leveraging cybercrime tools like ransomware to distract, destroy and ultimately cover their tracks."

According to Div, "there is no longer a significant distinction between nation-state adversaries and sophisticated cybercriminal operations. That's why it is crucial for us as [cyber] defenders to collectively improve our detection and prevention capabilities if we are going to keep pace with these evolving threats."

Hungarian official: Gov't used Israeli-made spyware tool
https://www.israelhayom.com/2021/11/05/hungarian-official-govt-used-israeli-made-spyware-tool/
Fri, 05 Nov 2021 05:29:47 +0000

A senior official in Hungary's governing party acknowledged for the first time on Thursday that the government purchased a powerful Israeli-made spyware tool, which was allegedly used to target journalists, businesspeople and an opposition politician.

Lajos Kosa, chairman of parliament's Committee on Defense and Law Enforcement, confirmed to journalists following a closed committee session that Hungary's Interior Ministry had bought the military-grade spyware Pegasus, produced by Israel-based NSO Group.

It was the first time a Hungarian official openly acknowledged the government's use of the malware, which infiltrates phones to collect personal and location data and can surreptitiously control the phone's microphones and cameras.

An investigation by a global media consortium published in July said that Pegasus was used in Hungary to infiltrate the digital devices of a range of targets – including at least 10 lawyers, one opposition politician and several government-critical journalists.

Subsequent investigations by Hungarian investigative journalism outlet Direkt36 have suggested that at least two publishers of government-critical media, as well as a former state secretary, were also targeted with the software.

Kosa, a vice-president of Hungary's governing Fidesz party, insisted that Hungary's security services and Interior Ministry had acted legally in every case of surveillance, receiving permission either from courts or the Ministry of Justice.

Hungarian Prime Minister Viktor Orban holds a news conference in Budapest in 2018 (Reuters/Tamas Kaszas)

But opposition lawmakers have demanded an inquiry into the government's use of Pegasus, and complained that the findings of two special committee sessions examining the case – including Thursday's meeting of the Committee on Defense and Law Enforcement – had been classified by the governing party until 2050.

The alleged use of the malware against critical journalists in Hungary comes amid enduring condemnation of right-wing Prime Minister Viktor Orban from the European Union, of which Hungary is a member.

Orban's critics say he has systematically wrested Hungary's media into government control, and brought the country under increasingly autocratic rule.

In October, a spokeswoman for an EU fact-finding delegation to Hungary told journalists that the government's refusal to confirm or deny whether it was responsible for the spying was "of great concern for the European Parliament," but that there was "a clear sign that it was done by the government itself."

On Wednesday, the Biden administration announced it would place new export limits on Israel's NSO Group, the maker of Pegasus, saying its tools have been used to "conduct trans-national repression."

But Kosa told journalists on Thursday that he saw no reason to object to the government's use of Pegasus. According to Hungarian state news agency MTI, he argued that "tech giants conduct much wider surveillance" on their users than the Hungarian government had.

Report: Israeli firm's spyware used to target prominent figures worldwide
https://www.israelhayom.com/2021/07/19/report-israeli-firms-spyware-targeting-prominent-figures-across-globe/
Mon, 19 Jul 2021 05:40:05 +0000

An Israeli company's spyware was used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials and human rights activists around the world, according to an investigation by 17 media organizations published on Sunday.

One of the organizations, the Washington Post, said the Pegasus spyware licensed by Israel-based NSO Group also was used to target phones belonging to two women close to Jamal Khashoggi, a Washington Post columnist murdered at a Saudi consulate in Turkey in 2018, before and after his death.

The Guardian, another of the media outlets, said the investigation suggested "widespread and continuing abuse" of NSO's hacking software, described as malware that infects smartphones to enable the extraction of messages, photos and emails; record calls; and secretly activate microphones.

The investigation, which Reuters did not independently confirm, did not reveal who attempted the hacks or why.

NSO said its product is intended only for use by government intelligence and law enforcement agencies to fight terrorism and crime, including pedophile rings and sex- and drug-trafficking rings. It claims its software has helped save thousands of lives.

The program is designed to bypass detection and mask its activity. NSO Group's methods to infect its targets have grown so sophisticated that researchers say it can now do so without any user interaction, the so-called "zero-click" option.

The company issued a statement on its website denying the reporting by the 17 media partners led by the Paris-based journalism non-profit Forbidden Stories.

"The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the 'unidentified sources' have supplied information that has no factual basis and are far from reality," the company said in the statement.

"After checking their claims, we firmly deny the false allegations made in their report," the statement said.

NSO said its technology was not associated in any way with Khashoggi's murder.

The company also reiterated its claims that it only sells to "vetted government agencies" for use against terrorists and major criminals and that it has no visibility into its customers' data. Critics call those claims dishonest and have provided evidence that NSO directly manages the high-tech spying. They say the repeated abuse of Pegasus spyware highlights the nearly complete lack of regulation of the private global surveillance industry.

In a statement, rights group Amnesty International decried what it termed "the wholesale lack of regulation" of surveillance software.

"Until this company (NSO) and the industry as a whole can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology," the rights group said in a statement.

The targeted phone numbers were on a list provided by Forbidden Stories and Amnesty International to the 17 media organizations. It was not clear how the groups obtained the list.

The numbers on the list were not attributed, but reporters identified more than 1,000 people spanning more than 50 countries, the Washington Post said. They included several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials – including several heads of state and prime ministers.

The Guardian said the numbers of more than 180 journalists were listed in the data, including reporters, editors and executives at the Financial Times, CNN, New York Times, the Economist, Associated Press, Reuters, the Wall Street Journal, and Le Monde.

NSO Group's spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.

"We are deeply troubled to learn that two AP journalists, along with journalists from many news organizations, are among those who may have been targeted by Pegasus spyware," said Director of AP Media Relations Lauren Easton.

Last month, NSO Group published its first transparency report, in which the company said it had rejected "more than $300 million in sales opportunities as a result of its human rights review processes." Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a strident critic, tweeted: "If this report was printed, it would not be worth the paper it was printed on."

Since 2019, the UK private equity firm Novalpina Capital has controlled a majority stake in NSO Group. Earlier this year, Israeli media reported the company was considering an initial public offering, most likely on the Tel Aviv Stock Exchange.

Last week, Microsoft said it had blocked tools developed by the Israeli company, issued a software update, and worked with the Citizen Lab at the University of Toronto to investigate the NSO Group.

"A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments," Microsoft said in a blog post.

Thursday's disclosure by Microsoft was part of what the company said was a broader effort to "address the dangers" caused by hacker-for-hire companies. Microsoft is supporting Facebook in its lawsuit against NSO Group.

Facebook filed a federal civil suit in 2019 alleging that NSO Group targeted some 1,400 users of Facebook's encrypted messaging service WhatsApp with highly sophisticated spyware.

A group of employees from NSO Group filed a counter lawsuit against Facebook, saying the social media giant had unfairly blocked their private accounts when it sued NSO.

The NSO employees said their Facebook and Instagram accounts, and also those of former workers and family members, had been blocked. They petitioned the Tel Aviv District Court to order Facebook to unblock the accounts, which they claim was done abruptly and without notice.
