U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Iran-linked Silent Librarian APT targets universities again

Iran-linked cyberespionage group Silent Librarian has launched a new phishing campaign aimed at universities around the world. Iran-linked APT group Silent Librarian has launched another phishing campaign targeting universities around the world. The Silent Librarian, also tracked as Cobalt Dickens and TA407, targeted tens of universities in four continents in the last couple of years. In […]

Silent Librarian

Iran-linked cyberespionage group Silent Librarian has launched a new phishing campaign aimed at universities around the world.

Iran-linked APT group Silent Librarian has launched another phishing campaign targeting universities around the world.

The Silent Librarian, also tracked as Cobalt Dickens and TA407, targeted tens of universities in four continents in the last couple of years.

In August 2018, the security firm SecureWorks uncovered a phishing campaign carried out by the APT group targeting universities worldwide. The operation involved sixteen domains hosting more than 300 spoofed websites for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Since mid-September, researchers from Malwarebytes observed a new spear-phishing campaign carried out by the group that is expanding its target list to include more countries.

Silent Librarian hackers targeted both employees and students at the universities, experts noticed that the threat actor set up a new infrastructure to avoid a takeover.

“Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded,” states Malwarebytes. “The new domain names follow the same pattern as previously reported, except that they swap the top level domain name for another.”

The threat actor used domain names following a pattern observed in past campaigns, although they use a different top-level domain name (the “.me” TLD instead of “.tk” and “.cf”).

Silent Librarian

The hackers use Cloudflare for phishing hostnames in an attempt to hide the real hosting origin. Anyway, Malwarebytes was able to identify some of the infrastructure which was located in Iran, likely because it is considered a bulletproof hosting option due to the lack of cooperation between US and European law enforcement and local police in Iran.

“Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once,” Malwarebytes concludes.

The security firm also published Indicators of Compromise (IoCs) for this campaign.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Silent Librarian)

[adrotate banner=”5″]

[adrotate banner=”13″]