November 6, 2023 at 06:54AM
Since January 2023, an Iranian advanced persistent threat (APT) group called Agrius, also known as Agonizing Serpens, BlackShadow, Pink Sandstorm, and DEV-0022, has been targeting higher education and technology organizations in Israel. The group, believed to be sponsored by the Iranian government, is engaging in espionage and destructive attacks, mainly against entities in Israel and the United Arab Emirates. They have used various techniques, including deploying wipers to cover their tracks and stealing personally identifiable information and intellectual property. This group has shown an emphasis on stealth and evasive techniques to bypass security solutions.
Key Takeaways from Meeting Notes:
1. Since January 2023, an Iranian advanced persistent threat (APT) actor known as Agrius has been targeting higher education and technology organizations in Israel with wipers.
2. The APT actor has been active since at least 2020 and is believed to be sponsored by the Iranian government.
3. The threat actor has been launching espionage and destructive attacks mainly in Israel and the United Arab Emirates, but has also targeted a diamond industry firm in South Africa.
4. From January to October 2023, Agrius launched an offensive campaign targeting education and tech organizations in Israel to steal personally identifiable information (PII) and intellectual property, using wipers to cover its tracks.
5. Agrius exploited vulnerable web-facing servers and deployed multiple web shells for initial access, using various PoC exploits, pentesting tools, and custom utilities to bypass protections.
6. The APT actor used publicly available tools for reconnaissance, credential theft, lateral movement, and data exfiltration.
7. The Sqlextractor utility was used to query SQL databases and harvest sensitive information.
8. Agrius attempted to execute three different wipers during the attack, all showing code similarities with previous Agrius wipers.
9. The wipers used by Agrius included MultiLayer, PartialWasher, and BFG Agonizer, each with different functionalities and techniques to erase files and prevent recovery.
10. Agrius attempted to bypass endpoint detection using multiple techniques and upgraded its capabilities to focus on stealth and evasion.
11. Palo Alto Networks concludes that Agrius has upgraded its capabilities to bypass security solutions like EDR technology.
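Takeaways 8 and 9 describe wipers whose purpose is to erase files across a host quickly and prevent recovery. A defender's first-line heuristic for that behaviour is to look for a single process that overwrites or deletes many distinct files across many distinct directories inside a short window, which legitimate bulk writers (backup jobs, office applications) rarely do. The script below is an added example and is not code from the Unit 42 report or from any Agrius tooling; the pipe-separated audit-event format, the process names, the paths and the thresholds are all constructed assumptions for illustration.

```python
"""Wiper-like file activity heuristic over constructed file-system audit events.

Added example, not from the report. Event format assumed: "time|pid|process|action|path".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

DESTRUCTIVE = {"WRITE", "DELETE", "RENAME"}   # actions a wiper relies on
WINDOW = timedelta(seconds=60)                 # assumed sliding window
MIN_FILES = 5                                  # assumed: distinct files in one window
MIN_DIRS = 3                                   # assumed: distinct directories in one window

# Constructed sample events (not from the report). pid 4120 and 5001 are benign
# patterns (few files, or many files in a single directory); pid 9912 is the
# wiper-like pattern (many files spread over many directories in seconds).
SAMPLE_EVENTS = r"""
2023-03-01T10:00:00|4120|excel.exe|WRITE|C:\Users\a\Documents\q1.xlsx
2023-03-01T10:05:00|4120|excel.exe|WRITE|C:\Users\a\Documents\q2.xlsx
2023-03-01T10:10:00|5001|backup.exe|WRITE|D:\Backup\2023\db1.bak
2023-03-01T10:10:02|5001|backup.exe|WRITE|D:\Backup\2023\db2.bak
2023-03-01T10:10:04|5001|backup.exe|WRITE|D:\Backup\2023\db3.bak
2023-03-01T10:10:06|5001|backup.exe|WRITE|D:\Backup\2023\db4.bak
2023-03-01T10:10:08|5001|backup.exe|WRITE|D:\Backup\2023\db5.bak
2023-03-01T10:10:10|5001|backup.exe|WRITE|D:\Backup\2023\db6.bak
2023-03-01T10:20:00|9912|hostsvc.exe|WRITE|C:\Users\a\Documents\thesis.docx
2023-03-01T10:20:01|9912|hostsvc.exe|WRITE|C:\Users\a\Pictures\img1.jpg
2023-03-01T10:20:02|9912|hostsvc.exe|WRITE|C:\Users\b\Desktop\notes.txt
2023-03-01T10:20:03|9912|hostsvc.exe|WRITE|D:\Data\students.csv
2023-03-01T10:20:04|9912|hostsvc.exe|DELETE|C:\Users\a\Documents\thesis.docx
2023-03-01T10:20:05|9912|hostsvc.exe|WRITE|C:\Program Files\App\config.ini
2023-03-01T10:20:06|9912|hostsvc.exe|DELETE|D:\Data\students.csv
"""


def parse_events(text):
    """Parse pipe-separated audit lines into (time, pid, process, action, path), time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, pid, proc, action, path = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), int(pid), proc, action, path))
    events.sort(key=lambda e: e[0])
    return events


def find_wiper_candidates(events, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return {pid: summary} for processes whose destructive activity, within any
    single sliding window, touches at least min_files distinct files spread over
    at least min_dirs distinct directories. The peak window per pid is reported."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev[3] in DESTRUCTIVE:
            by_pid[ev[1]].append(ev)

    findings = {}
    for pid, evs in by_pid.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            files = {e[4] for e in span}
            dirs = {str(PureWindowsPath(e[4]).parent) for e in span}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                if best is None or len(files) > best["files"]:
                    best = {
                        "process": evs[0][2],
                        "files": len(files),
                        "dirs": len(dirs),
                        "first": span[0][0].isoformat(),
                        "last": span[-1][0].isoformat(),
                    }
        if best:
            findings[pid] = best
    return findings


if __name__ == "__main__":
    for pid, info in find_wiper_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid} ({info['process']}): {info['files']} files across "
              f"{info['dirs']} directories between {info['first']} and {info['last']}")
```

Run against the constructed events, only pid 9912 is reported; the backup process writes just as many files but stays in one directory, which is why directory spread is part of the rule rather than file count alone. In production the thresholds would be tuned per host role, and this heuristic would sit beside, not replace, detections for the recovery-prevention steps the report alludes to, which the summary above does not detail.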