Cybersecurity researchers link attackers to the Iranian-backed APT group “Agonizing Serpens,” which has upgraded its capabilities and uses various tools to bypass security measures.
Hackers target and steal sensitive data for various reasons, including:
They may sell the stolen data on the black market, use it for blackmail, or exploit it for fraudulent activities. Unit 42 researchers recently discovered a series of cyberattacks targeting Israeli education and tech sectors, aiming to steal data and render endpoints unusable.
Iranian-linked APT Agonizing Serpens has been active since 2020, using wipers and fake ransomware in attacks targeting Israeli organizations. They aim to steal data and disrupt business continuity, often publishing stolen info on social media.
Here below, we have mentioned the other names of Agonizing Serpens:-
Attackers exploited web servers for initial access, deploying web shells. These shells, similar to past Agonizing Serpens attacks, conducted reconnaissance and network mapping using common scanners that are publicly available.
Basic reconnaissance commands via the web shells (Source – Unit 42)
Here below we have mentioned the scanners:-
The attackers attempted to gain admin credentials, but Cortex XDR blocked their methods. Here below we have mentioned all the attempted methods:-
The attackers employed Plink (as systems.exe) for lateral movement, aimed at data theft and wiper execution. They used tools like WinSCP and Putty, along with a custom sqlextractor (sql.net4.exe) for exfiltration.
Here below we have mentioned the types of data extracted:-
The attackers tried using WinSCP and pscp.exe for file exfiltration, seeking specific file types containing stolen data.
The group tried to bypass EDR, but Cortex XDR blocked their attempts. They used various known techniques not seen in previous attacks, indicating increased sophistication.
The attackers used a custom tool called agmt.exe, likely derived from drvIX based on the PDB path. Agmt.exe is a custom loader for the GMER driver, AGMT.sys. It can terminate a specified target process by registering and starting the AGMT service.
After failing to exploit the GMER driver, the attackers turned to the drvIX tool, leveraging a new vulnerable driver from a public PoC tool called BadRentdrv2.
Cybersecurity researchers at Unit 42 found the following new wipers and tools used by the operators of the Agonizing Serpens group:-
Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…