Pilfered Data From Iranian Insurance and Food Delivery Firms Leaked Online
Online food ordering service and insurance firms hit by mystery hackers using the moniker "irleaks."
January 3, 2024
Cybercriminals broke into the systems of 23 leading Iranian insurance firms and SnappFood, Iran's leading online food ordering service, dumping millions of user profiles.
The sample from the insurers' leak included names, phone numbers, identity numbers, addresses, passport numbers, and other sensitive details from insurance companies including Kowsar, Atieh, Asia, and Alborz. Security researchers at Israel-based threat intel firm Hudson Rock, who discovered the data dump, confirmed that the data "appears to be genuine."
SnappFood Skewered
After the attack on the insurance firms, the attackers — operating under the alias "irleaks" (presumably indicating Iran Leaks) — boasted that they had broken into the systems of SnappFood, Iran's leading online food ordering service, and claimed to have exfiltrated 3TB of highly sensitive data.
The haul is said to include 20 million user profiles (emails, passwords, phone numbers), 51 million users' addresses, and 600,000 credit card records.
SnappFood issued a holding statement a day later, saying that it was working with local police agencies to "identify and remove the source of pollution caused by the actions of this hacking group."
StealC Info-Stealer
Hudson Rock researchers determined that a computer used by a SnappFood employee — most likely a software developer — was recently infected by the StealC info-stealer. Although unconfirmed as the source of the attack, the malware created a conduit through which sensitive data may have been extracted.
"The infection of this employee's computer resulted in many sensitive credentials of the organization being accessible to some hackers and may have been used as an initial attack vector against the company," Hudson Rock explained in its blog post. "Some of the data includes login details to the company's Confluence server, Jira server, and other development related URLs."
The motives behind the twin attacks remain unclear but circumstantial evidence points towards cyber espionage rather than profit-driven cybercrime, according to Hudson Rock.
"Given the extensive involvement of leading companies in the breaches, the carefully curated samples, and that the threat actor's account is new to the forum, it seems probable that this is a state-sponsored attack intending to sow internal chaos within Iran," says Alon Gal, CTO at Hudson Rock. "However, it's also plausible that it's a sophisticated threat actor who adeptly infiltrated multiple organizations within Iran."
Insider Error?
The most likely cause of the initial StealC infection is a software developer at SnappFood downloading a software package laced with the malware, a pattern seen in previous similar attacks. But that remains unconfirmed, and some form of spear-phishing attack or another, as yet unknown, vector may well be to blame.
"The StealC type info stealer that infected an employee at SnappFood is a probable initial attack vector that may have been used in the attack, though we can't know this for certain," Hudson Rock's Gal explained. "Threat actors often take advantage of corporate credentials that are stolen by info stealers, and in the case of this SnappFood compromised employee Hudson Rock did identify many sensitive credentials that could have been used against the organization."
StealC has featured in malware-spreading campaigns by cybercriminals looking to infect as many computers as possible. These groups (sometimes known as initial access brokers) resell any compromised credentials to more experienced threat actors, whose expertise lies in identifying critical credentials and infiltrating organizations to carry out ransomware attacks, other cyberattacks, and account takeovers.