Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.


#1

Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. (Mar 27, 2019)

Researchers from Symantec observed the Iranian Advanced Persistent Threat (APT) group, "Elfin," (also known as APT33) to be exploiting a registered vulnerability (CVE-2018-20250) in "WinRAR" to attack various organisations. Elfin is known to target Middle Eastern countries, specifically Saudi Arabia, as well as the United States, and sectors such as chemical, consulting, engineering, finance, governmental, manufacturing, research, telecoms, and several others. The attack with the WinRAR vulnerability targeted Saudi Arabian chemical organisations through phishing emails that allowed remote code execution on the infected computer once opened. The APT group is known for utilising both custom and open-sourced malware tools, and was linked to the malware, "Shamoon."

Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.