Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

    Date: 08/29/2024

    Severity: High

    Summary

    This advisory concerns Iran-based cyber actors, either cybercriminal groups or state-sponsored actors, who enable ransomware attacks against organizations in the United States. These actors use sophisticated techniques to infiltrate networks, deploy ransomware, and demand ransoms, and they often target critical infrastructure and businesses. The motive is typically financial gain, disruption, or both. The activity underlines the growing threat posed by state-affiliated cybercrime and the need for stronger cybersecurity measures.

    Indicators of Compromise (IOC) List

    URL/Domain

    sophos.one

    api.gupdate.net

    forticloud.online

    githubapp.net

    cloud.sophos.one

    login.forticloud.online

    fortigate.forticloud.online

    IP Address

    78.141.238.182

    138.68.90.19

    45.76.65.42

    167.99.202.130

    134.209.30.220

    13.53.124.246

    193.149.187.41

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "api.gupdate.net" or url like "api.gupdate.net" or userdomainname like "forticloud.online" or url like "forticloud.online" or userdomainname like "githubapp.net" or url like "githubapp.net" or userdomainname like "cloud.sophos.one" or url like "cloud.sophos.one" or userdomainname like "login.forticloud.online" or url like "login.forticloud.online" or userdomainname like "fortigate.forticloud.online" or url like "fortigate.forticloud.online" or userdomainname like "sophos.one" or url like "sophos.one"

    IP Address

    dstipaddress IN ("78.141.238.182","138.68.90.19","45.76.65.42","167.99.202.130","134.209.30.220","13.53.124.246","193.149.187.41") or ipaddress IN ("78.141.238.182","138.68.90.19","45.76.65.42","167.99.202.130","134.209.30.220","13.53.124.246","193.149.187.41") or publicipaddress IN ("78.141.238.182","138.68.90.19","45.76.65.42","167.99.202.130","134.209.30.220","13.53.124.246","193.149.187.41") or srcipaddress IN ("78.141.238.182","138.68.90.19","45.76.65.42","167.99.202.130","134.209.30.220","13.53.124.246","193.149.187.41")
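    The two queries above express the same check in two forms: a substring match on the domain/URL fields and an exact-set match on the IP fields. The following script is an added example (not Gurucul's code or part of the advisory) that applies the page's IoC list to JSON log lines using the same field names the queries use; the log schema and the sample lines are constructed assumptions. It differs from a plain `like` substring test in one deliberate way: domains are matched on label boundaries, so a subdomain of an IoC domain matches but a host that merely contains the string (e.g. "notsophos.one") does not.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# IoCs exactly as listed in the advisory above.
IOC_DOMAINS = {
    "sophos.one", "api.gupdate.net", "forticloud.online", "githubapp.net",
    "cloud.sophos.one", "login.forticloud.online", "fortigate.forticloud.online",
}
IOC_IPS = {
    "78.141.238.182", "138.68.90.19", "45.76.65.42", "167.99.202.130",
    "134.209.30.220", "13.53.124.246", "193.149.187.41",
}

# Field names follow the page's queries; that these fields exist in your
# log schema is an assumption of this example.
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def host_from_url(value: str) -> str:
    """Return the lowercased hostname of a URL or bare host, without port or trailing dot."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def domain_matches(host: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the most specific IoC domain that host equals or is a subdomain of.

    Matching on a label boundary ("." + ioc) avoids the false positives a plain
    substring test would produce, e.g. "notsophos.one" or "sophos.one.example.com".
    """
    host = host.rstrip(".").lower()
    for ioc in sorted(iocs, key=len, reverse=True):  # longest IoC wins
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(value: str, iocs: Iterable[str] = IOC_IPS) -> Optional[str]:
    """Return the IoC IP that value normalises to, or None for non-IPs and misses."""
    try:
        normalised = str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None
    return normalised if normalised in set(iocs) else None


def match_event(event: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Check one parsed event against the IoCs; return (field, value, ioc) hits."""
    hits: List[Tuple[str, str, str]] = []
    for field in DOMAIN_FIELDS:
        value = event.get(field)
        if value:
            ioc = domain_matches(host_from_url(value))
            if ioc:
                hits.append((field, value, ioc))
    for field in IP_FIELDS:
        value = event.get(field)
        if value:
            ioc = ip_matches(value)
            if ioc:
                hits.append((field, value, ioc))
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[int, Tuple[str, str, str]]]:
    """Scan JSON log lines; return (line_number, hit) for every IoC match."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        for hit in match_event(event):
            findings.append((lineno, hit))
    return findings


# Constructed sample log lines (not real telemetry); 10.0.0.0/8 and 203.0.113.0/24
# are private / documentation ranges used only as filler.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "78.141.238.182", "url": "https://api.gupdate.net/update"}',
    '{"srcipaddress": "10.0.0.7", "dstipaddress": "203.0.113.10", "userdomainname": "vpn.forticloud.online"}',
    '{"srcipaddress": "10.0.0.9", "dstipaddress": "203.0.113.10", "url": "https://notsophos.one/"}',
    '{"srcipaddress": "10.0.0.9", "publicipaddress": "193.149.187.41"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    for lineno, (field, value, ioc) in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {field}={value!r} matches IoC {ioc}")
```

    Run against the constructed sample, lines 1, 2 and 4 produce hits (the subdomain "vpn.forticloud.online" is caught by the "forticloud.online" entry) while line 3 does not, which is the behaviour a `like "sophos.one"` substring match would not give you. Whichever matching rule you settle on, apply it consistently across all the source and destination fields the page's query enumerates, since an IoC IP can appear on either side of a connection record.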

    Reference:

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a


    Tags

    CISA, Ransomware, Malware
