Outrageous OPSEC: What happens when skiddies play natsec

Rocket Kitten phishermen self-d0x with hard-coded credentials

CheckPoint has raided the servers of a bumbling alleged Iranian hacking group using credentials hardcoded into malware, using its access to name suspected members.

The Rocket Kitten group was revealed September 2014 and later in more detail March targeting organisations throughout the Middle East with persistent, successful, but unsophisticated phishing emails.

CheckPoint has entered the fray into its latest report (pdf), finding holes in the groups horrendously poor operational security to discover what it says is likely the true identities of at least two members.

While attribution is a messy and dangerous business, Rocket Kitten's supreme operational security failures provided the unnamed Check Point researchers with plenty of evidence to link hacker aliases with names: command and control credentials were hardcoded into the malware, and the VXers failed to remove infections on their own machines.

"...we spotted this gem of an operational security mistake in the SQLi instructional video which precisely provided the smoking gun we were after … [the hacker] was now caught giving a public tutorial while logged in under his secret alias, otherwise unlinked with his real identity.

"Among many logged keystroke files containing stolen data, we stumbled on an astonishing discovery: the Rocket Kitten attackers had infected their own workstations, apparently as ‘test-runs’ [and] failed to remove these files from the command and control server, demonstrating, yet again, utter lack of operational security.

"If all that wasn’t enough, we also managed to retrieve an updated resume for [one of the attackers]."

Check Point boffins reckon the crew was pulled off it script kiddie web defacement efforts by Tehran and recruited into targeted espionage "at the service of their country".

A resume Check Point obtained on one of the attackers via yet more lousy operational security alleges he developed malware for Tehran.

Rocket Kitten appears based on collective research to seek information on actors and information on foreign policy and defense, and are not seeking cash.

The pwned Rocket Kitten portal.

The pwned Rocket Kitten portal.

One in four targets will enter credentials on Rocket Kitten's phishing pages. Victims include Israeli nuclear scientists and physicists, ex-military, Saudi scholars, NATO regional posts, and various media outlets. Hundreds of campaigns, labelled 'projects', have been developed to pop victims.

Researchers at Trend Micro and ClearSky were themselves targeted by the group who late this year attempted to coax them over Facebook messages into opening malware.

The hacking group has since brazenly used the ClearSky name to send Rocket Kitten alerts ostensibly from the security company to targets with a would-be detection tool attachment that actually infects machines. ®

Similar topics

Other stories you might like

  • Want to buy your own piece of the Pi? No 'urgency' says Upton of the listing rumours

    A British success story... what happens next?

    Industry talk is continuing to circulate regarding a possible listing for the UK makers of the diminutive Raspberry Pi computer.

    Over the weekend, UK newspaper The Telegraph reported that a spring listing could be in the offing, with a valuation of more than £370m slapped onto the computer maker.

    Pi boss, Eben Upton, described the article as "interesting" in an email to The Register today, before repeating that "we're always looking at ways to fund the future growth of the business, but the $45m we raised in September has taken some of the urgency out of that."

    Continue reading
  • JetBrains embraces remote development with new IDE for multiple programming languages

    Security, collaboration, flexible working: Fleet does it all, says project lead

    JetBrains has introduced remote development for its range of IDEs as well as previewing a new IDE called Fleet, which will form the basis for fresh tools covering all major programming languages.

    JetBrains has a core IDE used for the IntelliJ IDEA Java tool as well other IDEs such as Android Studio, the official programming environment for Google Android, PyCharm for Python, Rider for C#, and so on. The IDEs run on the Java virtual machine (JVM) and are coded using Java and Kotlin, the latter being primarily a JVM language but with options for compiling to JavaScript or native code.

    Fleet is "both an IDE and a lightweight code editor," said the company in its product announcement, suggesting perhaps that it is feeling some pressure from the success of Microsoft's Visual Studio Code, which is an extensible code editor. Initial language support is for Java, Kotlin, Go, Python, Rust, and JavaScript, though other languages such as C# will follow. Again like VS Code, Fleet can run on a local machine or on a remote server. The new IDE uses technology developed for IntelliJ such as its code-processing engine for features such as code completion and refactoring.

    Continue reading
  • Nextcloud and cloud chums fire off competition complaint to the EU over Microsoft bundling OneDrive with Windows

    No, it isn't the limited levels of storage that have irked European businesses

    EU software and cloud businesses have joined Nextcloud in filing a complaint with the European Commission regarding Microsoft's alleged anti-competitive behaviour over the bundling of its OS with online services.

    The issue is OneDrive and Microsoft's habit of packaging it (and other services such as Teams) with Windows software.

    Nextcloud sells on-premises collaboration platforms that it claims combine "the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs." Microsoft's cloud storage system, OneDrive, is conspicuous by its absence.

    Continue reading

Biting the hand that feeds IT © 1998–2021