Wiper Malware Used in Attack Against Iranian Railway

The cyber-attack that crippled Iran's national railway system at the beginning of the month was caused by a disk-wiping malware strain called Meteor, not by ransomware, according to research published by the security firms Amnpardaz and SentinelOne. According to Reuters, the attack disrupted train services and took the transport ministry's website offline. But the assault wasn't simply meant to cause havoc: the attackers also pushed a phone number onto train-station displays, inviting travelers to call it for further information about the disruption. Juan Andres Guerrero-Saade, Principal Threat Researcher at SentinelOne, said this is the first time this malware has been seen in use, and that Meteor has not yet been linked to any previously identified group.

Meteor malware: A part of a well-planned attack

The Meteor wiper was one of three components of a broader malware arsenal placed on the Iranian railway's computers on July 9, according to the firm's research. The attacks, which SentinelOne tracks under the codename MeteorExpress and which led to trains being canceled or delayed across Iran, involved:

1. Meteor – malware that wiped the infected computer's filesystem.
2. A file named mssetup.exe that acted as an old-school screen locker to lock the user out of their PC.
3. A file named nti.exe that rewrote the victim computer's master boot record (MBR).

Although Guerrero-Saade did not state how or where the attack began, he did mention that once inside a network, the attackers used group policies to deploy their malware, deleted shadow volume copies to prevent data recovery, and disconnected infected hosts from their local domain controller to stop sysadmins from quickly fi ..
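The detection-side counterpart of the stages described above (group-policy script deployment, shadow-copy deletion, domain disconnection), as an added example that is not code from SentinelOne, Amnpardaz or the article. It correlates per-host hits across constructed, simplified process-creation records; the log format, timestamps, host names and command patterns are all assumptions, not MeteorExpress indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-like "ts|key=value|..." process-creation records (not real telemetry).
SAMPLE_LOG = """\
2021-07-09T05:58:01|host=WS-101|user=RAILDOM\\svc-gpo|cmd=cmd.exe /c \\\\dc01\\SYSVOL\\raildom\\scripts\\setup.bat
2021-07-09T05:58:04|host=WS-101|user=SYSTEM|cmd=vssadmin.exe delete shadows /all /quiet
2021-07-09T05:58:06|host=WS-101|user=SYSTEM|cmd=wmic.exe shadowcopy delete
2021-07-09T06:10:11|host=WS-202|user=RAILDOM\\alice|cmd=notepad.exe report.txt
2021-07-09T09:30:00|host=WS-303|user=RAILDOM\\bob|cmd=vssadmin.exe list shadows
"""

# Behaviour rules keyed to the stages the article describes (patterns are assumptions).
RULES = {
    # shadow volume copy deletion to prevent recovery
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    # script/binary launched from a domain SYSVOL share, i.e. group-policy deployment
    "sysvol_script_launch": re.compile(r"\\\\[^\\]+\\SYSVOL\\.*\.(bat|cmd|ps1|exe)\b", re.I),
    # host being removed from its domain
    "domain_leave": re.compile(r"\b(netdom(\.exe)?\s+remove|Remove-Computer)\b", re.I),
}

def parse(line):
    """Split one record into a dict with a datetime under 'ts'."""
    ts, rest = line.split("|", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def match_rules(cmd):
    """Names of every rule whose pattern matches the command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}

def correlate(log_text, window=timedelta(minutes=10), min_rules=2):
    """Hosts on which at least `min_rules` distinct behaviours occur within `window`.
    A single 'vssadmin list shadows' never alerts; a deployment followed by deletion does."""
    hits = defaultdict(list)  # host -> [(ts, rule)]
    for line in log_text.splitlines():
        rec = parse(line)
        for rule in match_rules(rec["cmd"]):
            hits[rec["host"]].append((rec["ts"], rule))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {r for t, r in events[i:] if t - t0 <= window}
            if len(seen) >= min_rules:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Running `correlate(SAMPLE_LOG)` flags only WS-101, where a SYSVOL script launch is followed seconds later by shadow-copy deletion; the benign `list shadows` on WS-303 produces no hit.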
