Full Report
We are observing an increase in wiper attacks by the Iran-linked Handala Hack group (aka Void Manticore), delivered through phishing and misuse of Microsoft Intune. (Source: the post "Insights: Increased Risk of Wiper Attacks", which appeared first on Unit 42.)
Analysis Summary
Based on Unit 42's reporting on recent wiper campaigns, the following is a structured summary of the threat actor.
# Threat Actor: Handala Hack
## Attribution & Identity
* **Name:** Handala Hack
* **Aliases:** Void Manticore (tracked by Check Point)
* **Attribution:** Identified as an Iran-linked threat actor.
* **Associations:** Activity aligns with Iranian geopolitical interests; the group frequently pairs destructive attacks with psychological operations (PsyOps).
## Activity Summary
Handala Hack has shifted from primarily "leak and shame" influence operations to high-impact destructive attacks. Recent campaigns involve:
* **Intune Misuse:** Abusing legitimate Microsoft Intune administrative access (not an Intune vulnerability) to distribute malicious payloads directly to managed endpoints.
* **Wiper Distribution:** Deploying destructive malware (wipers) designed to render systems unrecoverable.
* **Phishing:** Using targeted social engineering to obtain credentials and sessions for initial access; MFA is defeated by proxying the login or stealing the session token, not by the lure alone.
## Tactics, Techniques & Procedures
* **Phishing (T1566):** Delivering malicious links or files by email to harvest credentials or deploy initial-access tooling.
* **Valid Accounts: Cloud Accounts (T1078.004) and Software Deployment Tools (T1072):** Using compromised administrator credentials to sign in to Microsoft Intune and push malware through the tenant's legitimate deployment channel.
* **Data Destruction (T1485):** Deploying custom wiper malware that overwrites files and on-disk structures.
* **MFA Bypass (Adversary-in-the-Middle, T1557; Steal Web Session Cookie, T1539):** Proxying the victim's sign-in or stealing the resulting session token, so that an MFA challenge the victim legitimately completed is reused by the attacker rather than prevented.
* **Influence Operations:** Publishing stolen data and claiming attacks on Telegram channels to amplify instability and pressure victims.
## Targeting
* **Sectors:** Government, critical infrastructure, technology, and private sector enterprises.
* **Geography:** Primary focus on Israel, though targeting can extend to organizations elsewhere that the actor perceives as adversaries of Iranian interests.
* **Victims:** Various Israeli government and commercial entities (as indicated by the actor's Telegram claims).
## Tools & Infrastructure
* **Malware:**
  * **Custom Wipers:** Several unnamed wiper variants that overwrite files and file-system structures so the host cannot be recovered.
  * **Foudre (and variants):** Listed here as associated with Iranian destructive campaigns. Foudre is better documented as an espionage implant of the Infy (Prince of Persia) group than as a wiper, so treat this link as unconfirmed unless the underlying report ties a specific sample to Handala.
* **Infrastructure:**
  * **Microsoft Intune:** The victim's own tenant, used as the delivery mechanism for malicious packages and scripts; access comes from compromised administrator accounts rather than an Intune vulnerability.
  * **Telegram:** The actor's public channel for leaks, attack claims and victim shaming; it serves influence operations, not malware command and control.
  * **Phishing Domains:** `f-panel-login[.]com` (given as an example of the actor's typical phishing infrastructure; defanged).
## Implications
* **Escalation of Impact:** The shift from data theft to data destruction shows a higher risk appetite and an intent to cause tangible operational downtime rather than embarrassment alone.
* **Management-Plane Abuse:** By compromising an MDM solution such as Intune, the actor gains rapid, automated deployment across an entire organization through a channel endpoints are built to trust. Because the payload arrives via the management agent rather than a user download, endpoint protections that would otherwise flag an isolated download may not fire.
## Mitigations
* **Secure Microsoft Intune:** Put Intune and Global Administrator roles behind Conditional Access policies that require phishing-resistant MFA (FIDO2 security keys or equivalent) and a compliant or privileged-access device. Grant the roles just-in-time (JIT) through Microsoft Entra Privileged Identity Management instead of standing assignment, and use dedicated admin accounts with no mailbox, since phishing is the initial access vector.
* **Monitor for Mass Changes:** Forward Intune audit logs to your SIEM and alert on the creation of new scripts, apps or configuration policies, and on any assignment that targets the built-in "All Devices" or "All Users" groups, especially when several such operations come from one account within minutes or from an unfamiliar IP address.
* **Phishing Protection:** Use email security that detects AiTM phishing and credential-harvesting sites, and watch sign-in logs for the AiTM pattern itself: a successful MFA sign-in from an IP address the user has never used, followed shortly by session activity from another.
* **Backup and Recovery:** Maintain offline or immutable backups that an Intune administrator cannot delete, and test restoration regularly; against wipers, recoverability rather than prevention is the measure of resilience.
* **Endpoint Defense:** Configure EDR/XDR to flag PowerShell, CMD and other administrative tools launched by the Intune Management Extension (for example, scripts run through its AgentExecutor process) so that a malicious management-pushed payload stands out from routine activity.
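The "monitor for mass changes" mitigation above is easy to state and easy to get wrong in practice, so here is an added example of the detection logic run over sample audit events. This is editorial code for this summary, not code from Unit 42 or Microsoft. The events are constructed and modelled on the shape of Microsoft Graph `deviceManagement/auditEvents`; the field names (`activityOperationType`, `componentName`, `actor`, `resources`, `modifiedProperties`) and the component and target values are assumptions to map onto your own export or SIEM schema.

```python
"""Flag risky Intune changes in exported audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, op, comp, name, target=None, ip="198.51.100.7"):
    """Build one constructed audit event in the assumed Graph auditEvent shape."""
    props = [{"displayName": "Target", "oldValue": "", "newValue": target}] if target else []
    return {"activityDateTime": ts, "activityOperationType": op, "componentName": comp,
            "actor": {"userPrincipalName": "it-admin@example.com", "ipAddress": ip},
            "resources": [{"displayName": name, "modifiedProperties": props}]}


# Constructed sample events (not real tenant data). The first is a routine edit
# that should stay quiet; the rest mimic a compromised admin pushing a script and
# a Win32 app to every device within a few minutes, from an unusual IP.
SAMPLE_EVENTS = [
    _ev("2024-06-01T09:00:00Z", "Patch", "DeviceConfiguration", "Corp Wi-Fi profile", ip="203.0.113.10"),
    _ev("2024-06-01T22:14:05Z", "Create", "DeviceManagementScript", "update.ps1"),
    _ev("2024-06-01T22:15:40Z", "Assign", "DeviceManagementScript", "update.ps1", target="All Devices"),
    _ev("2024-06-01T22:16:30Z", "Create", "MobileApp", "SecurityUpdate.intunewin"),
    _ev("2024-06-01T22:17:10Z", "Assign", "MobileApp", "SecurityUpdate.intunewin", target="All Users"),
]

# Object types that cause code to run on endpoints, and the built-in groups that
# make a single assignment tenant-wide (names are assumptions, adjust to your schema).
RISKY_COMPONENTS = {"MobileApp", "DeviceManagementScript", "DeviceManagementConfigurationPolicy"}
BROAD_TARGETS = {"All Devices", "All Users"}
DEPLOY_OPS = {"Create", "Assign"}


def parse_time(value):
    """Graph emits ISO-8601 UTC with a trailing Z, which fromisoformat rejects before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor_name(event):
    """Prefer the UPN; app-only callers carry applicationDisplayName instead."""
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def broad_targets(event):
    """Broad groups named in an Assign event's modified Target properties."""
    hits = set()
    for res in event.get("resources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "Target" and prop.get("newValue") in BROAD_TARGETS:
                hits.add(prop["newValue"])
    return hits


def flag_events(events, window=timedelta(minutes=10), burst_threshold=3):
    """Return findings for new deployables, tenant-wide assignments and bursts."""
    findings = []
    deploy_times = defaultdict(list)  # actor -> timestamps of deploy ops, in time order
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        op, comp = ev.get("activityOperationType"), ev.get("componentName")
        if comp not in RISKY_COMPONENTS or op not in DEPLOY_OPS:
            continue
        actor = actor_name(ev)
        names = ", ".join(r.get("displayName", "?") for r in ev.get("resources", []))
        deploy_times[actor].append(parse_time(ev["activityDateTime"]))
        if op == "Create":
            findings.append({"rule": "new_deployable", "actor": actor,
                             "component": comp, "resource": names})
        targets = broad_targets(ev) if op == "Assign" else set()
        if targets:
            findings.append({"rule": "broad_assignment", "actor": actor,
                             "resource": names, "targets": sorted(targets)})
    # Burst rule: one actor performing several deploy operations inside the window.
    for actor, times in deploy_times.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= burst_threshold:
                findings.append({"rule": "burst", "actor": actor, "count": count,
                                 "window_minutes": int(window.total_seconds() // 60)})
                break
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(finding)
```

Against the sample, the routine Wi-Fi edit produces nothing, while the script and app each raise a `new_deployable` finding, both tenant-wide assignments raise `broad_assignment`, and the four operations inside ten minutes raise one `burst` finding. The burst rule is the one worth tuning: a legitimate patch cycle also creates and assigns several objects quickly, so pair it with the actor's sign-in context (new IP, new device, off-hours) before paging anyone.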