Iran Hackers Use New Cavern C2 Framework on Israel
An Iranian hacking group, linked to Iran's Ministry of Intelligence and Security (MOIS), has been actively employing a newly discovered modular command-and-control (C2) framework called Cavern (also known as Cav3rn). This sophisticated framework has been specifically deployed to target organizations within Israel, with a primary focus on the IT provider and government sectors. The threat cluster responsible for this activity has been identified and tracked by Check Point Research, which published its findings on May 15, 2024.
The Cavern framework is characterized by its modular design, allowing the attackers to adapt and deploy various functionalities as needed. This adaptability makes it a potent tool for persistent access and data exfiltration. Check Point Research's analysis revealed that the framework enables the threat actors to conduct reconnaissance, maintain a foothold within compromised networks, and execute malicious commands remotely. The specific techniques observed suggest a high level of technical proficiency and strategic planning by the group.
While the exact motivations behind these attacks are not fully detailed, the targeting of IT providers and government entities in Israel indicates a potential interest in espionage, intelligence gathering, or disruption of critical infrastructure. The use of a previously unknown C2 framework suggests the group is actively developing and employing custom tools to evade detection by cybersecurity defenses. This discovery highlights the ongoing evolution of cyber threats originating from state-sponsored or state-affiliated actors.
Check Point Research's report emphasizes the importance of robust cybersecurity measures for organizations, particularly those in sensitive sectors, to detect and mitigate advanced persistent threats (APTs). The identification of the Cavern framework provides valuable intelligence for defenders to develop specific detection rules and enhance their incident response capabilities against this particular threat actor. The ongoing monitoring of this group's activities is crucial to understanding the full scope of their operations and potential future targets.
Original source — read the full reporting at the publisher:
Read on The Hacker News