Iranian hacktivists carried out an attack on the supply chain of Israeli universities by initially breaching the systems of a local technology supplier for the academic sector.
The self-styled Lord Nemesis group boasted online that it had used stolen credentials from Rashim Software to hack into the systems of the vendor’s customers, universities and colleges in Israel. According to Op Innovate, an incident response company that assisted one of the victim universities, the hack-and-leak operation began around November 2023. The company considers it “highly likely” that student data from that institution was disclosed as a result of the cyberattack.
Rashim, a provider of academic administration software, including a student-focused CRM package, did not respond to Dark Reading’s inquiries about the alleged breach.
Hacking weak access controls
In a detailed blog post, Israeli security consultancy Op Innovate said the hacking operation against Rashim relied on a combination of weak access controls and fragile authentication controls.
Rashim maintained an administrator user account on at least some of its clients’ systems, Op Innovate found. “By hijacking this administrator account, the attackers were able to access numerous organizations using their VPN [virtual private network] which relied on CRM Michlol [customer relationship management], potentially compromising the security of these institutions and putting their data at risk,” the IR consultancy wrote in its report.
Stronger authentication controls would normally offer a barrier against this type of attack, but Rashim relied on email-based authentication. So after attackers compromised Rashim’s Microsoft Office 365 infrastructure as part of a larger attack against its databases and other systems, email authentication as a defense fell apart.
Nemesis Kitten
On March 4, four months after the initial breach, Lord Nemesis used his access to Rashim’s internal Office 365 infrastructure to send the software company’s customers, colleagues and partners a message from the company’s email account announcing that he had “full access to Rashim’s infrastructure”.
The Iran-based hacktivists separately uploaded videos that supposedly document how they were able to delete branches from Rashim’s databases. They also released personal videos and images of Rashim’s CEO in an apparent attempt to harass and intimidate the company.
Lord Nemesis, also known as Nemesis Kitten, initially emerged in late 2023, and the Rashim breach represents the newly formed group’s first significant cyberattack.
Roy Golombick, CMO of Op Innovate, told Dark Reading that exactly how the attackers gained access to Rashim Software’s systems remains confidential due to an ongoing investigation into the incident.
Golombick did, however, share some details of the hacktivists’ tradecraft. “The group used a known malicious IP from a local proxy server to Israel, thus bypassing the geo-blocking. This IP provided our research group with valuable IOC [indicator of compromise] to identify login attempts,” Golombick explained.
Op Innovate was able to confirm that Lord Nemesis agents had successfully breached Rashim Software’s administrator account, which held privileged access to the institution’s student CRM system.
“Exploiting these elevated credentials, the attackers connected to the institution’s VPN outside of normal business hours and began data exfiltration,” according to Op Innovate’s report.
Analysis of the logs revealed that the attackers had targeted servers and databases, including a SQL server containing sensitive student data. However, Op Innovate was unable to find definitive evidence that students’ personal data was stolen as a result of the attack, but still concluded that such sensitive information was likely exposed.
The cyberattack appears limited to entities in Israel. “As far as we know, and based on the attacker’s Telegram channel, it appears that the attack specifically targets Israeli organizations,” Golombick says.
Software supply chain risk
The attack illustrates the risk organizations face from their reliance on third-party vendors and partners. Instead of targeting an organization directly, attackers increasingly find it easier to breach software or technology vendors in supply chain attacks, which give them a springboard into the networks of multiple potential victims.
Golombick compared the attack on Rashim and its clients to the earlier “Pay2Key” attack launched against the Israeli maritime and logistics sector in December 2020. Both incidents illustrate the importance of taking proactive measures to minimize supply chain risk.
“This includes the implementation of MFA [multi-factor authentication] across all users, not least those used by third-party vendors, and monitoring accounts for suspicious behavior such as after-hours activity” and other red flags, Golombick advises.
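As an added, constructed illustration of the monitoring Golombick recommends (not code from Op Innovate, Rashim or the report), the script below flags successful VPN logins by a vendor-held account outside business hours, or from an IP on a known-bad list; the log format, account names, IP addresses and business hours are all assumptions chosen for the example.

```python
import re
from datetime import datetime, time

# Constructed VPN authentication log lines (not from the report); the IPs,
# account names and timestamps are placeholders chosen for illustration.
SAMPLE_VPN_LOG = """\
2023-11-14T02:13:07Z vpn-gw1 user=rashim_admin src=203.0.113.45 result=success
2023-11-14T09:05:41Z vpn-gw1 user=jdoe src=198.51.100.7 result=success
2023-11-14T23:48:12Z vpn-gw1 user=rashim_admin src=203.0.113.45 result=success
2023-11-15T10:12:00Z vpn-gw1 user=asmith src=198.51.100.9 result=failure
2023-11-15T11:30:22Z vpn-gw1 user=rashim_admin src=198.51.100.22 result=success
"""

# Placeholder IOC list; a real deployment would load the IPs shared by the IR team.
KNOWN_BAD_IPS = {"203.0.113.45"}
# Accounts held by third-party vendors, which deserve tighter scrutiny (assumed name).
VENDOR_ACCOUNTS = {"rashim_admin"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working day, timestamps in UTC

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def is_after_hours(ts):
    """True outside the assumed business window or on a weekend."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end) or ts.weekday() >= 5

def flag_logins(log_text):
    """Return (line_no, user, ip, reasons) for successful logins that match a red flag."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue  # failed attempts are worth counting separately, but not flagged here
        reasons = []
        if rec["ip"] in KNOWN_BAD_IPS:
            reasons.append("known malicious IP")
        if rec["user"] in VENDOR_ACCOUNTS and is_after_hours(rec["ts"]):
            reasons.append("vendor account after hours")
        if reasons:
            alerts.append((n, rec["user"], rec["ip"], reasons))
    return alerts
```

Running `flag_logins(SAMPLE_VPN_LOG)` on the constructed sample flags lines 1 and 3 (the vendor account connecting at night from the listed IP) and leaves the daytime vendor login and the ordinary user logins alone.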
Not surprisingly, he also suggests hiring a reputable IR firm “to ensure a quick response and make those critical first hours count.”