Call today to start protecting your business:      (888) 987-1335


Security Validation Posts

Iran-Cyber Response Bulletin

HISTORY OF CYBER ATTACKS FROM IRAN


High profile attacks believed to be orchestrated by Iran have targeted the energy industry, financial services and government facilities. Défense, Communications, Healthcare and Manufacturing have also been targeted by threat actor groups with links to Iran.

2011 TO MID-2013
Distributed Denial of Service attacks were used against websites belonging to 46 U.S. bank, preventing customers from accessing or servicing their accounts online. The fallout from this attack cost the banks millions of dollars. The US Department of Justice indicted seven Iranian nationals in March 2016 for conducting the attacks on behalf of the IRGC.

LATE 2013
An individual accessed supervisory control and data acquisition (SCADA) systems at the Bowman Avenue Dam in Westchester County in the fall of 2013, obtaining sensitive information critical to the operation of the dam. The US DoJ indicted an Iranian national for illegally accessing the dam and the data. The attack was believed to be connected to the DDoS attacks conducted against US banks.

EARLY 2014
An attack on the Sands Las Vegas Corporation in 2014 first exfiltrated data, including credit card, drivers license numbers and Social Security numbers before wiping the corporations computer systems. The U.S. Director of National Intelligence attributed to the attack to Iran.

2013 - 2017
Hundreds of U.S. and foreign academic institutions, as well as a large number of private sector companies, were targeted over an extended period in thefts of email credentials and intellectual property. Nine Iranian nationals were indicted by the US DoJ in March 2018 for the attacks.

2019 To Present
The Deadwood family of wiper malware was used against specific targets in Saudi Arabia during mid-2019. Microsoft analysts attributed the attack to Iran’s highly active, APT33. In December 2019, the ZeroCleare wiper malware was found to have been used in multiple attacks against targets including
Middle Eastern energy companies and firms in the industrial sector. IBM researchers attributed the attack to Iranian group APT34.

Recommended Actions

1. Disable unnecessary ports and protocols. A review of your network security device logs should help you determine which ports and protocols are exposed but not needed. For those that are, monitor these for suspicious, ‘command & control’-like activity.


2. Log and limit the use of PowerShell. If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on ‘Script Block Logging’.


3. Set policies to alert on new hosts joining the network. To reduce the possibility of ‘rogue’ devices on your network, increase visibility and have key security personnel notified when new hosts attempt to join the network.


4. Backup now and test your recovery process for business continuity. It is easy to let backup policies slide or fail to prove that you can restore in practice. Also, ensure you have redundant backups, ideally using a combination of hot, warm and cold sites.


5. Step up monitoring of network and email traffic. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms and review network signatures. Particular focus should be placed on external-facing hosts which are being targeted by password-spraying and brute-force login attempts. Externally exposed systems, where multi-factor authentication cannot be implemented, should be monitored carefully. Attempting to compromise VPN servers without 2FA (for example) is a well-established TTP for Iranian-based actors.


6. Patch externally facing equipment. Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks. Implement multi-factor authentication where necessary (ex: VPN servers).


7. Monitor systems and applications in real time 24x7.  Human interaction is necessary to get in front of attacks and to mitigate damage.   Timely identification of intrusions will save your organization hundreds of thousands of dollars in downtime, fines and penalties.  For many of you staffing will be a challenge.  Engage a 24x7 Hospitality focused MSSP to ensure threats are identified and remediated.


8. Ensure File Integrity Monitoring is enabled and capturing changes to key executable and binary files.


9. Ensure Logging and Monitoring is enabled for forensic investigations.



Mitigation

Current SecValMSP with SentinelOne Endpoint Protection users are protected against TTPs associated with known Iranian-based threat groups/actors. When integrated with your Fortinet Firewall Full detection & prevention is available, in the current agents, for known malware and tools associated with the campaigns and groups noted below.

Known Tools

Mitre ATT&CK IDs noted aside each TTP where possible

Alma Communicator
BOUNDUPDATER
CACHEMonkey
CadelSpy / Remexi (S0375)
Cobalt Strike (S0154)
CsExt
DarkComet (S0334)
DistTrack (S0140)
DownPaper (S0186)
Empire (S0363)
FireMalv
Foudre
GHOLE
Havij (S0224)
ISMdoor
ISMInjector (S0189)
Jasus
KAgent
LaZagne (S0349)
Madi
Matryoshka
Metasploit
Mimikatz (S0002)
NanoCore (S0336)
NBTScan
Net Crawler (S0056)
NetSrv (S0154)
Netwire (S0198)
njRAT (S0385)
OopsIE (S0264)
PowBAT
POWERSTATS (S0223)
Powerton (S0371)
Puppy / PupyRAT (S0192)
QUADAGENT (S0269)
QuasarRAT (S0262)
Remcos (S0332)
RGDoor (S0258)
SamSam (S0370)
SHARPSTATS
Spynote (S0305)
STealer Builder
StoneDrill (S0380)
SynFlooder
TDTESS (S0164)
TinyZbot (MS0004)
TurnedUp (S0199)
WCE (S0005)
WndTest
ZPP

THREAT GROUPS

Mitre ATT&CK IDs noted aside each TTP where possible

APT 33 (G0064)
APT 34 / OilRig / Helix Kitten (G0049)
APT 35 / Rocket Kitten / Cobalt Gypsy (G0059)
APT 39 / Chafer (G0087)
Cadelle
Copy Kittens / Slayer Kitten (G0052)
Cobalt Dickens
Domestic Kitten
Gold Lowell / Boss Spider
GreenBug (G0049)
Group 26 / Flying Kitten (G0059)
Group 41 / Clever Kitten
Group 5 (G0043)
Group 83 / Charming Kitten (G0058)
Iridium
LazyMeerkat / DarkHydrus (G0079)
Leafminer / Raspite (G0077)
MagicHound (G0059)
Mahdi
Mermaid / Infy
Muddy Water / Static Kitten (G0069)
Silent LIbrarian / Mabna Institute
TG-2889 / Cutting Kitten (G0059)

NOTABLE CAMPAIGNS

Ababil / ApAbabil (2012)
Australian Parliament Hack (2018)
Bowman Avenue Dam Attack (2013)
Blackwater (2019)
Citrix Hack (2018)
Operation Cleaver (2012)
Operation Mermaid (2015)
Operation Newscaster (2011)
Saffron Rose (2013)
Shamoon / Shamoon2.0 (2012 / 2016)
Thamar Reservoir (2014)
Wilted Tulip (2013)
Woolen Goldfish (2015)

HISTORICAL IOCS


Contact SecValMSP for HASH, Application and Indications of Compromise Data.

The following table lists malware & tools which are associated with Iranian-based campaigns
(historically). They are singular and specific examples which are meant as a reference. Future
attacks/campaigns will likely utilize new/updated/different variants of these tools and malware
families. The core predictive static and behavioral AI engines, inherent to SentinelOne Endpoint
Protection, are capable of preventing said future instances.