Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/7/2020
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

DHS Warns of Potential Iranian Cyberattacks

Recent US military action in Baghdad could prompt retaliatory attacks against US organizations, it says.

Concerns about an Iranian cyber response to the recent American military strike in Baghdad grew this week with the US Department of Homeland Security urging organizations to be on heightened alert for denial-of-service and other more destructive attacks.

In an alert Monday, the DHS's Cybersecurity and Infrastructure Security Agency (CISA) warned US organizations about Iran's historic use of cyberattacks to retaliate against perceived foes. "Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities," the CISA alert noted.

In recent years, cyber groups operating on behalf of the Iranian government have improved their offensive capabilities in carrying out denial of service, website defacement attacks, and data theft. "They have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks," CISA said.

The CISA alert is the first public acknowledgement from the US government about potential Iranian cyberattacks in response to the US drone strike last week that killed Gen. Qassem Soleimani. Several security vendors, including Crowdstrike and Recorded Future, have noted the possibility of such attacks in recent days, citing past precedent.

According to Crowdstrike, while there is no evidence of a specific threat emanating from Iranian nation-state actors at this time, US organizations should assume a defensive posture all the same. Current intelligence suggests that organizations in the government, defense, financial, and oil and gas sectors will be the most likely targets for attacks, the security vendor said.

Recorded Future said it believes that Iranian cyber groups will try to use networks they already have compromised in previous espionage activities to carry out new attacks. Other likely tactics include the use of web shells, password spraying, and commodity and custom malware to break into target networks. In addition to US-based targets, Iranian cyber operatives likely will target organizations in the Persian Gulf as well as US allies and partners in the region, Recorded Future said.

Multiple Iran-based cyber groups with suspected ties to the government and the country's Islamic Revolutionary Guard Corps are believed to have the capability to disrupt and damage operations at US organizations. Top among them are APT33, one of the most active threat groups operating out of the Middle East; APT34 (aka OilRig/MUDDYWATER); and APT39, a relatively newly surfaced group that targets companies in the technology, travel services, and telecommunications sectors.

"APTs 33 and 34 are primarily focused on financial, energy, telecom, and SCADA/ICS," says Rosa Smothers, a former CIA technical intelligence officer and senior VP of cyber operations at KnowBe4. Private sector companies responsible for critical infrastructure are often unaware these threat actors already might have a presence on their network. That poses a threat because the Iranian government and its hacker proxies are likely to first consider targets where they currently maintain persistence.

"If organizations are fully defending against APTs — utilizing defense-in-depth methods, educating users about how to spot phishing and rejecting known breached and common passwords — then your technical bases should be covered," Smothers says.

Recommended Actions
Organizations in targeted sectors should be keeping an eye out for activities, indicators of compromise, and the tactics, techniques, and procedures associated with these APT groups says Anuj Goel, CEO of Cyware Labs. Examples of tools used by these groups include njRAT, RevengeRAT and NonoCoreRAT, he says. "Most recently, APT33, Iran's most potent cybercriminal group, was found probing physical control systems used in electric utilities, manufacturing, and oil refineries using password-spraying attacks," Goel says.

This week's CISA alert listed multiple Iranian APT group techniques that US organizations should be monitoring for, including credential dumping, file obfuscation, PowerShell misuse, and the abuse of other legitimate system features such as Registry run keys and the startup folder.

The alert also recommended several actions that organizations can take to mitigate their exposure to potential attacks. Among them was the need to disable unnecessary ports and protocols, enhance monitoring of email and network traffic, patch externally facing systems, and limiting and logging PowerShell use.

"Scrub accounts that are no longer active, and investigate accounts that log in at odd hours," Smothers adds. "Iranian activities were previously [discovered] due to activity occurring only during Iranian government business hours."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
0%
100%
tdsan,
User Rank: Ninja
1/9/2020 | 1:42:04 PM
Interesting, but this is nothing new
We (US) have been attacking Iran (Stuxnet) and Utility Grid (Nitro-Zeus) for years. We have embedded ASIC chips and software inside their network.



They have reverse engineered this technology and now they are using it against us (have people forgotten where Ramsomeware came from, we initially designed it and now the attackers are using it against us).



That's what happens when nation-states are not upfront with each other and their underhanded tactics cause a ripple effect in the country's economy, the old adage is why not work together to resolve the issues of the people instead of initiating these right-wing, secret wars that we constantly embark on.



At some point, we have to say enough is enough and work together as a country to put an end to all of the underhanded attacks that we have caused, instead of acting like a bully.

T

 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.