MEASURES TO BE TAKEN
In light of geopolitical events in the Middle East, the Cybersecurity and Infrastructure Security Agency (CISA) released advisory information to help organizations take steps in understanding the threat from Iran and to apply defensive measures appropriately.
HolistiCyber’s deep experience in combatting Iranian threat actors allows us to understand the following:
1) Iranian nation-state aligned groups have long conducted under-the-radar information gathering cyber operations in order to gain civilian, market, and military intelligence
2) In carrying out information gathering, these threat actors gain stealthy footholds on public and private sector IT assets. These footholds hold a dual purpose; they also serve as part of the apparatus to facilitate a cyber attack when such order is given
3) We assume that Iranian cyber groups will, if commanded, utilize these footholds to deploy cyber-extortion through ransomware or wiper malware – primarily to generate a substantial impact to share domestically and among their allies as a retaliation success story.
RECOMMENDED ACTION
Given these points, HolistiCyber would urge any organization that is part of a strategically important supply chain, or high-profile industry, to review the CISA documentation and apply its recommendations. We would also recommend that companies carry out their own Business Impact Assessments – through the eyes of an Iranian threat and understand the critical assets that are most likely to be targeted. We would then recommend the threat be modelled utilizing the TTPs associated with Iranian groups – as summarized in the CISA documentation and also available on MITRE ATT&CK. Furthermore, HolistiCyber firmly believes that a Threat Hunting approach should be adopted – in order to detect existing footholds and reveal any attack vectors that can be leveraged by these TTPs. This process will also inform any countermeasures required in order to shut down these attack paths.
TECHNICAL DETAIL
HolistiCyber recommends organizations apply the following threat hunting exercises – which have been tailored to the Iranian threat (in addition to the CISA recommendations):
1. Analyze DNS communication. (Payloads inside DNS protocol, used for C&C communication)
2. Check schedulers. (AT, CRON, Scheduled tasks, Control M, etc.), likely for time bomb attack vectors which are commonly used
3. Scan for discrepancies in Registries.
4. Search for tampers in NTP protocol and the relationship between subordinate nodes.
5. Check Exchange server-side rule sets, for unrecognized rules. Pay attention to KNOWN rules, with identical titles, but with different configurations.
6. A notable characteristic is the use of DNS for command and control communication (C&C) and for data exfiltration. This feature is available both in Cobalt Strike and in Matryoshka.
7. In past incidents, the attackers breached an IT company, and used VPN access it had to client organizations to breach their networks.
8. Email baits are likely to mention Iran in a negative context in the content of the email or in the subject title of the email or in the attachment. This threat actor has performed social engineering to this effect that several times in the past.
9. Check certificate local storage, authenticate the certificates of Microsoft, Google and others directly with authentic CA’s. This threat actor had implemented self-signed certificates in some of the servers they manage, impersonating Microsoft and Google, etc.
