Image of a palm

The Iranian Threat

MEASURES TO BE TAKEN

In light of geopolitical events in the Middle East, the Cybersecurity and Infrastructure Security Agency (CISA) released advisory information to help organizations take steps in understanding the threat from Iran and to apply defensive measures appropriately.

HolistiCyber’s deep experience in combatting Iranian threat actors allows us to understand the following:

1) Iranian nation-state aligned groups have long conducted under-the-radar information gathering cyber operations in order to gain civilian, market, and military intelligence

2) In carrying out information gathering, these threat actors gain stealthy footholds on public and private sector IT assets. These footholds hold a dual purpose; they also serve as part of the apparatus to facilitate a cyber attack when such order is given

3) We assume that Iranian cyber groups will, if commanded, utilize these footholds to deploy cyber-extortion through ransomware or wiper malware – primarily to generate a substantial impact to share domestically and among their allies as a retaliation success story.

RECOMMENDED ACTION

Given these points, HolistiCyber would urge any organization that is part of a strategically important supply chain, or high-profile industry, to review the CISA documentation and apply its recommendations. We would also recommend that companies carry out their own Business Impact Assessments – through the eyes of an Iranian threat and understand the critical assets that are most likely to be targeted. We would then recommend the threat be modelled utilizing the TTPs associated with Iranian groups – as summarized in the CISA documentation and also available on MITRE ATT&CK. Furthermore, HolistiCyber firmly believes that a Threat Hunting approach should be adopted – in order to detect existing footholds and reveal any attack vectors that can be leveraged by these TTPs. This process will also inform any countermeasures required in order to shut down these attack paths.

TECHNICAL DETAIL

HolistiCyber recommends organizations apply the following threat hunting exercises – which have been tailored to the Iranian threat (in addition to the CISA recommendations):

1. Analyze DNS communication. (Payloads inside DNS protocol, used for C&C communication)

2. Check schedulers. (AT, CRON, Scheduled tasks, Control M, etc.), likely for time bomb attack vectors which are commonly used

3. Scan for discrepancies in Registries.

4. Search for tampers in NTP protocol and the relationship between subordinate nodes.

5. Check Exchange server-side rule sets, for unrecognized rules. Pay attention to KNOWN rules, with identical titles, but with different configurations.

6. A notable characteristic is the use of DNS for command and control communication (C&C) and for data exfiltration. This feature is available both in Cobalt Strike and in Matryoshka.

7. In past incidents, the attackers breached an IT company, and used VPN access it had to client organizations to breach their networks.

8. Email baits are likely to mention Iran in a negative context in the content of the email or in the subject title of the email or in the attachment. This threat actor has performed social engineering to this effect that several times in the past.

9. Check certificate local storage, authenticate the certificates of Microsoft, Google and others directly with authentic CA’s. This threat actor had implemented selfsigned certificates in some of the severs they manage, impersonating Microsoft and Google, etc.

 

HolistiCyber

HolistiCyber enables organizations in their cyber defense challenge, providing them with state-of-the art consultancy, services & solutions to help them proactively and holistically defend themselves in a new era of constantly evolving cyber threats, many of which lead to nation state grade attacks.

Learn more…

Share:

Share on facebook
Share on twitter
Share on linkedin

We use cookies to provide the services and features offered on our website, and to improve our user experience.