On Monday, Jan 6th, DHS warned US organizations about potential cyber-attacks from Iran and Iran-backed APT groups. The CISA alert was the first public acknowledgment from the US government about potential cyberattacks as retaliation for the drone strikes that killed Iran’s top general. According to CISA, these attacks are likely to come from either Iranian intelligence, their contractors, or pro-Iran Hacktivist groups.
Within 48 hours of the drone strike, a DHS website was already defaced with an anti-American message and vowing revenge.
While news of a potential cease-fire between the countries has been circulating in the media, experts warn us not to put our guard down. They were citing the previous example of Iran attacking after talks of a cease-fire.
The CISA alert mentioned 10 ATTACK techniques based on known intel from previous attacks. These include:
- Credential Dumping
- File obfuscation
- Data compression
- User Execution
- Registry modifications
- Remote file copying and
- Spear phishing
According to Recorded Future, APT groups 33, 34, and 39 have suspected government ties to Islamic Revolution Guard Corps and are believed to be more than capable of disrupting and damaging US systems. APT34 (aka OilRig) made news recently when their ZeroCleare Wiper Malware wiped at least 1,400 systems and caused massive damage to oil companies in the Middle East. Targeting an infected driver on a Windows machine, it quickly spread to other machines via their custom Wiper malware. Wiper attacks focus on destroying infrastructure and disrupting operations rather than on data exfiltration.
According to Recorded Future, these groups are likely to target what they refer to as ‘softer targets,’ meaning systems and services that are loosely protected and easy to pick off.
These APT groups have a history of working on behalf of the Iranian government to carry out cyberattacks across many industries and services, including financial, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defence industrial base.
For all of us, these warnings mean that IT organizations should be on high alert, which means paying close attention to our IoC during this sensitive time.
CISA recommends applying these five actions for the highest ROI:
- Disable unused ports and protocols.
- As a side note, you should also pay close attention to your logs for port scanning from outside and inside your network.
- Enhance monitoring of your network and email traffic
- This means try to get visibility into more aspects of your network. Reviewing your IDS/IPS logs, enable audit logging in your public cloud, look for IoC in your SIEM, enable sandboxing where ever possible – like your NGFW and email servers.
- Patch external-facing equipment
- This should be obvious, but if you haven’t patched a device because you can’t afford the downtime, this may be the justification you need to push out those patches.
- Log and limit the use of PowerShell
- As mentioned previously, PowerShell is a hacker’s best friend. Disable it or lock it down wherever possible
- Ensure backups are to date.
- This is specifically to protect you against ransomware. Test your backups and if needed, increase the interval of your backups until this risk has been lowered.
In addition to CISA’s recommendations and MITRE’s TTP defence – I’d also recommend you to block/alert on connections coming from Iran, Tor Nodes, or proxy servers.
Make sure you audit user accounts and disable old accounts from contractors or unused services.
Make sure you have alerts for user account logins from unusual IPs.
While these recommendations from CISA are a good starting point to any Cybersecurity plan, they are not all-encompassing. MITRE’s ATT&CK Navigator is used to view adversary groups’ techniques, tactics, and procedures. And since we know the APT groups that are likely to attack, we can use the Navigator to build out our defences based on their behaviour.
I’ve used the ATT&CK Navigator from MITRE to pull up APT 33 and 39 on this spreadsheet. I’ll also be posting a link below to the Navigator and on this spreadsheet. By using Navigator’s scoring system, we can apply colour indicators to see commonalities. APT33 is in red, group 39 in yellow, and techniques that both groups use in green—totalling over 40 techniques that these groups are known for, based on research from their previous attacks.
Our defence should be crafted around the specific attacks (or TTPs) we know APT 33 and 39 have utilized. At its most basic level, you can begin by looking up the techniques on MITRE’s website and making sure you apply the proper mitigations against each of them.
Let’s take the Initial Access category as an example. As indicated by the green, we know that both groups use spear phishing and valid accounts to gain initial access to our networks. Spear phishing, in any form, is an email that is targeting at a specific individual, usually via social media. The goal is to trick that individual into clicking on a click or downloading a malicious file. Unlike phishing emails, spear phishing is specially crafted for an individual, making it more likely that the individual will be tricked into thinking it’s legitimate.
If I’m an attacker targeting your organization, I will start by finding individuals that work there. A quick LinkedIn or Facebook should give me a long list of names that I can then query various social media platforms to find profiles. From there, I’d be looking at information from their profiles that I can use to exploit a weakness.
By visiting Monica’s Facebook page, I can see her likes, in some cases her location – and what activities she’s a part of the outside of work. Based on her preferences and posts, I can see that she’s an active member of her local church.
Spear phishing means that I have researched Monica, which led me to know what church she goes to – and now I can craft an email that looks like it’s coming from a member of her church. The likelihood that Monica will click on a link from – what she perceives is a member of her church – is much more likely. And this is what makes Spear phishing so effective. An effective spear-phishing campaign will not just grab personal information but also use FQDN’s that look similar and even create fake email addresses from her fellow church members. All this raises the likelihood that Monica opens that link.
Once Monica has clicked on the link – the damage is done, and the possibilities are endless. From here, it wouldn’t be hard to grab credentials I can then use for her work email. Chances are Monica uses the same or some variation of a similar password for her company email. Or worst, use her work laptop for visiting the fake church link or use her computer to sign into work resources. This is a common example of the three techniques used by APT 33 and 39 to gain initial access to your network. And since we know we’re being targeted by groups that specialize in this particular category, we should be putting a bigger emphasis on protecting against spear-phishing attacks.
This could include user awareness training, blocking social media sites from corporate systems, restricting user account logins to reputable geo-IP places, strong password policy implementation, and MFA for all user accounts.
And if you’re serious about proactive protection from Hacktivist groups like these, there are services available to monitor criminal underground communities for vulnerabilities targeting your organization.
If you have a SIEM, you can take the ATT&CK framework to the next level by setting up alerts set up for these specific TTPs. As usual, you should always have a plan in place for various portions of ATT&CK that should highlight what your organization should do if something is detected.