Following the US drone strike on the 2nd Jan, 2020, which targeted and killed General Qasem Soleimani, commander of the Iranian Revolutionary Guards' Quds Force, Iran has responded with rhetoric promising retaliation. In our opinion, this response can be expected to include cyber-attacks against US interests and US allies. We are particularly concerned for industries that are involved in critical supply chains, telecommunications, government and utilities.
What are the Likely Attack Methods?
- From previous experience with Iranian threat actor groups (APT 39 Oilrig/APT34, Elfin/APT34), we expect targeted spear phishing, or a mass phishing campaign, to be a significant attack method. We recommend that you use this topical event as an opportunity to reinforce user vigilance and enhance security awareness. Configure your email server to block or remove emails that contain URL links and file attachments that are commonly used to spread threats (.vbs, .bat, .exe, .pif and .scr).
- Oilrig/APT34 are known to have exploited low-cost or free VPN providers, gaining access to accounts that are subsequently used to gain a foothold (see the recent attacks against the energy sector in the Middle East). As such, we recommend that third-party VPN services are explicitly blocked by proxy/URL filters, and that any associated browser plugins on user machines are removed.
- We expect accounts that may already have been breached historically to be utilized in any targeted attack, so an elevated level of monitoring for abnormal account activity, privilege escalation and lateral movement is required. This may also be a good time to review password refresh policies and multifactor authentication.
- We recommend that you review third-party provider access controls, particularly for providers known to service the targeted industries. Third-party compromise is a proven method of intrusion; in some cases it is easier to execute and serves as an effective backdoor.
What is the Likely Objective?
From recent reports, we can expect the objective of an Iranian attack to be destruction and disruption rather than information stealing (though information theft should not be ruled out). We have seen reports of the “ZeroCleare” disk-wiping virus being used by Iranian threat actor groups. When executed, it will try to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines.
- The usual best-practice recommendations apply here: patch to the latest version, ensure antivirus is updated, disable AutoPlay, and make sure that programs and users of the computer use the lowest level of privileges necessary to complete a task.
- Train employees not to open attachments from untrusted sources. Use this as an opportunity to reinforce user security awareness for phishing.
- Restrict third-party access to limited hosts and services, and monitor for suspicious activity that may indicate supply chain attacks.
- Review third-party VPN policies to stop user-deployed free or low-cost services.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
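
As an added illustration of the attachment-blocking recommendation (example code, not part of the original advisory), this Python filter removes attachments with the listed extensions from a raw message, including double-extension and trailing-dot names. The function names, sample addresses and sample message are assumptions constructed for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions listed in the advisory above.
BLOCKED = (".vbs", ".bat", ".exe", ".pif", ".scr")

def is_blocked(filename):
    # Windows drops trailing dots/spaces, so "x.scr. " still opens as .scr;
    # matching only the final extension also catches "report.pdf.exe".
    return filename.strip().rstrip(". ").lower().endswith(BLOCKED)

def _prune(part, removed):
    """Drop blocked attachments below `part`, recursing into nested parts."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename()
        if name and is_blocked(name):
            removed.append(name)
        else:
            _prune(child, removed)
            kept.append(child)
    part.set_payload(kept)

def strip_blocked(raw):
    """Return (cleaned message, list of removed attachment names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    _prune(msg, removed)
    return msg, removed

def build_sample():
    """Constructed test message: one benign and two blocked attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Constructed sample"
    m.set_content("See attached.")
    for fname in ("notes.txt", "Invoice.PDF.EXE", "update.scr."):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_blocked(build_sample())
    print("removed:", removed)
    print("kept:", [p.get_filename() for p in cleaned.iter_attachments()])
```

The removed names can be written to the mail log so that a spike in blocked attachments is visible to whoever monitors for phishing campaigns.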