
The Latest Cyber Intelligence from Si

Following the US drone strike on 2nd January 2020, which targeted and killed General Qasem Soleimani, commander of the Iranian Revolutionary Guards' Quds Force, Iran has responded with rhetoric promising retaliation. In our opinion, this response can be expected to include cyber-attacks against US interests and those of its allies. We have particular concern for organisations involved in critical supply chains, telecommunications, government and utilities.

What are the Likely Attack Methods?

  1. From previous experience with Iranian threat actor groups (APT39, OilRig/APT34, Elfin/APT34) we expect targeted spear phishing, or a mass phishing campaign, to be a significant attack method. We recommend that you use this topical event as an opportunity to reinforce user vigilance and enhance security awareness. Configure your email server to block or remove emails that contain URL links and file attachments of the types commonly used to spread threats (.vbs, .bat, .exe, .pif and .scr).
  2. OilRig/APT34 is known to have exploited low-cost or free VPN providers, gaining access to accounts that were subsequently used to establish a foothold (see the recent attacks against the energy sector in the Middle East). We therefore recommend that third-party VPN services are explicitly blocked by proxy/URL filters, and that any associated browser plugins on user machines are removed.
  3. We expect accounts that may already have been breached historically to be used in any targeted attack, so an elevated level of monitoring for abnormal account activity, privilege escalation and lateral movement is required. This is also a good time to review password refresh policies and multifactor authentication.
  4. We recommend that you review third-party provider access controls, particularly for providers known to service the targeted industries. Third-party compromise is a proven method of intrusion; in some cases it is easier to execute and provides an effective backdoor.
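The monitoring described in point 3 (unfamiliar logon sources, privilege escalation and lateral movement) is easier to reason about with a concrete detection pass. The following is an added example and is not tooling from the Si advisory: it runs three checks over a constructed authentication log. The one-line log format (`<timestamp> <event> user= src= host=`), the event names `LOGON` and `PRIV_ASSIGNED`, the per-account source baseline and the ten-minute/three-host lateral-movement threshold are all assumptions made for the demonstration, not any real product's schema or tuning.

```python
"""Added example, not part of the Si advisory: detect the account-activity
patterns the advisory says to monitor (logons from unfamiliar sources,
privilege assignment after such a logon, and lateral movement) over a
constructed authentication log. The single-line log format used here is an
assumption for the demonstration, not any real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<u> src=<ip> host=<h>"
SAMPLE_LOG = """\
2020-01-06T08:01:00 LOGON user=alice src=10.0.1.15 host=WS-ALICE
2020-01-06T08:03:10 LOGON user=bob src=10.0.1.22 host=WS-BOB
2020-01-06T22:14:02 LOGON user=alice src=203.0.113.77 host=VPN-GW
2020-01-06T22:15:30 PRIV_ASSIGNED user=alice src=203.0.113.77 host=VPN-GW
2020-01-06T22:16:01 LOGON user=alice src=203.0.113.77 host=FILESRV01
2020-01-06T22:16:40 LOGON user=alice src=203.0.113.77 host=DC01
2020-01-06T22:17:12 LOGON user=alice src=203.0.113.77 host=HR-DB
2020-01-07T09:00:00 LOGON user=bob src=10.0.1.22 host=WS-BOB
"""

# Per-account baseline of source addresses seen in normal use (constructed;
# in practice built from weeks of historical logon data).
KNOWN_SOURCES = {"alice": {"10.0.1.15"}, "bob": {"10.0.1.22"}}

LATERAL_WINDOW = timedelta(minutes=10)  # look-back window for host fan-out
LATERAL_THRESHOLD = 3                   # distinct hosts in the window that trigger an alert


def parse_line(line: str) -> dict:
    """Split one log line into a record: timestamp, event and key=value fields."""
    ts, event, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def analyse(log_text: str, known_sources=KNOWN_SOURCES) -> list:
    """Return (kind, user, source, detail) alerts in the order they are raised."""
    alerts = []
    recent_logons = defaultdict(list)  # user -> [(timestamp, host)] inside the window
    reported_sources = set()           # (user, src) pairs already alerted on
    lateral_reported = set()           # users already alerted on for fan-out

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src, host = rec["user"], rec["src"], rec["host"]
        familiar = src in known_sources.get(user, set())

        if rec["event"] == "LOGON":
            # 1. logon from an address never seen for this account
            if not familiar and (user, src) not in reported_sources:
                reported_sources.add((user, src))
                alerts.append(("NEW_SOURCE", user, src, host))
            # 2. lateral movement: the same account reaching many hosts quickly
            cutoff = rec["ts"] - LATERAL_WINDOW
            recent = [(t, h) for t, h in recent_logons[user] if t >= cutoff]
            recent.append((rec["ts"], host))
            recent_logons[user] = recent
            hosts = sorted({h for _, h in recent})
            if len(hosts) >= LATERAL_THRESHOLD and user not in lateral_reported:
                lateral_reported.add(user)
                alerts.append(("LATERAL_MOVEMENT", user, src, ",".join(hosts)))
        elif rec["event"] == "PRIV_ASSIGNED" and not familiar:
            # 3. privilege granted in a session that came from an unfamiliar source
            alerts.append(("PRIV_FROM_UNKNOWN_SOURCE", user, src, host))

    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

On the sample log this raises three alerts for `alice`: a logon from an address outside her baseline, a privilege assignment in that same session, and three distinct hosts reached within ten minutes. The new-source check is reported once per (account, address) pair so that a single unfamiliar session does not flood the queue, and the baseline is the piece that needs real historical data; without it every logon looks new.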

What is the Likely Objective?

From recent reports we expect the objective of an Iranian attack to be destruction and disruption rather than information theft (though the latter should not be ruled out), and there have been reports of the ZeroCleare disk-wiping malware being used by Iranian threat actor groups. When executed, it attempts to overwrite the Master Boot Record (MBR) and disk partitions on Windows-based machines.
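Because the reported objective is overwriting the MBR, a defender wants a way to tell a known-good first sector from a tampered one. The following is an added example, not tooling from the Si advisory or from any ZeroCleare analysis: it parses a 512-byte sector, records a SHA-256 baseline, and reports findings (hash mismatch, missing `0x55AA` boot signature, empty partition table, all-zero sector). The sample sector and baseline are constructed so the block runs offline; a deployment would read the first 512 bytes of the physical disk with administrative rights and record its own baseline from a host known to be clean.

```python
"""Added example, not from the Si advisory: a defender-side integrity check on
the first disk sector (the MBR), which a wiper such as ZeroCleare is reported
to overwrite. It works on a 512-byte image so it runs offline; the image and
the baseline hash below are constructed, and a deployment would record its
own baseline from a known-good host."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR
PART_TABLE_OFFSET = 446            # four 16-byte partition entries follow
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR: a few bytes of boot code, one active NTFS partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PART_TABLE_OFFSET - 7)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + BOOT_SIGNATURE


def sector_hash(sector: bytes) -> str:
    """SHA-256 of the raw sector; this is what a baseline stores."""
    return hashlib.sha256(sector).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and non-empty partition entries from a raw sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions, "sha256": sector_hash(sector)}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline and looks sane."""
    info = parse_mbr(sector)
    findings = []
    if info["sha256"] != baseline_sha256:
        findings.append("sector hash differs from baseline")
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if not any(sector):
        findings.append("sector is all zeros")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_hash(good)
    print("known-good:", check_mbr(good, baseline) or "OK")
    print("zeroed    :", check_mbr(b"\x00" * SECTOR_SIZE, baseline))
```

The hash comparison is the decisive check; the structural checks exist so that a zeroed or randomised sector is described in terms an on-call analyst can act on even when no baseline was ever recorded. A legitimate change (repartitioning, a bootloader update) also changes the hash, so the baseline has to be refreshed as part of that change process rather than silently accepted.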

Recommendations

  • The usual best-practice recommendations apply here: patch to the latest versions, ensure antivirus is updated, disable AutoPlay, and make sure that programs and users run with the lowest level of privilege necessary to complete a task.
  • Train employees not to open attachments from untrusted sources. Use this as an opportunity to reinforce user security awareness around phishing.
  • Restrict third-party access to a limited set of hosts and services, and monitor for suspicious activity indicative of supply chain attacks.
  • Review third-party VPN policies to stop user-deployed free or low-cost services.
  • Configure your email server to block or remove email containing file attachments of the types commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
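The attachment-blocking advice in attack method 1 and in the last recommendation above is usually a mail-gateway setting, but the decision logic is worth seeing in full. The following is an added example, not configuration or code from the Si advisory: it inspects a constructed inbound message for attachments with the extensions the advisory names (.vbs, .bat, .exe, .pif, .scr), matches the final suffix case-insensitively so that a double extension such as `invoice.pdf.EXE` is caught, counts URL links in the text body, and returns the message with blocked parts stripped. The `quarantine`/`flag`/`deliver` verdicts and the sample sender and recipient addresses are assumptions for the demonstration.

```python
"""Added example, not the advisory's own tooling: inspect an inbound email for
the attachment types the advisory says to block (.vbs, .bat, .exe, .pif, .scr)
and for URL links, and strip the blocked parts. The message is constructed for
the demonstration; the quarantine/flag/deliver verdicts are an assumed local
policy."""
import email
import re
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".vbs", ".bat", ".exe", ".pif", ".scr")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed message: a URL in the body, one benign PDF, one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please review http://example.invalid/login the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # Double extension in mixed case: the check must look at the final suffix only.
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="Invoice_Jan2020.pdf.EXE")
    return msg.as_bytes()


def blocked_name(filename) -> bool:
    """True when the attachment name ends in one of the blocked extensions."""
    return bool(filename) and filename.lower().endswith(BLOCKED_EXTENSIONS)


def inspect_message(raw: bytes) -> dict:
    """Walk every MIME part (nested ones included) and classify the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked, kept, urls = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is not None:  # a named part, i.e. an attachment
            (blocked if blocked_name(name) else kept).append(name)
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    verdict = "quarantine" if blocked else ("flag" if urls else "deliver")
    return {"blocked": blocked, "kept": kept, "urls": urls, "verdict": verdict}


def _strip_parts(part) -> None:
    """Recursively drop blocked attachments from a multipart container."""
    if not part.is_multipart():
        return
    remaining = []
    for child in part.get_payload():
        if blocked_name(child.get_filename()):
            continue
        _strip_parts(child)
        remaining.append(child)
    part.set_payload(remaining)


def strip_blocked(raw: bytes) -> bytes:
    """Return the message re-serialised without its blocked attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _strip_parts(msg)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print(inspect_message(raw))
    print(inspect_message(strip_blocked(raw)))
```

The extension list here is exactly the advisory's; treat it as a floor and extend it as local policy requires, and keep the check as one layer alongside attachment sandboxing rather than the only control. Stripping changes the message a user receives, so the gateway should also log what was removed and from which sender, since that record is what the account-monitoring step correlates against later.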
