At the end of last year, we covered the Iranian hacker group, APT33, and warned it was scouting U.S. targets for attack.
However, since then, a top Iran general was killed during a recent U.S. military strike in Iraq. In response, Iran threatened retaliation. Thus, the FBI issued an alert that U.S. organizations need to be ready for cyber attacks.
The FBI notes that Iran tends to use cyberattacks to retaliate for its relative lack of conventional military capabilities. Also, Iranian threat actors have become increasingly effective and sophisticated.
Naturally, we should expect the Iranian attackers to focus on U.S. government and military resources, including state governments, utilities and infrastructure.
However, we should also be aware of the potential for collateral damage. Maersk was not the target of the NotPetya attack that cost the company hundreds of millions of dollars. It was simply high-profile collateral damage.
Additionally, and unmentioned in the FBI alert, to those organizations relying upon cybersecurity insurance, consider that the attacker is the government of Iran pursuing cyber warfare.
This likely will be considered warfare from a nation-state, and trigger the clause in most cybersecurity policies that excludes damages due to war, terrorism, or acts of God. In all probability, any damages from these attacks will be borne fully by the victim organization.
Iran: What to Expect, What to Do
The alert details a series of attacks since 2011.
It warned to expect a variety of attacks, from the inconvenience of a DDoS attacks or website defacement, to more destructive data-wiping malware.
One web defacement attack already hit the Federal Depository Library Program. However, assurances have been made that no data was compromised.
The FBI recommends taking the following steps to mitigate attacks:
- Disable all unnecessary ports and protocols
- Enhance monitoring of network and email traffic
- Patch externally facing equipment
- Log and Limit usage of PowerShell
- Ensure backups are up to date
Of course, these are the same basic foundational steps for security that any seasoned CISO will prioritize. Naturally, it isn’t quite that simple to execute.
Even after taking these steps, it’s strongly recommended that IT departments heavily monitor their systems.
Network security device logs should be reviewed to determine whether or not there are unnecessary ports and protocols that can be shut down. Common ports and protocols should also be reviewed for command and control activity. Also, emails should be monitored for new phishing attacks, and logs for PowerShell commands should be reviewed.
While these recommendations are also typical, they’re not all necessarily followed. Unfortunately, many IT departments struggle just to keep up with the current emergencies.
Teams are all-too-often pressed for time. Log reviews often become burdensome, thus they’re left to be completed by automated tools. And, a plethora of false positives leaves many alerts unread in inboxes.
Naturally, as an IT vendor, the team at Ideal Integrations understands these issues well. We not only set up IT systems, we also offer network and cybersecurity monitoring services.
We can also work with you to explore software and configuration options to make the processes more efficient for your team. We’ll work with your budget and internal resources to focus on just a portion of your current needs.
Don’t let your most urgent vulnerabilities remain unprotected as Iran gears up to attack.
If you’re monitoring your own systems, the FBI alert reminds us of the common attacks and techniques used by the known Iran threat actors. In the summary below, we’ll recap the types of expected attacks and basic methods for detection and mitigation.
How will the adversary typically gain access to the systems? The common methods are Credential Dumping, Spearphishing Links and Spearphishing Attachments.
The Spearphishing attacks are delivered via emails. Thus, the FBI recommends user training, inspection and blocking as the main mitigation techniques.
Inspection uses anti-virus software, network intrusion prevention systems, and email scanning (for URLs and attachments) to detect the malware prior to execution.
To prevent incidents missed by scanning, it is recommended to block websites and attachment file types that are unknown or not needed for business use. This may require a delicate balance for the IT team, as they weigh the risks of not-blocking versus user inconvenience.
Beyond these email methods, also take a hard look at remote access. While not directly attributed to Iran’s government, the SamSam malware attacks (on Atlanta, etc.) were attributed to Iran citizens, and have also been known to exploit VPN and RDP vulnerabilities.
Once inside the network, credential dumping comes into play as the attackers will try to pull credentials out of the memory on their victims’ devices. To counter this attack, the FBI recommends that you monitor the processes interacting with Isass.exe on Windows systems.
For Linux systems, monitor processes interacting with the maps file in the proc file system and alerting on the pid. Unexpected processes can indicate an attack in progress.
To mitigate against credential dumping attacks, the FBI recommends limiting credential overlap, disabling NTLM (NT LAN Manager) and managing access control lists to limit permissions for both “replicating directory changes” and domain controller replication.
While the FBI only suggests using complex, unique passwords, we recommend also using two-factor authentication whenever possible.
As an added layer of caution, ‘detonation chambers,’ or sandboxes, can be used to open attachments or click on links to see how the files will behave. Just keep in mind that some malware has been built to detect a sandbox environment and conceal it’s true nature.
During the malware attack, perpetrators will try to conceal their activities using defensive evasion techniques such as obfuscated files or information and/or scripting.
Scripting uses a file to execute multiple commands in a process much faster than through manual execution. Many scripts rely upon a victim to accidentally execute the file or a macro embedded in a file.
However, attackers can also load and execute scripts after they have entry into the network.
To prevent scripts from executing, enable “Protected View” for Office security settings, block macros through “Group Policy,” and restrict access to scripting engines (EX: VB Script) and scriptable frameworks (EX: PowerShell, see more below).
After protections are in place, it will become easier to monitor processes and detect users attempting to run scripts or give themselves permissions to run scripts. Another detection method is to watch for execution of Office programs (such as WinWord.exe) that spawn command line (cmd.exe) or script applications (ex: wscript.exe).
Naturally, adversaries know that anti-virus and IT monitoring are trying to detect their malicious activities, so they use obfuscation to hide the true nature of files and information. For example, the malware files may be compressed or encrypted to avoid detection. Alternatively, the malware may be separated to avoid detection only to be put together through user action or scripting.
The FBI recommends using Antimalware Scan Interface within Windows 10 to mitigate obfuscated files, and to watch for the same process indicators already monitored for credential dumping (see above).
No matter how the malicious payload is delivered, the malware requires execution to work.
The main methods of execution are Scripting (covered above), PowerShell, and User Execution.
Powershell is a common command-line interface within Windows used to execute scripts. In some environments, Powershell can be removed, but for environments where Powershell is required, the use can be restricted to specific users and to execute only signed scripts.
To detect unauthorized Powershell usage, turn on Powershell logging and monitor loading and execution of assemblies specific to PowerShell, such as System.Management.Automation.dll.
Often, a user will be tricked into executing malware through phishing attacks. However, once on a network, malicious actors can place files in common directories in hopes that they can trick a user with higher permissions (i.e. admin rights) into executing the file.
As with phishing, the FBI recommends user training, link monitoring and file type restrictions to mitigate this type of attack. Application whitelisting can add additional protection, but the IT department will need a full list of potential applications to avoid a long help-desk queue.
Detecting a user’s execution of a malware file requires the same methods used to detect phishing and script execution.
Once in the system, an attacker will attempt to move laterally.
In order to achieve that, that attack may involve: using Remote File Copy; finding ways to persist on the system using Registry Run Keys/Startup Folder attacks; and exfiltrating data using a combination of Remote File Copy and Data Compression.
Most of these attacks cannot be easily mitigated since they use features inherent to the operating system. However, Remote File Copy and Data Compression can be monitored by looking for unusual data transfer of FTP, using data loss prevention tools, or using network intrusion prevention tools.
Remote File Copy can be detected by analyzing packet contents for unexpected protocol behavior for used ports, uncommon data flows, unusual utility use (i.e. a surge in FTP usage), and files created and transferred within the network over SMB.
Data Compression can be detected by monitoring processes and command-line arguments for known compression utilities (7zip, rar, etc.).
Registry Run Keys/Startup Folder attacks, while not easily mitigated, are found by monitoring registry changes and “start folder” changes that do not correlate with known software or patch cycles. Some tools, such as Sysinternals Autoruns, can also be used to discover system changes.
Monitoring all of the potential attack methods and systems can put quite a burden on your IT team, but in our modern age of cyber warfare, we must be vigilant.
If your team needs assistance, contact us by calling 412-349-6680, or by completing the form below.