As we are all connected through systems and platforms to the rest of the world, we have to
appreciate that the tools being used are not specific to any one region and that our data
can be affected. Please see below the latest Cyber Alert and ensure you take the necessary
precautions to safeguard data, as we in the Caribbean are NOT immune to these worldwide
cyber threats.
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the
following information with the cybersecurity community as a primer for
assisting in the protection of our Nation’s critical infrastructure in light of
the current tensions between the Islamic Republic of Iran and the United States
and Iran’s historic use of cyber offensive activities to retaliate against
perceived harm. Foremost, CISA recommends organizations take the following
actions:
- Adopt a state of heightened awareness. This includes minimizing coverage gaps in
  personnel availability, more consistently consuming relevant threat intelligence, and
  making sure emergency call trees are up to date.
- Increase organizational vigilance. Ensure security personnel are monitoring key
  internal security capabilities and that they know how to identify anomalous behavior.
  Flag any known Iranian indicators of compromise and tactics, techniques, and procedures
  (TTPs) for immediate response.
- Confirm reporting processes. Ensure personnel know how and when to report an incident.
- Exercise organizational incident response plans. Ensure personnel are familiar with the
  key steps they need to take during an incident. Do they have the accesses they need? Do
  they know the processes? Are your various data sources logging as expected? Ensure
  personnel are positioned to act in a calm and unified manner.
Technical Details
Iranian Cyber Threat Profile
Iran has a history of leveraging asymmetric tactics to pursue national
interests beyond its conventional capabilities. More recently, its use of
offensive cyber operations is an extension of that doctrine. Iran has exercised
its increasingly sophisticated capabilities to suppress both social and
political perspectives deemed dangerous to Iran and to harm regional and
international opponents.
Iranian cyber threat actors have continuously improved their offensive
cyber capabilities. They continue to engage in more “conventional” activities
ranging from website defacement, distributed denial of service (DDoS) attacks,
and theft of personally identifiable information (PII), but they have also
demonstrated a willingness to push the boundaries of their activities, which
include destructive wiper malware and, potentially, cyber-enabled kinetic
attacks.
The U.S. intelligence community and various private sector threat
intelligence organizations have identified the Islamic Revolutionary Guard
Corps (IRGC) as a driving force behind Iranian state-sponsored
cyberattacks–either through contractors in the Iranian private sector or by the
IRGC itself.
Iranian Cyber Activity
According to open-source information, offensive cyber operations targeting
a variety of industries and organizations—including financial services, energy,
government facilities, chemical, healthcare, critical manufacturing,
communications, and the defense industrial base—have been attributed, or
allegedly attributed, to the Iranian government. The same reporting has
associated Iranian actors with a range of high-profile attacks, including the
following:
- Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In response to this
  activity, in March 2016, the U.S. Department of Justice indicted seven Iranian actors
  employed by companies performing work on behalf of the IRGC for conducting DDoS attacks
  primarily targeting the public-facing websites of U.S. banks. The attacks prevented
  customers from accessing their accounts and cost the banks millions of dollars in
  remediation.
- August/September 2013 – Unauthorized Access to Dam in New York State: In response, in
  March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a
  company performing work on behalf of the IRGC for illegally accessing the supervisory
  control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The
  access allowed the actor to obtain information regarding the status and operation of
  the dam.
- February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors hacked into the
  Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including
  credit card data, Social Security Numbers, and driver’s license numbers. According to a
  Bloomberg article from December 2014, the attack also involved a destructive portion,
  in which the Sands Las Vegas Corporation’s computer systems were wiped. In September
  2015, the U.S. Director of National Intelligence identified the Iranian government as
  the perpetrator of the attack in a Statement for the Record to the House Permanent
  Select Committee on Intelligence.
- 2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in March 2018, the
  U.S. Justice Department indicted nine Iranian actors associated with the Mabna Institute
  for conducting a massive cyber theft campaign containing dozens of individual incidents,
  including “many on behalf of the IRGC.” The thefts targeted academic and intellectual
  property data as well as email account credentials. According to the indictment, the
  campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries,
  47 domestic and foreign private sector companies, the U.S. Department of Labor, the
  Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the
  United Nations, and the United Nations Children’s Fund.”
Mitigations
Recommended Actions
The following is a composite of actionable technical recommendations for IT
professionals and providers to reduce their overall vulnerability. These
recommendations are not exhaustive; rather they focus on the actions that will
likely have the highest return on investment. In general, CISA recommends two
courses of action in the face of potential threat from Iranian actors: 1)
vulnerability mitigation and 2) incident preparation.
- Disable all unnecessary ports and protocols. Review network security device logs and
  determine whether to shut off unnecessary ports and protocols. Monitor common ports and
  protocols for command and control activity.
- Enhance monitoring of network and email traffic. Review network signatures and
  indicators for focused operations activities, monitor for new phishing themes and adjust
  email rules accordingly, and follow best practices of restricting attachments via email
  or other mechanisms.
- Patch externally facing equipment. Focus on patching critical and high vulnerabilities
  that allow for remote code execution or denial of service on externally facing
  equipment.
- Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and
  accounts that need it, enable code signing of PowerShell scripts, and enable logging of
  all PowerShell commands.
- Ensure backups are up to date and stored in an easily retrievable location that is
  air-gapped from the organizational network.
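The PowerShell recommendation above can be applied with a short administrative script. The following is an added example, not part of the CISA alert or CTTL's material: it writes the same registry-backed policy values that the Group Policy objects for script block logging, module logging and transcription set, enforces signed scripts with the AllSigned execution policy, and then reads the settings back. The transcript directory is an assumed path; restricting which accounts may run PowerShell at all (for example with AppLocker) is a separate control not covered here. Run it in an elevated session.

```powershell
# Added example (not from the CISA alert): enable PowerShell auditing and enforce
# code signing on a Windows host. Run in an elevated PowerShell session.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed path; use a directory your SIEM collects from

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Script block logging: records the de-obfuscated script text as event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational, including what -EncodedCommand decodes to.
Set-PolicyDword "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for every module: pipeline execution detail as event ID 4103.
Set-PolicyDword "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
$ModuleNames = "$PolicyRoot\ModuleLogging\ModuleNames"
if (-not (Test-Path $ModuleNames)) { New-Item -Path $ModuleNames -Force | Out-Null }
New-ItemProperty -Path $ModuleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Transcription of every session (with invocation timestamps) to a collected directory.
if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
Set-PolicyDword "$PolicyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyDword "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
New-ItemProperty -Path "$PolicyRoot\Transcription" -Name 'OutputDirectory' `
    -Value $TranscriptDir -PropertyType String -Force | Out-Null

# 4. Require signed scripts machine-wide (the alert's "enable code signing of PowerShell
#    scripts"). AllSigned blocks unsigned .ps1 files but not interactive commands, which is
#    why the logging above still matters.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 5. Verify: read the effective settings back and show the newest script block events.
function Get-PowerShellAuditState {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging").EnableScriptBlockLogging
        ModuleLogging      = (Get-ItemProperty "$PolicyRoot\ModuleLogging").EnableModuleLogging
        Transcription      = (Get-ItemProperty "$PolicyRoot\Transcription").EnableTranscripting
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
    }
}
Get-PowerShellAuditState | Format-List

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-Table -Wrap
```

Forward the Microsoft-Windows-PowerShell/Operational log and the transcript directory to central collection; local copies are exactly what a wiper or an attacker with administrative rights would clear first.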
Patterns of Publicly Known Iranian Advanced Persistent Threats
The following mitigations and detection recommendations regarding publicly
known Iranian advanced persistent threat (APT) techniques are based on
the MITRE ATT&CK Framework.
Iranian APT Techniques
- Credential Dumping
- Obfuscated Files or Information
- Data Compressed
- PowerShell
- User Execution
- Scripting
- Registry Run Keys/Startup Folder
- Remote File Copy
- Spearphishing
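Several of the techniques in the list above leave artefacts on the endpoint that can be checked without any special tooling. The script below is an added example, not from the CISA alert or CTTL: it is a read-only triage pass over a Windows host that enumerates Registry Run Keys and Startup Folder entries, and searches recent script block log events (ID 4104, which requires script block logging to be enabled) for patterns associated with PowerShell, Scripting, Obfuscated Files or Information and Data Compressed. The indicator patterns are constructed for this example and should be tuned; administrative tooling will produce some benign hits. Run it elevated so HKLM and the operational log are readable.

```powershell
# Added example (not from the CISA alert): read-only host triage for the listed
# ATT&CK techniques that leave local artefacts. Run elevated.

# Persistence: every autorun registry value and startup-folder item on the host.
function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Metadata properties that Get-ItemProperty adds to every result; not autorun values.
    $psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Indicator patterns for the script block text (constructed for this example; tune locally).
$SuspiciousPatterns = @{
    'Obfuscated: encoded command'       = '(?i)-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}'
    'Obfuscated: base64 decode to eval' = '(?i)FromBase64String.*(iex|Invoke-Expression)|(iex|Invoke-Expression).*FromBase64String'
    'Data Compressed: in-memory stream' = '(?i)(GzipStream|DeflateStream)'
    'Scripting: remote content to eval' = '(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest).*(iex|Invoke-Expression)'
    'Persistence: touches Run key'      = '(?i)CurrentVersion\\Run'
}

# Scan the newest script block events and report each pattern match with a short snippet.
function Find-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $script = [string]$ev.Properties[2].Value   # Properties[2] is ScriptBlockText for 4104
        foreach ($label in $SuspiciousPatterns.Keys) {
            if ($script -match $SuspiciousPatterns[$label]) {
                [pscustomobject]@{
                    Time      = $ev.TimeCreated
                    Indicator = $label
                    Snippet   = $script.Substring(0, [Math]::Min(120, $script.Length))
                }
            }
        }
    }
}

Write-Host '== Autorun persistence entries =='
Get-AutorunEntries | Format-Table -AutoSize -Wrap

Write-Host '== Script block log hits (event ID 4104) =='
Find-SuspiciousScriptBlocks | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Baseline the autorun output on a known-good build of each system image so that a new or changed entry stands out; the value of this check is the diff against that baseline, not the raw list.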
More Information – Mitigation and Detection Techniques:
https://www.us-cert.gov/ncas/alerts/aa20-006a
Contact us at any time: www.cttl.net | transform@cttl.net | 1-868-332-2885 (CTTL)
