
Threat Research Team Communication Concerning Potential Heightened Activity from Iran

On January 3, 2020, U.S. military assets conducted a kinetic strike in Iraq targeting and killing Iranian Maj. Gen. Qasem Soleimani, leader of the Islamic Revolutionary Guard Corps (IRGC) Quds Force. The U.S. claims this attack was in response to the potential planning and conducting of operations against U.S. assets and interests. Since the success of the kinetic strike, U.S. government and commercial organizations have heightened their vigilance against both cyber and physical attacks that could originate from Iranian state-sponsored or proxy organizations.


Key Judgments:

  • It is highly likely that Iranian state-sponsored or proxy organizations will conduct both kinetic and cyber-attacks against U.S. interests in response to the airstrike that killed IRGC QF commander Soleimani.
  • Iranian and Iranian-proxy cyber efforts may focus attacks on organizations and infrastructure that are in, or of value to, the US and in the Middle East, notably Saudi Arabia.
  • Federal organizations, including DoD, DoE and DoS, as well as commercial organizations in Healthcare, Financial Services, Oil and Gas, and telecommunications within the U.S., should update their threat models to include known Iranian state-sponsored Tactics, Techniques and Procedures.
  • Transit and Oil and Gas in the Middle East and the Kingdom of Saudi Arabia should be on heightened alert against Iranian or Iranian-proxy exploitation attempts.

Current TRT Activity

  • Updating and Monitoring of Priority Intelligence Requirements (PIRs) to focus on potential Iranian or proxy activity
  • Ensuring all known attributed Indicators of Compromise (IOCs) are up to date for Fidelis Insight Policy threat feeds
  • Review of current Countermeasures related to Iranian activity/groups
  • Maintaining observation against traffic originating from Iranian-owned IP space or known-used infrastructure

Historical Attributed Activity to Iran
Iran’s cyber activity can be seen as a sort of long game. Iran typically spends a large amount of effort and time on open-source intelligence gathering during the reconnaissance phase, as well as pre-engagement social engineering and persistence operations to increase the likelihood of success.

Iranian actors have historically been known to compromise a user’s email account and identify potential means of access from already existing emails in a user’s inbox, such as reviving old threads to exploit the trust of a user’s contacts within an organization and using that trust to increase the likelihood of infection.

Analyst comment: It is assessed that APT34 is the unit that handles social engineering, persistence, and reconnaissance.

Iranian threat actor groups are known to have extensive social media operations, using platforms such as Facebook, LinkedIn, and possibly other social media sites to profile potential victims and establish relationships with high-value targets. The actors often use exposed public information to carefully craft social engineering, spear phishing, and phishing campaigns against their targets. Of note, there has been an overlap in malware infrastructure, where malware from Hidden Cobra (MITRE G0032), and sometimes from India, uses Iranian IPs. This could be for potential misattribution of other nation-state sponsored adversaries.

Historically targeted sectors

  • Financial Services
  • Gov/Defense/Aerospace
  • Energy / Oil / Gas
  • Telecommunications
  • Chemical
  • Travel and Transportation
  • Academic / Education
  • Human Rights activist(s)
  • Media

Historically targeted countries

  • USA
  • KSA
  • UAE
  • Kuwait
  • South Korea
  • Turkey
  • EU/UK
  • Israel
  • Jordan
  • Germany

Attributed Iranian State-Sponsored or Proxy Adversaries

  • APT33 (aka: Elfin, MITRE G0064)
  • APT39 (aka: Chafer, MITRE G0087)
  • APT34 (aka: OilRig, Helix Kitten, MITRE G0049)
  • APT35 (aka: Rocket Kitten, Magic Hound, Newscaster, Woolen-Goldfish, MITRE G0059)
  • Charming Kitten (MITRE G0058)
  • Cleaver (aka: Threat Group 2889, TG-2889, MITRE G0003)
  • Copy Kittens (MITRE G0052)
  • Group5 (MITRE G0043)
  • Leafminer (aka: Raspite, MITRE G0077)
  • MuddyWater (aka: Seedworm, TEMP.Zagros, MITRE G0069)

The charts below are visual representations of the risk that a few of the above-mentioned adversary groups present. The risk score is a calculated figure, between 0 and 100, derived from the values of six (6) attributes that take into account observable patterns and behaviors of the adversary. The risk matrix is based on qualitative, analytical attributes that are supported by the adversary’s motivations, influences, and capabilities, and it serves to provide analysts and decision makers with a reference for the potential risk an adversary may pose to their organization.

Figure 1: Fidelis TRT Adversary Risk Matrix, APT35


Figure 2: Fidelis TRT Adversary Risk Matrix, APT34


Figure 3: Fidelis TRT Adversary Risk Matrix, APT33

Additionally, Iran has proxies throughout the Middle East that have acted at its direction. These threats can originate from Syria, Lebanon, and Yemen. Additionally, Iran maintains relations with Russia, China, and potentially Venezuela.

Relevant Threats and Vulnerabilities
Fidelis TRT assesses that the following vulnerabilities and risks will continue to pose relevant threats to organizations across multiple industries. These vulnerabilities and threats can be, and have been, leveraged by multiple Adversaries, including but not limited to Iranian-linked groups.

Vulnerabilities in VPN Providers and Services
Iranian threat groups have previously been reported to exploit vulnerabilities in VPN services to gain initial access and a foothold in targeted systems. The following vulnerabilities have recently been observed being exploited in the wild in various campaigns, and can potentially be leveraged by Iranian groups (TRT advises that regardless of Iranian exploitation and adoption, these product vulnerabilities should be addressed by security teams):

  • CVE-2019-11510 (Pulse Secure)
  • CVE-2019-1579 (Palo Alto GlobalProtect)
  • CVE-2018-13379 (Fortinet FortiGate)

The best course of action to defend against these vulnerabilities is to ensure these products and devices are patched with the latest updates provided by the vendor.

Content Management System Pages and Add-Ons
Vulnerabilities in Content Management Systems (CMS) pages like Drupal, WordPress, and Joomla are commonly abused by Adversaries of both low and well-resourced capabilities. Exploitation of CMS and plug-in vulnerabilities may allow Adversaries to read, modify, create, or delete files and execute malicious code. Examples of severe CMS vulnerabilities known to be leveraged in previous attacks by Adversaries in general include Drupalgeddon (CVE-2014-3704), Drupalgeddon 2 (CVE-2018-7600), and Drupalgeddon 3 (CVE-2018-7602).

Adversaries, including those tied to Iran, have also demonstrated intent to target vulnerabilities in Microsoft SharePoint, the most recent critical vulnerability being CVE-2019-0604. Patches have already been released for this vulnerability as well.

On 4 January 2019, multiple websites were defaced with anti-American, pro-Iranian images and messages, although the involvement of state-sponsored groups is unconfirmed and unlikely. Analysis of the defaced website of the US Federal Depository Library Program (fdlp.gov) showed that the site was running old, vulnerable Joomla plug-ins, which may have been used as one of the initial attack vectors.

Assessment
Most Likely Course of Action
In the short term, it is very likely that scanning and exploitation against older vulnerabilities in popular software will continue both by domestic hacktivists and regime sympathizers, as well as state-sponsored groups attempting to probe for easily exploitable weaknesses. This will result in site defacement, denial of service, and exfiltration or leakage of sensitive information. Many of these attempts may also be carried out via phishing and social engineering, a staple of Iranian techniques.

Iranian and Iranian-proxy cyber efforts will likely focus attacks on organizations and infrastructure that are in, or of value to, the US and in the Middle East, notably Saudi Arabia; however, as stated, well-documented high and critical vulnerabilities in widely used software and services will be leveraged for initial access and compromise using open-source tools.

Most Dangerous Course of Action
Iran has demonstrated its capabilities to carry out cyber-attacks that result in significant disruption and destruction of assets, resources, and services, and recent events may trigger such action in the future. High-value targets include organizations and companies in the energy (nuclear, oil/gas exploration and refinement), government (local, state, and federal services, civil servants, elected officials), aerospace/defense, financial (banks, stock exchange), telecommunications, and utilities (water/electrical power providers and customers/consumers, SCADA systems, other critical infrastructure) industries.

Additionally, Iran’s investment in cyber warfare and long-term scale of operations may have allowed it to quietly establish a foothold in targeted systems with malware that has yet to be weaponized. This leaves open the possibility that previously unknown strains of malware, or undisclosed and unknown vulnerabilities (0-days), that have not been analyzed for detection or prevention purposes can be activated or executed. The gap in awareness of these threats may leave targets open to full compromise, whether it be data and system content exfiltration or destruction.

As stated by cybersecurity researchers specializing in Iranian activity, “We will be hit by something we didn’t even think about. The Iranians are very smart, patient, and strategic; they have been learning, practicing, and executing the art of shadow battle for decades, using asymmetric methods and attacking from a place or time we do not expect, and have not foreseen.”

Confidence and Probability Statements
Fidelis TRT assesses with high confidence that older vulnerabilities in popular software will continue to be exploited and leveraged in attacks for the foreseeable future. TRT continues to observe (from both internal telemetry and external reporting) exploitation attempts by Adversaries leveraging older vulnerabilities in highly popular software and services including Apache (Struts, Solr, etc.), Oracle WebLogic, Adobe Flash, Microsoft Internet Explorer, Microsoft Office, and CMS pages and plug-ins (as described previously). Fidelis TRT prioritizes these threats, as the risk of exploitation or compromise through such vulnerabilities in popular software is most relevant, compared to focusing on specific tactics of only a handful of groups. These “low hanging fruit” opportunities provide a means to deliver additional malware and are of high interest to Adversaries, including Iranian groups, and will continue to be of primary concern.

Phishing and social engineering attempts have been a staple of previously reported Iranian nation-state cyber-attacks. As always, we emphasize the importance of operational security hygiene and vigilance when it comes to email attachments and suspicious links. This precaution extends to protecting against most Adversaries. While the most extreme and dangerous scenario, destructive malware deployed against critical infrastructure, has been propagated over the last few days, this remains an intelligence gap as there is little detail available to determine the probability of this and make any sound recommendations or counteractions at this time. The timing, targets, artifacts, tools, and techniques used to carry out any catastrophic attack are currently unknown, and it is prudent to continue to focus on current and relevant threats while maintaining vigilance of peripheral risks.

Appendix
Confidence is a judgment based on three factors:

  1. Strength of knowledge base, to include the quality of the sources and our depth of understanding about the issue
  2. Number and importance of assumptions used to fill information gaps
  3. Strength of logic underpinning the argument, which encompasses the number and strength of analytic inferences as well as the rigor of the analytic methodology in the product

HIGH: Well-corroborated information from proven sources, minimal assumptions, and/or strong logical inferences
MODERATE: Partially corroborated information from good sources, several assumptions, and/or mixture of strong and weak inferences
LOW: Uncorroborated information from good or marginal sources, many assumptions, and/or mostly weak inferences

References
https://medium.com/@sshell_/brief-analysis-of-the-fdlp-gov-deface-980caba9c786
https://www.cyber.nj.gov/alerts-and-advisories/20191015/apt-actors-actively-exploitingpopular-vpn-applications
https://cybershafarat.com/2020/01/04/jellyteeth/
https://cyber.gc.ca/fr/avis/maliciel-china-chopper-affectant-les-serveurs-sharepoint
https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulsesecure-vpn-servers/
