TOP 5 ATT&CK techniques used by Threat Actors tied to Iran
On the 3rd of January 2020, the Iranian Major General Qasem Soleimani was killed in a US drone strike ordered by President Donald Trump at Baghdad International Airport. Since then, popular demonstrations and military responses have been seen coming from Iran. It is important to remember, however, that wars and military actions can also be carried out in cyberspace nowadays, and such responses are not always easy to spot. False flags and strong anonymity measures can make the attribution of cyberattacks increasingly difficult.
There are several advanced threat actor groups potentially tied to the Iranian government which have been performing operations in the past few years, like APT33, OilRig / APT34, APT39, Leafminer and MuddyWater, among others. We track their activities thanks to our Threat Context module:
OilRig / APT34 Threat Context actor profile
- T1193 – Spearphishing Attachment: Spearphishing is one of the most popular techniques advanced actors use to gain Initial Access. Groups like APT39, DarkHydrus and OilRig / APT34 have used it, relying on social engineering and attaching mostly Office and PDF documents to their malicious emails. This technique is usually tied to T1204 – User Execution, because the victim needs to open the malicious document. Some groups tied to Iran have also made use of T1189 – Drive-by Compromise, which requires no action from the user other than visiting a specific website.
- Protection:
  - Automatic e-mail analysis to detect and stop malicious attachments
  - Threat Intelligence services and feeds to support detection activities
  - Employee education and awareness
- T1086 – PowerShell: This is another technique widely used by all kinds of cybercriminals and malware today. PowerShell is present by default in modern Windows installations, so attackers use it to perform actions such as downloading and installing malware or changing system configuration. Actors like CopyKittens use PowerShell Empire, which gives them full control of infected machines with little effort.
- Protection:
  - Consider uninstalling PowerShell from systems if possible
  - Implement proper security policies to block or restrict certain PowerShell actions
- T1078 – Valid Accounts: As we detail in our report on The Credential Theft Ecosystem, a single compromised valid account can be the door that leads to the full compromise of an organization. Threat actors tied to Iran such as APT33, APT39 or OilRig / APT34 have used valid accounts for Initial Access, Privilege Escalation and Lateral Movement.
- Protection:
  - Good password policies that force frequent password changes and disallow password reuse can help mitigate this risk
  - Threat Intelligence services to detect credential leaks/theft and support the detection of malware infections that could steal credentials
  - Employee education and awareness
- T1003 – Credential Dumping: Once threat actors have access to compromised systems, a common behavior is to try to harvest all the credentials they can from those machines in order to move laterally or access other systems more easily. Attackers originating from Iran have used tools like mimikatz or ProcDump to accomplish this task.
- Protection:
  - Detecting the tools used to perform this technique can help prevent the dumping of credentials
  - Minimize the number of credentials stored in plain text (or in easy-to-decrypt/decode formats) in RAM, the registry or the file system
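As an added illustration of the detection-based protection for T1003 (example code written for this edit, not Blueliv's own tooling), the following Python scans constructed Sysmon-style ProcessCreate and ProcessAccess events for the two behaviours the text describes: execution of a known dumping tool such as ProcDump or mimikatz, and a process opening lsass.exe with read access to its memory. The simplified key=value event layout and the PROCESS_VM_READ heuristic are assumptions of the example.

```python
import re

# Constructed sample events (not from the post) in a simplified key=value
# layout whose field names mirror Sysmon Event ID 1 (ProcessCreate) and
# Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Tools\\procdump64.exe CommandLine="procdump64.exe -accepteula -ma lsass.exe out.dmp"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'EventID=10 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1010',
    'EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\system32\\lsass.exe GrantedAccess=0x1400',
    'EventID=1 Image=C:\\Windows\\System32\\taskmgr.exe CommandLine="taskmgr.exe"',
]

PROCESS_VM_READ = 0x0010            # access right required to read LSASS memory
DUMP_TOOLS = ("procdump", "mimikatz")  # tool names mentioned in the post


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def is_lsass(path):
    """True when the image path's file name is lsass.exe (case-insensitive)."""
    return path.lower().rsplit("\\", 1)[-1] == "lsass.exe"


def detect_credential_dumping(events):
    """Return (rule_name, event_index) tuples for events matching T1003 heuristics."""
    alerts = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "").lower()
            if any(tool in image for tool in DUMP_TOOLS):
                alerts.append(("known_dump_tool_executed", idx))
            elif "lsass" in cmd and "-ma" in cmd:   # full memory dump of lsass requested
                alerts.append(("lsass_dump_commandline", idx))
        elif ev.get("EventID") == "10":
            access = int(ev.get("GrantedAccess", "0"), 16)
            # Benign queries (e.g. 0x1400) lack the VM_READ bit; dumpers need it.
            if is_lsass(ev.get("TargetImage", "")) and access & PROCESS_VM_READ:
                alerts.append(("lsass_memory_read", idx))
    return alerts


if __name__ == "__main__":
    for rule, idx in detect_credential_dumping(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

Legitimate security products also read LSASS memory, so in production the lsass_memory_read rule needs a SourceImage allowlist to stay useful.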
- T1105 – Remote File Copy: This is probably one of the techniques most widely used in advanced intrusions. It is quite common to see threat actors copying tools and additional malware from servers they control onto victims' systems in order to support lateral movement. Iranian attackers are no exception, and they also use this technique in their activities.
- Protection:
  - Network traffic analysis to detect anomalies in incoming and outgoing traffic
  - Threat Intelligence services and feeds to support the detection of network activity toward known malicious servers
ATT&CK TTPs used by Threat Actors potentially tied to Iran. The darker the color red, the more actors use that technique.
This post was authored by the Blueliv Labs team
*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Blueliv Labs. Read the original post at: https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/threat-intelligence/top-5-attck-ttps-techniques-used-by-iran-threat-actors/