The Looming Threat of Asymmetric Cyber Warfare with Iran

As the threat of military escalation between Iran and the United States subsides, military and intelligence officials are seeing an increase in malicious cyber activity by pro-Iranian hackers targeting US interests. This is a classic example of asymmetric warfare given the disparity in military capabilities between the two countries.

Given our heavy reliance on the internet and digital infrastructure, this presents a large and lucrative target to any adversary. In fact, the attacks don’t even have to target government assets.

Arguably, enterprises, state and local governments, utilities, etc. all provide a large and oftentimes vulnerable attack surface. It is also perhaps worth pointing out that Iranian digital infrastructure does not provide anywhere close to the same kind of attack surface, again emphasizing the asymmetric nature of this battle.

As organizations think through their security strategy in light of this threat, it is important to understand the “MO” of the threat actors, i.e. the tactics, techniques, and procedures (TTPs) they use. Understanding these TTPs then allows for an assessment of the controls in place to protect against them. To help with this effort, we start with a listing of the threat groups known to be aligned with Iranian interests: APT33, APT34/OilRig, APT35/Magic Hound/Charming Kitten, CopyKittens, Group 5, Leafminer, MuddyWater and Threat Group 2889 / Cleaver.

In general, Awake has observed these groups launch destructive malware, website defacement, social account takeover, corporate account takeover, and disinformation and influence campaigns. We advise organizations to be especially cognizant of increased activity with fake social media accounts (LinkedIn, Facebook, etc.) used to compromise end-users. In addition to security hygiene, Awake specifically recommends all external-facing accounts have multi-factor authentication enabled and all critical data and systems have offline backups.

More specifically, we found the list of TTPs published by the Cybersecurity & Infrastructure Security Agency (CISA) helpful. We summarize these below along with references to definitions based on the MITRE ATT&CK Framework.

Credential Dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Awake tackles credential dumping in a number of ways. Our models successfully identify users accessing sensitive shares and files on file servers, as well as actors employing tools used for credential dumping such as pwdump, Mimikatz, and several other popular tools. A great example of this was seen at one of our customers when an external actor was attempting to dump the credentials of an internal server exposed to the Internet by using one of these popular tools. Awake immediately identified this activity based on the behavior that was being exhibited.

Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is a common behavior that can be used across different platforms and the network to evade defenses.

Iranian APT groups have been known to obfuscate files and information with base64 encoding, which is trivial to decode. Awake identifies data that is obfuscated with techniques such as base64 encoding, regardless of whether it is moving North-South or East-West. This is also true for HTTP authorization attempts. Furthermore, our adversarial models identify when default credentials are in use.
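The kind of check described above can be reproduced on a small scale in a few lines. The following is an added example, not Awake’s code or any part of its platform: it parses constructed HTTP request log lines, decodes base64 wherever it appears in headers (HTTP Basic authorization included), and flags credentials that match an assumed list of factory defaults. The log format, the sample requests and the default-credential list are all invented for the example.

```python
import base64
import binascii
import re

# Constructed sample: HTTP requests flattened to one line each ("request line | Header: value | ...")
# as a proxy or network sensor might log them. Invented for this example, not real traffic.
SAMPLE_REQUESTS = [
    "GET /admin HTTP/1.1 | Host: intranet.example.test | Authorization: Basic YWRtaW46YWRtaW4=",
    "GET /api/v1/status HTTP/1.1 | Host: api.example.test | Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "POST /upload HTTP/1.1 | Host: files.example.test | X-Data: SGVsbG8sIHdvcmxkIQ==",
    "GET /index.html HTTP/1.1 | Host: www.example.test | User-Agent: Mozilla/5.0",
]

# Assumed list of factory-default username/password pairs (extend it from your own asset inventory).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("guest", "guest")}

# Headers whose values are handled separately or never carry base64 text; skipped to limit false positives.
SKIP_HEADERS = {"authorization", "host", "user-agent"}

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def try_b64_decode(token):
    """Return the decoded text if token is well-formed base64 of printable UTF-8, else None."""
    if len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and all(ch.isprintable() for ch in text) else None


def parse_request(line):
    """Split a flattened log line into (request_line, {header_name_lower: value})."""
    parts = [p.strip() for p in line.split("|")]
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers


def inspect_request(line):
    """Return a list of findings for one logged request (empty list when nothing stands out)."""
    findings = []
    _, headers = parse_request(line)

    # HTTP Basic auth is base64 of "user:password": decode it and compare against the defaults.
    auth_parts = headers.get("authorization", "").split(None, 1)
    if len(auth_parts) == 2 and auth_parts[0].lower() == "basic":
        decoded = try_b64_decode(auth_parts[1])
        if decoded and ":" in decoded:
            user, _, password = decoded.partition(":")
            findings.append(f"basic-auth credentials sent for user '{user}'")
            if (user, password) in DEFAULT_CREDENTIALS:
                findings.append(f"default credentials in use: {user}:{password}")

    # Any other header carrying a base64 blob that decodes to readable text.
    for name, value in headers.items():
        if name in SKIP_HEADERS:
            continue
        for token in value.split():
            decoded = try_b64_decode(token)
            if decoded:
                findings.append(f"base64-encoded text in header '{name}': {decoded!r}")
    return findings


def scan(lines=SAMPLE_REQUESTS):
    """Map each request line to its findings, keeping only requests that produced any."""
    return {line: inspect_request(line) for line in lines if inspect_request(line)}


if __name__ == "__main__":
    for line, findings in scan().items():
        print(line)
        for finding in findings:
            print("   ->", finding)
```

The decoder deliberately insists on printable UTF-8 and a multiple-of-four length: random-looking tokens such as session IDs will often pass a base64 alphabet check, and requiring a readable result is what keeps this usable on real proxy logs. Basic authorization is checked first because it is the one place where base64 is guaranteed to carry a credential.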

Data Compressed

An adversary may compress data (e.g., sensitive documents) that have been collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program, algorithm, or more commonly a compression library or utility.

Awake has several different adversarial models that will successfully identify exfiltration, even if the data is encoded or encrypted. A recent hunt in a customer network revealed that an adventurous employee decided to encode backups with a custom encoding, which was trivially detected by the Awake platform.
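To show what distinguishes compressed or custom-encoded data from ordinary documents at the byte level, here is an added example (not Awake’s code or its models): it labels an outbound payload by archive magic bytes first, and falls back to a Shannon entropy estimate for data that has been scrambled with a home-grown encoding and so carries no recognizable header. The three payloads, the “BKUP” tag of the custom encoding and the 7.0 bits-per-byte threshold are all constructed assumptions for the example.

```python
import gzip
import hashlib
import math

# Magic-byte prefixes of common archive/compression formats.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def identify_archive(payload: bytes):
    """Return the archive format name if a known magic prefix matches, else None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if payload.startswith(magic):
            return name
    return None


def classify_payload(payload: bytes, entropy_threshold: float = 7.0):
    """Label a payload as 'archive:<fmt>', 'high-entropy', or 'plain', and return its entropy too."""
    fmt = identify_archive(payload)
    ent = shannon_entropy(payload)
    if fmt:
        return f"archive:{fmt}", ent
    # Entropy is only meaningful on a reasonably sized sample; 1 KiB is an assumed minimum.
    if len(payload) >= 1024 and ent >= entropy_threshold:
        return "high-entropy", ent
    return "plain", ent


def _pseudo_random(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) so the sample payload is reproducible."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples standing in for three observed outbound payloads.
PLAIN_DOC = b"Quarterly revenue figures, internal distribution only. " * 60
SAMPLES = {
    "plain": PLAIN_DOC,
    "gzip": gzip.compress(PLAIN_DOC),
    # A home-grown "backup" encoding: invented 4-byte tag plus XOR-scrambled content.
    "custom": b"BKUP" + bytes(b ^ 0x5A for b in _pseudo_random(4096)),
}


def scan(samples=SAMPLES):
    """Map each sample name to its label."""
    return {name: classify_payload(blob)[0] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        label, ent = classify_payload(blob)
        print(f"{name:8s} {label:16s} entropy={ent:.2f} bits/byte")
```

Magic bytes catch the common case cheaply; the entropy fallback is what catches the custom encoding in the anecdote above, since XOR-scrambling or a private encoding destroys the header but not the near-uniform byte distribution of compressed content. The same reasoning only applies to payload bodies that are visible to the sensor; a TLS stream is high-entropy by design and needs a different signal.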

PowerShell

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including the discovery of information and execution of code. PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without accessing a disk.

Awake successfully identifies PowerShell usage across environments, whether it is used for lateral movement or silently pulling down malware from uncommon destinations. For instance, Awake has recently discovered a ransomware threat that attempted to use silent PowerShell commands to disable Microsoft’s User Account Control (UAC).

User Execution

An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via spearphishing attachment or spearphishing link. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it.

Awake is well prepared to identify user execution, as we can detect and respond to many different types of network traffic that result from a user clicking on an executable file. Awake will also track users as they copy files to destination devices, regardless of the method (e.g. SMB, PowerShell, FTP, etc.). A great example of this can be seen in the screenshots provided, where Awake tracks executable files being copied to a remote device and then detonated on that remote device. Awake successfully identified this behavior and the resulting activities, where the destination device was seen exfiltrating data to a known compromised location.

Scripting

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

Awake has multiple adversarial models to detect when scripts (PowerShell, VBS, Python, Perl, etc.) are run across the network, and even when they use APIs for common messaging and social media platforms. This allows us to watch actors as they communicate both laterally and externally using scripting languages. A recent automatic detection on Awake’s platform was an adversarial model that exposed a hidden command and control channel being used by third-party consultants. Awake was the only security solution to identify this behavior, and the platform caught it due to the scripting nature of the communications.

Registry Run Keys / Startup Folder

Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.

Awake has several models designed to identify actors modifying the Windows Registry, and can easily track when users create tasks on remote devices through several different methods using protocols such as SMB. For example, Awake recently found an actor scheduling tasks on a remote device via SMB to automatically exfiltrate data out of the network at timed intervals when the actor presumed security personnel would not be monitoring the network.
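A host-side complement to the network view above is to audit the run keys themselves. The following is an added example, not Awake’s code: it parses a `.reg` export of the Run keys (the format `reg export` writes) and flags entries that launch from user-writable directories or through a script host, which is where most persistence of this kind ends up. The export text, the directory list and the interpreter list are constructed assumptions for the example.

```python
import re

# Constructed .reg export in the format `reg export` produces; not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\jdoe\\AppData\\Roaming\\svc\\update.exe"
"SyncHelper"="wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\sync.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Assumed lists: directories an ordinary user can write to, and interpreters that run scripts.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe")


def unescape_reg_string(raw: str) -> str:
    """Turn a quoted .reg REG_SZ literal (with \\\\ and \\" escapes) into the real value."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_export(text: str):
    """Yield (key_path, value_name, value_data) for every value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, raw = m.groups()
            data = unescape_reg_string(raw) if raw.startswith('"') else raw  # hex:/dword: kept raw
            yield key, unescape_reg_string(name), data


def audit_run_keys(text: str = SAMPLE_REG):
    """Return {value_name: [findings]} for Run/RunOnce entries that look suspicious."""
    report = {}
    for key, name, command in parse_reg_export(text):
        if key.lower().rsplit("\\", 1)[-1] not in ("run", "runonce"):
            continue
        findings = []
        lower = command.lower()
        if any(path in lower for path in USER_WRITABLE):
            findings.append("launches from a user-writable directory")
        if any(host in lower for host in SCRIPT_HOSTS):
            findings.append("runs through a script host or interpreter")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_run_keys().items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against a periodic export from each host, the interesting output is the diff between two audits: a new value appearing under a user’s Run key, pointing into AppData or Temp, is the network-side “task created over SMB” event seen from the endpoint.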

Remote File Copy

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the command and control channel to bring tools into the victim network or through alternate protocols. Adversaries may also copy files laterally between internal victim systems to support lateral movement with remote execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows admin shares or Remote Desktop Protocol.

Awake will successfully identify remote file copy attempts, regardless of the protocol. Our models identify this behavior whether it is done via File Transfer Protocol (FTP), Server Message Block (SMB), Remote Desktop Protocol (RDP), PowerShell, etc. An example can be seen below in the screenshots where one user copied a malicious executable file via SMB that, once executed, began attempting to exfiltrate data to a known malicious endpoint outside of the network.

Spearphishing Link / Attachment

Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in an email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.

The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon user execution to gain execution.

Awake can successfully identify spearphishing attempts at multiple levels: from typosquatting of popular domains, partners and service providers used for business email compromise, to suspicious and malicious requests originating from Microsoft Office programs. Awake has successfully identified several spearphishing campaigns in multiple environments, with some emails containing .HTA files (HTML Application), an executable HTML file format. These tactics are common for Iranian hacker groups.
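The typosquatting and attachment checks mentioned above reduce to a few string comparisons. Here is an added example, not Awake’s code: it triages constructed message metadata against an assumed allow-list of trusted domains, unfolding common homoglyph substitutions and tolerating one or two character edits, flags brand names buried as subdomains of unrelated domains, and flags the executable attachment types listed earlier on this page (.hta, .scr, .exe, .lnk, .pif, .cpl). The messages, the trusted-domain list and the edit-distance thresholds are all assumptions for the example.

```python
import os

# Assumed allow-list of domains the organization and its partners legitimately send from.
TRUSTED_DOMAINS = ["example.com", "microsoft.com", "paypal.com", "partner-corp.com"]

# Attachment types that execute directly when opened (from the TTPs discussed on this page).
RISKY_EXTENSIONS = {".hta", ".scr", ".exe", ".lnk", ".pif", ".cpl"}

# Common look-alike substitutions, mapped back to the letter they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed message metadata (sender, subject, attachment names), not real mail.
SAMPLE_MESSAGES = [
    {"from": "billing@paypa1.com", "subject": "Invoice overdue", "attachments": ["invoice.pdf"]},
    {"from": "it-support@rnicrosoft.com", "subject": "Password expiry", "attachments": []},
    {"from": "notifications@microsoft.com", "subject": "Your monthly summary", "attachments": []},
    {"from": "alerts@example.com.account-verify.test", "subject": "Verify your account", "attachments": ["invoice.hta"]},
    {"from": "hr@partner-corp.com", "subject": "Benefits update", "attachments": ["benefits.pdf"]},
    {"from": "ceo@partnercorp.com", "subject": "Urgent wire transfer", "attachments": []},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Replace digit and letter-pair homoglyphs so 'rnicr0soft' compares as 'microsoft'."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the trusted domain itself, or a genuine subdomain of it
    labels = d.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels[:-2]:
            return trusted  # brand name used as a subdomain of some other domain
        if normalize(registrable) == brand:
            return trusted  # same name once homoglyphs are unfolded, or a different TLD
        if levenshtein(registrable, brand) <= (1 if len(brand) < 8 else 2):
            return trusted  # a dropped hyphen or a swapped letter away (assumed thresholds)
    return None


def triage(message: dict):
    """Return a list of findings for one message (empty when nothing stands out)."""
    findings = []
    sender_domain = message["from"].rsplit("@", 1)[-1]
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} looks like {target}")
    for attachment in message.get("attachments", []):
        ext = os.path.splitext(attachment.lower())[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type {ext}: {attachment}")
    return findings


def triage_all(messages=SAMPLE_MESSAGES):
    """Map sender address to findings for every message that produced any."""
    return {m["from"]: triage(m) for m in messages if triage(m)}


if __name__ == "__main__":
    for sender, findings in triage_all().items():
        print(sender)
        for finding in findings:
            print("   ->", finding)
```

The edit-distance threshold scales with the brand length so that a long partner name tolerates a dropped hyphen while a short one does not match unrelated six-letter words; tune both the allow-list and the thresholds against a week of real sender domains before alerting on them, since a short brand and a loose threshold will otherwise page on legitimate mail.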

It is important to note that much of the guidance above is applicable across multiple threat actors, beyond those associated with Iran. As is often the case with these kinds of attacks, the anonymity of the Internet certainly does not help with strong attribution. Moreover, the Iranian threat actors have been known to use a number of proxies (the Syrian Electronic Army, Hezbollah, and Hamas among others) to launch attacks. Organizations should also be watchful for false flag operations perpetrated by other nation-states but designed to look like they are using the TTPs common for Iranian threat actors.

Eric Poynton

Lead Network Threat Hunter