
US cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyberattacks by Iranian state-sponsored or affiliated threat actors.
“Over the past few months, there has been an increase in activity from actors related to hacktivists and the Iranian government, which is expected to escalate due to recent events,” the agencies said.
“These cyber actors often exploit targets of opportunity based on their use of unpatched or outdated software, accompanied by the use of default or common passwords on internet-connected accounts and devices with known common vulnerabilities and exposures.”
There is currently no evidence of a coordinated campaign of malicious cyber activity that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) said.
Emphasizing the need for “increased vigilance,” the agencies singled out Defense Industrial Base (DIB) companies, particularly those with ties to Israeli defense and research firms, as being at heightened risk. They added that US and Israeli entities could also be exposed to distributed denial-of-service (DDoS) attacks and ransomware campaigns.
Attackers often start with reconnaissance using device search engines such as Shodan to find vulnerable internet-facing devices, particularly in industrial control system (ICS) environments. Once inside, they can abuse weak segmentation or misconfigured firewalls to move laterally across the network. Iranian groups have previously escalated access using remote access trojans (RATs), keyloggers, credential-dumping tools such as Mimikatz, and legitimate administration utilities such as PsExec.
Based on previous campaigns, attacks mounted by Iranian threat actors use techniques such as automated password guessing, password hash cracking, and default manufacturer passwords to gain access to internet-exposed devices. They have also been found to breach operational technology (OT) networks by abusing system engineering and diagnostic tools.
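The automated password guessing described above leaves a recognizable trail in authentication logs: a burst of failed logins from one source, sometimes followed by a success from that same source. The following is an added example (not code from the advisory or from this article) that detects both patterns in OpenSSH-style log lines; the log lines are constructed for illustration, and the threshold of five failures within 60 seconds is an assumption you would tune per environment.

```python
"""Detect automated password guessing (ATT&CK T1110.001) in SSH auth logs.

Added example for illustration only. The sample log lines are constructed to
look like OpenSSH syslog output; the detection thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): one source hammers an OT gateway and
# eventually guesses the admin password; a second source is a normal user.
SAMPLE_LOG = """\
Jun 30 10:00:01 plc-gw sshd[2201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jun 30 10:00:03 plc-gw sshd[2203]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jun 30 10:00:04 plc-gw sshd[2205]: Failed password for invalid user operator from 203.0.113.7 port 51003 ssh2
Jun 30 10:00:06 plc-gw sshd[2207]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 30 10:00:08 plc-gw sshd[2209]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Jun 30 10:00:09 plc-gw sshd[2211]: Failed password for admin from 203.0.113.7 port 51006 ssh2
Jun 30 10:00:11 plc-gw sshd[2213]: Accepted password for admin from 203.0.113.7 port 51007 ssh2
Jun 30 10:05:00 plc-gw sshd[2301]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
Jun 30 10:20:00 plc-gw sshd[2302]: Accepted publickey for jsmith from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2025):
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (source_ip, kind, detail) tuples.

    kind is 'brute_force' (>= threshold failures inside the sliding window) or
    'success_after_failures' (a login accepted while recent failures from the
    same source are still inside the window, i.e. a likely guessed password).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    flagged = set()                # sources already reported as brute-forcing
    alerts = []
    for e in events:
        ip, q = e["ip"], failures[e["ip"]]
        while q and e["ts"] - q[0] > window:   # expire failures outside the window
            q.pop(0)
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute_force",
                               f"{len(q)} failed logins within {window.seconds}s"))
        elif q:   # accepted login with recent failures from the same source
            alerts.append((ip, "success_after_failures",
                           f"user {e['user']} via {e['method']} after {len(q)} failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_password_guessing(SAMPLE_LOG):
        print(f"{kind:24} {ip:16} {detail}")
```

On the sample, the first source trips the brute-force rule on its fifth failure and then produces a second, higher-priority alert when the admin password is accepted seconds later; the normal user's single typo fifteen minutes before a key-based login is correctly ignored because it has aged out of the window.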

The development comes days after the Department of Homeland Security (DHS) issued a bulletin urging US organizations to watch for “low-level cyberattacks” by Iranian hacktivists amid ongoing geopolitical tensions between Iran and Israel.
Last week, Check Point revealed that an Iranian nation-state hacking group tracked as APT35 had targeted journalists, prominent cybersecurity experts, and Israeli computer science professors as part of a spear-phishing campaign that used bogus Gmail login pages or Google Meet invitations to harvest Google account credentials.
As mitigations, organizations are advised to take the following steps:

- Identify OT and ICS assets that are reachable from the public internet and disconnect them.
- Protect devices and accounts with strong, unique passwords, replace weak or default passwords, and enforce multi-factor authentication (MFA).
- Maintain full system and data backups so that operations can be recovered after unauthorized changes, loss of view, or loss of control.
For organizations wondering where to start, the practical approach is to look first at the external attack surface: which systems are public, which ports are open, and whether outdated services are still running. Tools such as CISA’s Cyber Hygiene program and open-source scanners such as Nmap can help defenders identify risks before attackers do. Aligning defenses to the MITRE ATT&CK framework makes it easier to prioritize protections based on the actual tactics these threat actors use.
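The raw output of an external Nmap scan is only useful once it is triaged against the specific risks this advisory calls out (OT protocols on the internet, remote-access services without MFA, cleartext logins). The script below is an added example (not code from the advisory, from this article, or from the Nmap project) that reads Nmap’s XML output and ranks open ports on live hosts by that risk, tagging each with an ATT&CK technique for prioritization. The XML is a constructed sample in the shape produced by `nmap -sV -oX`; the port-to-risk table and the technique assignments are this example’s own assumptions, chosen for illustration.

```python
"""Triage an Nmap XML scan of an external attack surface.

Added example for illustration only. The XML is a constructed sample (not a
real scan); RISKY_PORTS and the ATT&CK mapping are assumptions, not a standard.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not real data) shaped like `nmap -sV -oX - <range>`.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 203.0.113.0/29">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed triage table: port -> (category, severity, ATT&CK technique, action).
RISKY_PORTS = {
    23:    ("cleartext remote access",    "high",     "T1133", "disable Telnet; use SSH with keys or MFA"),
    21:    ("cleartext file transfer",    "high",     "T1133", "replace FTP with SFTP or FTPS"),
    22:    ("remote access",              "medium",   "T1110", "enforce keys/MFA, rate-limit, remove default accounts"),
    3389:  ("remote access",              "high",     "T1133", "put RDP behind VPN with MFA; never expose directly"),
    5900:  ("remote access",              "high",     "T1133", "put VNC behind VPN; VNC authentication is weak"),
    502:   ("OT protocol (Modbus)",       "critical", "T1190", "disconnect from the public internet"),
    102:   ("OT protocol (S7comm)",       "critical", "T1190", "disconnect from the public internet"),
    20000: ("OT protocol (DNP3)",         "critical", "T1190", "disconnect from the public internet"),
    44818: ("OT protocol (EtherNet/IP)",  "critical", "T1190", "disconnect from the public internet"),
    47808: ("OT protocol (BACnet)",       "critical", "T1190", "disconnect from the public internet"),
}
DEFAULT_RISK = ("other service", "info", "T1190", "confirm it is needed and patched")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def triage_nmap_xml(xml_text):
    """Return one finding per open port on each live host, most severe first."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond have no exposed services
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not reachable services
            portid = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            category, severity, technique, action = RISKY_PORTS.get(portid, DEFAULT_RISK)
            findings.append({"host": addr, "port": portid, "service": name, "version": version,
                             "category": category, "severity": severity,
                             "attack": technique, "action": action})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{f['severity']:8} {f['host']}:{f['port']:<5} {f['service']:<14} {f['attack']}  {f['action']}")
```

To use it on a real scan, run `nmap -sV -oX scan.xml <your public range>` and pass the file contents to `triage_nmap_xml`. The Modbus port rises to the top regardless of what else is open, which is the point: an OT protocol reachable from the internet is the finding this advisory asks you to fix first.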
“Despite the ceasefire and continued negotiations for a permanent solution, Iran-related cyber actors and groups of hacktivists may still engage in malicious cyber activities,” the agencies said.