The US Federal Bureau of Investigation says that a threat actor known to be associated with Iran is currently seeking to acquire data from organizations across the globe, including US targets.
The actor has demonstrated interest in leaked data sets in various locations, including web forums and the dark web. The FBI judges this actor may attempt to leverage information in these leaked data sets, such as network information and email correspondence, to conduct their own cyber operations against US organizations.
FBI Private Industry Notification 20211108-001
The FBI said the threat actor wasn’t interested in a particular industry vertical but was seeking data in bulk.
“This actor has also demonstrated interest in obtaining unauthorized access to SCADA systems using common default passwords,” the agency added.
The FBI is now asking companies that have been at the center of a past hack where the data was leaked online to ensure that the leaked data can’t be abused to breach them again.
This includes patching systems exploited in the last hack, resetting passwords, warning employees, and protecting internet-exposed systems.
In addition, the FBI also released a collection of tactics, techniques, and procedures (TTPs) that the Iranian threat actor has leveraged in the past:
- Using auto-exploiter tools to build up a network of compromised WordPress sites for possible use as an RDP-scanning botnet, or to enable webshell access to targeted organizations.
- Using SQLmap to bypass Web Application Firewalls.
- Exploitation of the Kentico Content Management System.
- Attempting to enable Remote Desktop Protocol (RDP) on victim machines.
- Leveraging routers which may already have port-forwarding enabled for RDP.
- Brute forcing RDP.
- Using RDP port forwarding in conjunction with webshells, including the use of Tunna.
- Re-directing the home page or a ‘404’ page in a site using WordPress.
- Exploitation or interest in exploiting vulnerabilities tracked as CVE-2019-10068 (Kentico CMS), CVE-2008-3362 (WP Downloads Manager), CVE-2014-4725 (MailPoet Newsletters), CVE-2014-9735 (ThemePunch Slider Revolution), CVE-2015-1579 (Elegant Themes Divi theme), CVE-2015-4455 (Aviary Image Editor Add-on For Gravity Forms), CVE-2019-9879 (WPGraphQL), CVE-2015-8562 (Joomla CMS), CVE-2018-13379 (Fortinet), CVE-2020-10188 (Telnet), CVE-2020-1472 (Windows Netlogon).
- The use of VPNs to mask their location, using ervices, such as Private Internet Access, Atlas VPN, TiKNet VPN, VPN Master Lite, and CyberGhost.
The FBI PIN alert was market TLP:Amber, meaning we can’t publicly share it, as it was only sent to organizations the FBI believes would be targeted.
Source: Recorded Future