What The Continued Escalation of Tensions in the Middle East Means For Security (Jan 8, 2019)
Researchers at Cisco Talos are working to evaluate potential Iranian threats and attack vectors, especially those affecting critical infrastructure and high-profile businesses. In a blog post, the Cisco Talos team discusses the characteristics and indicators of prior campaigns in the Middle East, more specifically Iranian-attributed campaigns, and sheds light on the likely tactics of future campaigns. Iran has been an active cyber adversary of the U.S. since 2011, with attribution for large-scale denial-of-service attacks and for campaigns using the “Shamoon” and “ZeroCleare” data-wiper malware. Iranian actors are also believed to have conducted espionage campaigns against universities and companies to steal research and intellectual property, and to have attacked DNS infrastructure using social engineering and watering-hole techniques against target organizations. Talos highlights the willingness of threat actors in the region to attack critical components of the Internet, most notably DNS, and notes that heightened political tensions can make for a very dangerous adversary.
Recommendation: CISA and Cisco Talos recommend two major courses of action in the face of potential threats from Iranian actors: vulnerability mitigation and incident preparation. It is important to follow the mitigation and detection recommendations for publicly known Iranian APT techniques, as mapped to the MITRE ATT&CK Framework. Disable all unnecessary ports and protocols, monitor common ports and protocols for command-and-control activity, review network signatures and indicators for focused operational activity, monitor for new phishing themes and adjust email rules accordingly, patch externally facing equipment, and ensure backups are up to date.