How to Prevent Cyber Attacks from Iran

With tensions between Iran and the United States reaching a fever pitch following a series of deadly provocations, U.S. businesses should be bracing for heavily anticipated Iranian cyberattacks over the coming months. The Islamic Republic of Iran has a long history of waging state-sponsored cyberwarfare against institutions that threaten their geopolitical or military standing and, as the region’s core technological capabilities continue to evolve, it is more important than ever to protect your valuable data with enhanced cybersecurity measures.

Many of the tactics that Iranian-backed attackers are known to leverage against their targets are not new to the IT world. However, the rate at which these attacks are launched and the number of entities targeted is expected to grow at a dramatic clip given the recent events exacerbating long-standing friction between the U.S. and Iran.

Don’t let your business or organization fall victim to these attacks. The only foolproof way to ensure cybersecurity for your business and to give you the peace of mind you deserve is to hire professional IT support. The future of your business is too valuable, the risks too great and the threats too advanced to effectively prevent on your own.

Should professional IT support not be immediately available, however, it is important to understand what the most prevalent and persistent Iranian cyberattacks are to look out for and how to take preventative measures against them. Here is a breakdown of some common cyberattacks to come from Iran and the immediate actions that can be taken to quickly detect the attacks and mitigate their potential damage.

Credential Dumping

Credential dumping is the process of obtaining account login and password information from operating systems and software. If your organization uses a Linux operating system, the AuditD monitoring tool can be used to detect hostile processes used to open maps files, while those running on a Windows operating system should be on the lookout for unexpected processes interacting with Isass.exe.

To mitigate the damage wrought by credential dumping attacks, consider managing the access control list for “Replicating Directory Changes”, disabling or restricting NTLM, limiting credential overlap and ensuring that local administrator accounts have unique and complex passwords.

Obfuscated Files or Information

Obfuscation is commonly used to disguise easily identifiable code or data within a malware sample. Like with credential dumping attacks, early detection of obfuscation on Windows can be achieved by monitoring for unexpected processes interacting with Isass.exe while the Linux AuditD monitoring tool can be leveraged to watch for hostile processes used to open maps files.

To mitigate the potential damage of these attacks, consider utilizing the Antimalware Scan Interface on Windows 10, which analyzes commands after being processed or interpreted.

Data Compressed

While data encryption is more important than ever due to increasing and evolving threats to data and network security, it is worth noting that many applications that encrypt data first compress the data set, which, in certain cases, may compromise the confidentiality of the transmitted data. In order to block specific file types from leaving the network over unencrypted channels, it is important to utilize network intrusion prevention or data loss prevention tools. Additionally, early detection of this issue can be achieved by monitoring for command-line arguments for known compression utilities and using data loss prevention systems to find compressed files in transit during exfiltration.

PowerShell

Windows PowerShell is a task-based command-line shell and scripting language designed for system administration. To prevent attacks on PowerShell, consider setting the execution policy to execute only signed scripts. You can also remove the applications from systems when not needed, disable or restrict the WINRM Service to help prevent remote uses of PowerShell and restrict PowerShell execution policy to administrators only.

Scripting

Cross-Site Scripting attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. To protect yourself or your business from these kinds of attacks, consider utilizing virtualization and application micro-segmentation tactics like working in a sandbox environment and blocking macros through group policy. Also consider turning off unused features or restricting access to scripting engines.

For early detection of scripting attacks, examine scripting user restrictions for systems that could be considered suspicious, monitor processes and command-line arguments for script execution and subsequent behavior and analyze Office file attachments for potentially malicious macros.

Registry Run Keys and Startup Folders

Adding an entry to the “run keys” in your Registry or startup folder will cause the program referenced to be executed when a user logs in with the account’s associated permissions level. Unfortunately, attacks to exploit these configurations are fairly common and cannot be easily mitigated with preventive controls since they are based on the abuse of system failures. You can detect when these types of attacks are taking place, however, by monitoring the Registry for changes to run keys that do not correlate with known software, monitoring the start folder for additions or changes and looking for chains of behavior that are indicative of malicious behavior, as opposed to isolated events.

Remote File Copy

Files can be copied from one system to another to stage adversary tools or other files over the course of an operation. Cyber attackers do this to bring tools into the victim network through alternate protocols with another tool like FTP.

Early detection of these types of attacks can be achieved by monitoring for file creation and transfer within a network over SMB, monitoring the use of utilities like FTP that typically do not occur, analyzing network data for uncommon data flows and analyzing packet contents to detect communications that do not follow expected protocol.

Spearphishing Links

Certain spearphishing tactics involve the use of links to download malware contained in emails in order to avoid defenses that may inspect email attachments. Avoid succumbing to these attacks by determining if certain websites that can be used for spearphishing are necessary for business operations and blocking access if activity cannot be appropriately monitored. Also consider training active users in your organization to identify social engineering techniques and spearphishing emails with malicious links. Diagnostic techniques to detect link-based spearphishing include inspecting full URLs within emails and employing detonation chambers.

Spearphishing Attachments

Where link-based spearphishing contains malicious malware within the contents of the email, attachment-based spearphishing seeks to entice victims to open an email attachment containing malware.

Luckily, there are a number of steps you can take to mitigate the potential damage from these attacks. Anti-virus can automatically quarantine suspicious files and network intrusion prevention systems can be used to block harmful activity. Additional preventative measures include blocking unknown or unused attachments by default, using email scanning devices to analyze compressed or encrypted formats and training active users in your organization to identify social engineering techniques and spearphishing emails.

To detect these attacks before they cause irreparable damage, consider using email gateways that can identify malicious attachments in transit, detonation chambers or standard anti-virus software, which can potentially detect malicious documents and attachments as they’re scanned to be stored on the email server of the user’s computer.