
Iran’s Potential Cyber Threat: What to Know

Geopolitical Impacts

Ostra’s threat intelligence partner, FireEye, assesses with high confidence that Iranian cyber espionage presents a high-frequency, serious-intensity threat, particularly to organizations in the government, oil and gas, telecommunications, and financial services industries located in the United States, Saudi Arabia, and other Middle Eastern countries. Historically, state-sponsored actors have conducted cyber espionage or intentionally destructive attacks as retaliation or revenge for geopolitical or military events.

Mitigation Strategies

Historically, malicious attacks originating from Iran have utilized a wide range of tactics.

Current Action

FireEye has signatures for all known Iranian malware and has automatically pushed them out to all licenses. FireEye will continue to update all licenses automatically as new malware becomes known.


Potential Tactics & Recommended Mitigations

Tactic:  Password Spraying – the attempt to harvest legitimate login credentials by trying common passwords against a large number of accounts.

Mitigation:  Follow standard password and authentication best practices, including:

  • Thorough investigation of anomalous login attempts
  • Multi-factor authentication for remote access
  • Account audits to ensure all are appropriately terminated and have current authentication controls applied
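One way to turn the first bullet into a concrete check, as an added example that is not Ostra's or FireEye's tooling: a spray shows up in authentication logs as one source failing against many accounts with only one or two attempts each, which is the opposite shape of a brute-force attack on a single account. The log format and sample lines below are constructed for the example.

```python
# Added example (not Ostra's or FireEye's tooling): flag password-spray
# activity in authentication logs. A spray touches MANY accounts with FEW
# attempts each from one source, unlike brute force, which hammers one account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (assumed, not a real product's format).
SAMPLE_LOG = """\
2020-01-06T08:00:01Z src=203.0.113.10 user=alice result=FAIL
2020-01-06T08:00:03Z src=203.0.113.10 user=bob result=FAIL
2020-01-06T08:00:05Z src=203.0.113.10 user=carol result=FAIL
2020-01-06T08:00:07Z src=203.0.113.10 user=dave result=FAIL
2020-01-06T08:00:09Z src=203.0.113.10 user=erin result=FAIL
2020-01-06T08:00:11Z src=203.0.113.10 user=frank result=SUCCESS
2020-01-06T08:00:02Z src=198.51.100.7 user=alice result=FAIL
2020-01-06T08:00:04Z src=198.51.100.7 user=alice result=FAIL
2020-01-06T08:00:06Z src=198.51.100.7 user=alice result=FAIL
2020-01-06T09:30:00Z src=192.0.2.5 user=bob result=FAIL
2020-01-06T09:30:01Z src=192.0.2.5 user=bob result=SUCCESS
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {src: {"accounts": n, "successes": [users]}} for sources that fail
    logins against >= min_accounts distinct users inside one window, with no
    single account tried more than max_per_account times (the spray shape)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, start in enumerate(fails):  # slide the window over this source's failures
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window: break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                # a SUCCESS from the same source after the spray began is the high-priority signal
                succ = sorted({e["user"] for e in evs if e["result"] == "SUCCESS" and e["ts"] >= start["ts"]})
                findings[src] = {"accounts": len(per_user), "successes": succ}
                break
    return findings
```

On the sample, only 203.0.113.10 is flagged (five accounts, then a success on frank); the single-account failures from 198.51.100.7 are not a spray, and an account that later succeeds from the sprayed source is the one to investigate first.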

Tactic: VPN Vulnerability Scanning

Mitigation: Ostra ensures our clients’ VPN solutions are up to date and patched, and we monitor user login and system event logs.

Tactic:  DNS Hijacking – the Domain Name System (DNS) maps human-readable names such as google.com to IP addresses. Attackers alter DNS server records so that a malicious site appears to be the legitimate one.

Mitigation:

  • Implement multi-factor authentication on domain registrar accounts
  • Audit DNS records
  • Monitor SSL certificate transparency logs and revoke any fraudulently issued certificates. 

Tactic:  Spearphishing – email fraud that is targeted to a particular person or company.

Mitigation:

  • Ensure all device operating systems and applications are up to date and fully patched
  • Educate users to
    • Validate links and attachments before opening,
    • Validate the legitimacy of the sender,
    • Request secondary validation of unexpected links or attachments

Tactic:  Social Media – Iranian actors have used complex social engineering tactics on social media to influence opinion and to perpetrate attacks.

Mitigation:

  • Be extra cautious of files and links shared on social media sites.
  • Validate the identity of unexpected contact through secondary means.

Ransomware Shuts Down Tele-Fundraising Company

Company closes doors without notice.

A tele-fundraising firm in Arkansas shut down, telling employees they should “search for other employment,” after recovery efforts from a ransomware attack failed. The Heritage Company lost hundreds of thousands of dollars after they paid a ransom to the attackers but still were unable to restore systems. After two months of data recovery efforts, the company was unable to regain control of systems or the situation.

“Once we were hit with this terrible virus we were told time and time again that things would be better each week, and then the next week, and the week after that.”


The attack took place at the beginning of October 2019, but was not made public to employees while the company struggled to repair and contain the damage. CEO Sandra Franecke released a letter to employees late in December explaining that over the weeks and months of recovery efforts, leaders didn’t understand the extent of damage. Company executives also did not appreciate the difficulty the company would face to recover key systems, such as accounting or mail processing.


“Even if they call back it would be really hard to trust.”


The timing and sudden announcement of the closure, two days before Christmas, and the uncertain future of the company left employees reeling. Former employees were asked to call a hotline to receive an update on their job status. A pre-recorded message informed them on January 2 that recovery efforts were ongoing with “much work that needs to be done.” Employees who spoke to the media said they are looking for employment somewhere else and they don’t think Heritage will open again anytime soon. The company has been in business for 61 years.

The cost of fallout from a ransomware infection may be too much for a small business to bear. Funds to pay a ransom demand, rebuild IT infrastructure, and support struggling operations may not be available. As Franecke stated of the attack on Heritage, “I have been doing my utmost best to keep our doors open, even going as far as paying your wages from my own money to keep us going until we could recoup what we lost due to the cyber attack.” Small businesses facing these circumstances may have no other choice but to shut down for good.

At Ostra, we believe this doesn’t have to happen. We are committed to protecting small businesses without large IT budgets or cyber security expertise with the same top-of-the-line cyber security tools that protect large organizations. Partner with Ostra for Enterprise Grade Security to prevent ransomware and the costly aftermath of an attack.