The FBI Cyber Division recently sent out notifications to its InfraGard members that there has been an increase in cyber attacks directed at the United States coming from the Islamic Republic of Iran. Related malicious activity and reconnaissance may not necessarily occur from Iranian IP addresses, however, as actors may utilize midpoint infrastructure in other countries. Likewise, not all traffic from Iranian IP addresses may be indicative of malicious activity. While it is good to be vigilant in general, the FBI has identified the several specific tactics being used by the malicious actors (aka bad guys) to access targeted systems and individual accounts. These attacks are in the form of spear-phishing, VPN vulnerability targeting and password spray attacks.
Spear-phishing refers to when malicious actors (aka, the bad guy) attempts to gain private information by posing as a legitimate service or organization that the user may interact with on a regular basis. It typically begins with an email that appears to be from an organization that the user is familiar with, such as a bank, Microsoft, Amazon, etc. The email contains a message that motivates the user to click a link that takes them to a page that looks like a legitimate logon page, but is not. The login credentials entered by the user are captured by the bad actor and used to further compromise the victim.
• Be aware of unsolicited contact on social media from any individual you do not know personally.
• Be aware of attempts to pass links or files via social media from anyone whom you do not know.
• Be aware of unsolicited requests to share a file via online services.
• Be aware of email messages conveying suspicious alerts or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.
• Be suspicious of emails purporting to be from legitimate online services. (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, messages originate from an IP not attributable to that provider/company, etc.).
• Be suspicious of unsolicited email messages that contain shortened links (i.e., via TinyURL, bit.ly, etc.).
VPN (Virtual Private Network) Vulnerability Targeting
VPN Vulnerability Targeting is where malicious actors take advantage of known vulnerabilities in various VPN products. Just as Apple and Microsoft are constantly updating their operating systems with security patches, companies like Cisco and NetGear send out firmware updates and patches for their equipment and software. Malicious actors will attempt to take advantage of these vulnerabilities before patches can be applied in order to infiltrate your network and gain access to confidential information.
• Always apply security patches as soon as they are provided by the manufacturer.
• Schedule updates so that they occur automatically.
Password Spray Attacks
During a password spray attack, a malicious actor attempts a single password against a population of accounts before moving on to attempt a second password against the accounts, and so on. This technique allows the actor to remain undetected by avoiding account lockouts.
The malicious actors use a variety of techniques to conduct the attack. They determine their population by researching websites of organizations and identifying the pattern of user emails within the organization. They use easy-to-guess passwords such as “Password123!”. They utilize an already compromised account to reach out to contacts and colleagues of that user.
The current threat from Iran has specifically targeted individuals with the following profile:
• Single Sign On (SSO) and web-based applications such as O365 where the user doesn’t use Multi-Factor Authentication (MFA).
• Allows easy-to-guess passwords.
• Uses inbox synchronization allowing email to be pulled from the Microsoft cloud to a remote device.
• Allows email forwarding to be setup at the user level.
• Limited logging setup with Microsoft, creating difficulty for analysis after the fact.
Your IT department should have mitigation strategies in place to protect your organization in the form of password policies that users are required to follow… rules stating how long the password must be, how often users must change passwords, etc. Here are some additional actions that users can take to protect themselves both at work and at home:
• Use security features provided by social media platforms.
• Use strong passwords and change passwords frequently.
• Use a different password for each social media account.
• Use multi-factor (sometimes called two-factor) authentication on your accounts. This is also referred to as MFA or 2FA.
• Use a password management tool. Because we often have many online accounts, keeping up with passwords can become complicated. Luckily there are tools to help manage this. This article covers several available options: https://www.tomsguide.com/us/best-password-managers,review-3785.html
Cyber attacks are an ongoing battle and you should always be alert as you interact with the online world. This increase in activity is another reminder that the cyber world is the new frontier and you need to be hyper-vigilant at all times.
If you are concerned about your organization’s security policies and would like an assessment, contact Southwest Cyber Systems today.