Iran-based cyber actors targeting US organizations with ransomware attacks

Iran-based cyber actors are posing a significant threat to US organizations through ransomware attacks. Learn about their tactics, indicators of compromise, and effective mitigation strategies to protect your systems and data.

Tal Morgenstern | September 17, 2024

US and foreign organizations are urged to be aware of ongoing Iranian cyberattacks, according to a joint advisory from the FBI, CISA, and DC3.

TL;DR

Based on the CISA and FBI joint cybersecurity advisory, Iranian cyber actors are targeting US organizations with ransomware attacks. They’re exploiting vulnerabilities in public-facing networking devices to gain initial access and deploy ransomware. To protect yourself, patch your systems, implement strong security measures, monitor for suspicious activity, and report incidents to CISA.

Introduction

The Growing Threat of Iran-Based Cyber Actors

In recent years, Iran-based cyber actors have become increasingly active in targeting US organizations with ransomware attacks. These attacks can have devastating consequences, disrupting critical services, causing financial losses, and compromising sensitive data. It is essential for organizations to be aware of the threats posed by these actors and to take proactive steps to protect themselves.

The Importance of Preventative Measures in Cybersecurity

Cybersecurity is more important than ever in today’s digital age. With the increasing reliance on technology, organizations of all sizes are vulnerable to cyberattacks. Ransomware attacks are particularly dangerous because they can encrypt critical data, making it inaccessible until a ransom is paid. This can lead to significant disruptions and financial losses. 

By understanding the tactics, techniques, and procedures (TTPs) used by Iran-based cyber actors, organizations can take steps to prevent and mitigate the risks associated with ransomware attacks. 

Tactics, Techniques, and Procedures (TTPs) Used by Iran-Based Cyber Actors 

Iran-based cyber actors have been observed using a variety of tactics, techniques, and procedures (TTPs) to target US organizations with ransomware attacks. They begin by exploiting public-facing networking devices to gain initial access to target systems. This includes:

  • Check Point Security Gateway: The actors have exploited vulnerabilities in Check Point Security Gateways, such as CVE-2024-24919, to gain access to sensitive information.
  • Citrix Netscaler: The actors have exploited vulnerabilities in Citrix Netscaler, such as CVE-2019-19781 and CVE-2023-3519, to gain unauthorized access. 
  • F5 BIG-IP: The actors have exploited vulnerabilities in F5 BIG-IP, such as CVE-2022-1388, to gain unauthorized access. 
  • Pulse Secure/Ivanti VPNs: The actors have exploited vulnerabilities in Pulse Secure/Ivanti VPNs, such as CVE-2024-21887, to gain unauthorized access. 
  • PanOS firewalls: The actors have exploited vulnerabilities in PanOS firewalls, such as CVE-2024-3400, to gain unauthorized access. 

After gaining access, they use multiple techniques to maintain persistence, establish a backdoor for command-and-control (C&C) communication, and begin malicious activity such as data exfiltration, remote access, and ransomware deployment.

Indicators of Compromise (IOCs) 

The joint advisory includes a list of Indicators of Compromise (IOCs) that can be used to identify and detect ransomware attacks by Iran-based cyber actors. These IOCs include:

  • IP addresses: a list of IP addresses associated with the actors.
  • Domains: a list of domains associated with the actors.
  • Hash values: a list of hash values of the malware used by the actors.

Organizations can use these IOCs to monitor their networks for suspicious activity and to detect potential ransomware attacks. 
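An added example (not from the advisory or this article) of how the three IOC categories above can be matched against network and endpoint logs. The indicator values and log lines are constructed placeholders, not the advisory's real IOCs; the point is the matching rules a practitioner needs: exact match for IPs, case-insensitive suffix match for domains so subdomains are caught, and case-insensitive match for hashes.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str   # "ip", "domain" or "sha256"
    value: str

# Constructed placeholders standing in for the advisory's IOC list.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.example", "cdn.mirror.example"}
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_SHA256 = {SAMPLE_SHA256}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")

def domain_is_listed(host, listed):
    """True for an exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in listed)

def scan_logs(lines, ips=IOC_IPS, domains=IOC_DOMAINS, hashes=IOC_SHA256):
    """Return every IOC hit found in the given log lines, in line order."""
    matches = []
    hashes_lc = {h.lower() for h in hashes}
    for n, line in enumerate(lines, 1):
        for tok in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(tok)   # drops junk like 999.1.1.1
            except ValueError:
                continue
            if str(ip) in ips:
                matches.append(Match(n, "ip", str(ip)))
        for tok in DOMAIN_RE.findall(line):
            if domain_is_listed(tok, domains):
                matches.append(Match(n, "domain", tok.lower()))
        for tok in HASH_RE.findall(line):
            if tok.lower() in hashes_lc:
                matches.append(Match(n, "sha256", tok.lower()))
    return matches

SAMPLE_LOGS = [  # constructed proxy, DNS and EDR lines, not real telemetry
    "2024-09-17T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.45 host=update-check.example action=allow",
    "2024-09-17T10:01:09Z proxy src=10.0.0.8 dst=93.184.216.34 host=www.example.com action=allow",
    "2024-09-17T10:01:30Z dns client=10.0.0.9 query=files.CDN.mirror.example type=A",
    "2024-09-17T10:02:00Z edr host=WS01 file=C:\\Temp\\svc.exe sha256=" + SAMPLE_SHA256,
]
```

Running `scan_logs(SAMPLE_LOGS)` flags the proxy line twice (IP and domain), the DNS query as a subdomain hit, and the EDR line by hash, while the benign proxy line produces nothing.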

Recommendations 

To protect themselves from ransomware attacks by Iran-based cyber actors, organizations should take the following steps: 

  • Patch systems and update software regularly: Ensure that all systems and software are patched with the latest security updates to address known vulnerabilities. 
  • Implement strong security measures: Protect public-facing devices with firewalls, intrusion detection systems, and access controls (especially multifactor authentication).
  • Monitor systems for suspicious activity: Regularly monitor systems for suspicious activity, such as unusual network traffic, unauthorized access attempts, or unusual file activity. 
  • Report incidents to CISA: Report any incidents of cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA). 

By following these recommendations, organizations can reduce their risk of being targeted by Iran-based cyber actors and mitigate the potential damage of a ransomware attack. 

Conclusion 

Iran-based cyber actors pose a significant threat to US organizations, particularly through ransomware attacks. 

These intrusions may also steal data or damage additional systems, using the ransomware as cover. By understanding the tactics, techniques, and procedures used by these actors, organizations can take steps to protect themselves and mitigate the potential damage of a ransomware attack.

It is important to note that cybersecurity is an ongoing process. Organizations must remain vigilant and continue to update their security measures to stay ahead of evolving threats. By taking a proactive approach to cybersecurity, organizations can reduce their risk of being targeted by Iran-based cyber actors and protect their critical infrastructure. 
