Threat Coverage

Sep 16, 2020

SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA20-259A) Iran-Based Threat Actor Exploits VPN Vulnerabilities

SafeBreach Labs has updated the Hacker’s Playbook™ with new attack methods for the malware samples described in the US-CERT alert AA20-259A, Iran-Based Threat Actor Exploits VPN Vulnerabilities, which addresses yet another serious threat group leveraging known VPN vulnerabilities. CISA also issued US-CERT Alert AA20-258A, identifying Chinese Ministry of State Security-affiliated threat actors using similar techniques to exploit the same vulnerabilities. Read more in the US-CERT Alert AA20-258A blog.

52 newly developed playbook methods related to AA20-259A:

  • #5436 – Transfer of ar20-259awebshell1 malware over HTTP/S (Lateral Movement)
  • #5435 – Write ar20-259awebshell1 malware to disk (Host-Level)
  • #5437 – Transfer of ar20-259awebshell1 malware over HTTP/S (Infiltration)
  • #5438 – Email ar20-259awebshell1 malware as a ZIP attachment (Lateral Movement)
  • #5439 – Email ar20-259awebshell1 malware as a ZIP attachment (Infiltration)
  • #5440 – Write ar20-259awebshell2 malware to disk (Host-Level)
  • #5441 – Transfer of ar20-259awebshell2 malware over HTTP/S (Lateral Movement)
  • #5442 – Transfer of ar20-259awebshell2 malware over HTTP/S (Infiltration)
  • #5443 – Email ar20-259awebshell2 malware as a ZIP attachment (Lateral Movement)
  • #5444 – Email ar20-259awebshell2 malware as a ZIP attachment (Infiltration)
  • #5445 – Write ar20-259awebshell3 malware to disk (Host-Level)
  • #5446 – Transfer of ar20-259awebshell3 malware over HTTP/S (Lateral Movement)
  • #5447 – Transfer of ar20-259awebshell3 malware over HTTP/S (Infiltration)
  • #5448 – Email ar20-259awebshell3 malware as a ZIP attachment (Lateral Movement)
  • #5449 – Email ar20-259awebshell3 malware as a ZIP attachment (Infiltration)
  • #5450 – Write ar20-259akeethiefpowershell malware to disk (Host-Level)
  • #5451 – Transfer of ar20-259akeethiefpowershell malware over HTTP/S (Lateral Movement)
  • #5452 – Transfer of ar20-259akeethiefpowershell malware over HTTP/S (Infiltration)
  • #5453 – Email ar20-259akeethiefpowershell malware as a ZIP attachment (Lateral Movement)
  • #5454 – Email ar20-259akeethiefpowershell malware as a ZIP attachment (Infiltration)
  • #5455 – Pre-execution phase of ar20-259akeethiefexe malware (Host-Level)
  • #5456 – Write ar20-259akeethiefexe malware to disk (Host-Level)
  • #5457 – Transfer of ar20-259akeethiefexe malware over HTTP/S (Lateral Movement)
  • #5458 – Transfer of ar20-259akeethiefexe malware over HTTP/S (Infiltration)
  • #5459 – Email ar20-259akeethiefexe malware as a ZIP attachment (Lateral Movement)
  • #5460 – Email ar20-259akeethiefexe malware as a ZIP attachment (Infiltration)
  • #5461 – Pre-execution phase of ar20-259a_chisel malware (Host-Level)
  • #5462 – Write ar20-259a_chisel malware to disk (Host-Level)
  • #5463 – Transfer of ar20-259a_chisel malware over HTTP/S (Lateral Movement)
  • #5464 – Transfer of ar20-259a_chisel malware over HTTP/S (Infiltration)
  • #5465 – Email ar20-259a_chisel malware as a ZIP attachment (Lateral Movement)
  • #5466 – Email ar20-259a_chisel malware as a ZIP attachment (Infiltration)
  • #5467 – Pre-execution phase of ar20-259aangryip_scanner malware (Host-Level)
  • #5468 – Write ar20-259aangryip_scanner malware to disk (Host-Level)
  • #5469 – Transfer of ar20-259aangryip_scanner malware over HTTP/S (Lateral Movement)
  • #5470 – Transfer of ar20-259aangryip_scanner malware over HTTP/S (Infiltration)
  • #5471 – Email ar20-259aangryip_scanner malware as a ZIP attachment (Lateral Movement)
  • #5472 – Email ar20-259aangryip_scanner malware as a ZIP attachment (Infiltration)
  • #5473 – Pre-execution phase of ar20-259a_nmap malware (Host-Level)
  • #5474 – Write ar20-259a_nmap malware to disk (Host-Level)
  • #5475 – Transfer of ar20-259a_nmap malware over HTTP/S (Lateral Movement)
  • #5476 – Transfer of ar20-259a_nmap malware over HTTP/S (Infiltration)
  • #5477 – Email ar20-259a_nmap malware as a ZIP attachment (Lateral Movement)
  • #5478 – Email ar20-259a_nmap malware as a ZIP attachment (Infiltration)
  • #5479 – Write ar20-259a_drupwn malware to disk (Host-Level)
  • #5480 – Transfer of ar20-259a_drupwn malware over HTTP/S (Lateral Movement)
  • #5481 – Transfer of ar20-259a_drupwn malware over HTTP/S (Infiltration)
  • #5482 – Email ar20-259a_drupwn malware as a ZIP attachment (Lateral Movement)
  • #5483 – Email ar20-259a_drupwn malware as a ZIP attachment (Infiltration)
  • #5484 – Communication with ar20-259atinyweb_shell using HTTP
  • #5485 – Communication with ar20-259achunkytuna using HTTP
  • #5486 – Communication with ar20-259a_Chisel using HTTP

Gain insight into vulnerabilities that are exploitable

Prioritizing vulnerabilities is a challenge most organizations struggle with, because far too many vulnerabilities are classified as high-priority. Adopting Risk-Based Vulnerability Management to gain data-driven insight into which vulnerabilities are actually exploitable in your environment is critical. Correctly identifying which high-priority vulnerabilities truly constitute risk lets security teams make sure every one of them is mitigated, so the company does not suffer damage from these attacks.

Learn More about SafeBreach Risk-Based Vulnerability Management

What you should do now

The new attack methods for US-CERT AA20-259A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report is being updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT Alert AA20-259A (Iran-Based Threat Actor) report and select Run Simulations, which runs all of the attack methods.