SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA21-321A) Iranian Government-Sponsored Malicious Cyber Activities
On November 17th, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued an alert to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. Details of the various tactics, techniques, and procedures (TTPs) are described in US-CERT Alert (AA21-321A) - Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
According to the information available, these state-sponsored threat actors have targeted a broad range of victims across multiple U.S. critical infrastructure sectors, including the transportation sector and the healthcare and public health sector, as well as several Australian organizations. The attacks aimed to steal and exfiltrate sensitive information and to encrypt the victims' data and hold it for ransom. The attacks began in March 2021 and were initiated by exploiting previously known vulnerabilities in Microsoft Exchange and Fortinet devices.
Once the attackers had successfully exploited these vulnerabilities and gained access, they leveraged a mix of built-in Windows components, legitimate software, and publicly available tooling (including MicrosoftOutlookUpdater, Mimikatz, WinPEAS, WMI, FileZilla, and BitLocker) to install malware and ransomware, escalate privileges, move laterally, steal and exfiltrate sensitive data, and hold it for ransom by encrypting it on their way out.
NOTE: The SafeBreach Hacker’s Playbook has been updated to include the newly discovered tactics and techniques from this US-CERT alert. We encourage you to test your preparedness against the Iranian threat groups by running the attacks listed below. Additionally, we recommend that you consider running or re-running the attacks described in US-CERT AA21-259A and US-CERT AA21-296B to ensure a more comprehensive level of protection against Iranian state-sponsored APT groups.
We would also like to highlight that existing SafeBreach customers already had a certain level of protection against these attacks, as the Hacker’s Playbook already included 13 of the tactics, techniques, and procedures (TTPs) preferred by the Iranian APT groups (including the ones being reused in the current attacks). These attacks can be seen below.
The newly added and existing attack methods for US-CERT Alert AA21-321A (Iranian Threat Actors) are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report has been updated so you can run the specific attacks from this US-CERT alert: from the Known Attack Series report, select the US-CERT Alert AA21-321A (Iranian Threat Actors) report and click Run Simulations, which will run all of the associated attack methods.
You can also select all the attacks related to US-CERT Alert AA21-321A (Iranian Threat Actors) by going to the SafeBreach Playbook and filtering by Threat Name for “US-CERT Alert AA21-321A (Iranian Threat Actors)”. Alternatively, go to the “SafeBreach Scenarios” page, scroll to the “Known Attack Series” section, and choose the US-CERT Alert AA21-321A (Iranian Threat Actors) scenario from the list of available scenarios.