The leading U.S. security agencies put out a warning June 30 that federal agencies and American businesses should be on heightened alert for attacks on critical infrastructure in the form of distributed-denial-of-service (DDoS) attacks and ransomware incidents.

Despite a declared ceasefire and ongoing negotiations towards a permanent settlement in the Middle East, U.S. security agencies said cyber actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC) may target U.S. devices and networks.

“These actors have historically targeted poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks, often exploiting targets of opportunity, outdated software, and the use of default or common passwords on internet-connected accounts and devices,” said the advisory.

The joint warning was issued by the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense Cyber Crime Center (DC3).

Iranian groups have been targeting the United States for many years, so teams need to be on guard for multi-factor authentication (MFA) attacks, ensure they have robust microsegmentation controls, and monitor for administrator credential use and PowerShell, which tend to be common for living-off-the-land, said Lawrence Pingree, vice president at Dispersive.io.

“In general, if teams can remove packages like PowerShell, and reduce admin privileges along with microsegmentation and identity monitoring, these are the best approaches to defeat threats,” said Pingree.

Chris Grove, director, cybersecurity strategy at Nozomi Networks, added that U.S. organizations must stay on elevated alert for cyber-specific retaliation, even amid a ceasefire.
Grove said the IRGC has been known to strike quickly, and globally, and now that they have motive, precedent and the capability to cause disruption, an attack is almost imminent.

“All operators should heed the joint warning from CISA, the FBI, and others that vulnerable networks are likely to be prime targets,” said Grove. “Especially as we head into a holiday week, vigilance and preventive action is key as threat actors are already known to strike when they think no one is watching, let alone during a geopolitical conflict.”

Grove said specific groups we should watch for, as well as their typical targets and methodology, are:
APT33 — Elfin: Aviation, energy, and ICS.
APT34 — MuddyWater: Government espionage.
APT35 — Charming Kitten: Spear phishing, media impersonation.
Iranian Cyber Army — DDoS, ideological defacements.
Void Manticore — Wiper malware and ransomware operations.
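Pingree's recommendation above, to monitor administrator credential use and PowerShell, as an added example that is not part of the original article or any vendor's product: a small triage routine run over constructed Windows process-creation (Security event ID 4688) records, scoring each PowerShell launch by whether a privileged account or elevated token, unattended-style switches, or an unusual parent process is involved. The account names, paths, and flag list are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    user: str          # SubjectUserName from a Security 4688 record
    parent: str        # ParentProcessName
    process: str       # NewProcessName
    command_line: str  # CommandLine (needs command-line auditing enabled)
    elevated: bool     # True when TokenElevationType is a full elevated token

# Assumed administrative accounts for this environment (not from the article).
PRIVILEGED_ACCOUNTS = {"administrator", "da-ops"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Switches typical of unattended PowerShell use; interactive admin work rarely combines them.
SUSPICIOUS_FLAGS = ("-enc", "-nop", "-w hidden", "-windowstyle hidden", "-noni")
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}

def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons): one point per independent signal."""
    reasons = []
    if ev.process.rsplit("\\", 1)[-1].lower() not in POWERSHELL_HOSTS:
        return 0, reasons
    reasons.append("powershell host")
    if ev.user.lower() in PRIVILEGED_ACCOUNTS or ev.elevated:
        reasons.append("privileged account or elevated token")
    hits = [f for f in SUSPICIOUS_FLAGS if f in ev.command_line.lower()]
    if hits:
        reasons.append("suspicious flags: " + ", ".join(hits))
    parent = ev.parent.rsplit("\\", 1)[-1].lower()
    if parent in UNUSUAL_PARENTS:
        reasons.append("unusual parent " + parent)
    return len(reasons), reasons

def triage(events, threshold: int = 2):
    # Emit (user, reasons) only for events that combine at least `threshold` signals.
    return [(ev.user, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]

# Constructed sample events, not captured logs; the encoded argument is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("administrator", r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>", True),
    ProcessEvent("jdoe", r"C:\Windows\explorer.exe", PS, "powershell.exe Get-ChildItem", False),
    ProcessEvent("jdoe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
                 "powershell.exe -WindowStyle Hidden -NoP", False),
    ProcessEvent("svc_sql", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe", False),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS):
        print(user, "->", "; ".join(reasons))
```

A single signal (an administrator running an interactive PowerShell session) is normal in most environments, which is why the default threshold requires two before alerting.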
James Maude, Field CTO at BeyondTrust, added that securing remote access remains one of the top priorities for many organizations, especially in high-risk OT and ICS environments, which teams must keep well away from the public internet. Maude said organizations need to think about how to securely manage privileged access into their critical environments, and ensure that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure.

“This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise,” said Maude. “Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors. Beyond remote access, an important defence is to reduce standing privileges in the environment so that in the event an identity gets compromised the ‘blast radius’ is limited.”

Bryan Cunningham, president at Liberty Defense, said the Iranian regime may be battered, but they’re not defeated. He said there are at least two scenarios in which the Iranians might lash out at the West and the U.S.:
In retaliation for U.S. strikes on their nuclear infrastructure and to show their chief allies Russia and China that they can still fight. We expect the Iranians to direct cruise missiles, suicide bombings, or other kinetic attacks at military facilities and other U.S. interests in the Middle East, as well as cyberattacks against U.S. critical infrastructure at home.
If they feel their survival is threatened, they could activate “sleeper cells” in the U.S. and/or try to inspire “lone wolf” actors here in America. We do not know how prevalent these cells or actors might be or whether sleeper cells would sacrifice themselves for a possibly dying regime.
“In either case, the risk – cyber and physical – is higher today than at any recent time,” said Cunningham. “Americans, at home and abroad, should be acutely aware of their surroundings and be especially vigilant at public gathering places. This includes synagogues, churches, government events, and large entertainment or sports venues.”