The FBI has issued an alert detailing an Iranian group’s tools, techniques and tactics, giving U.S. organizations advice on how to defend against its malicious cyber activities.
In October 2021, a grand jury in the U.S. District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad for computer intrusion, computer fraud, voter intimidation, interstate threats, and misdemeanor conspiracy for their alleged participation in a campaign to influence and interfere with the 2020 US presidential election.
The Treasury Department’s Office of Foreign Assets Control sanctioned Emennet along with four members of the company’s management and the two employees charged with trying to influence the election. The State Department’s Rewards for Justice program has also offered up to $10 million for information about the two indicted actors.
But FBI information indicates that Emennet poses a broader cybersecurity threat outside of information operations.
“Since 2018, Emennet has been conducting a traditional cyber mining business targeting multiple industries, including information, shipping, travel (hotels and airlines), oil and petrochemicals, finance and telecommunications, in the United States, Europe and the Middle East,” it said.
Emennet is known to use the virtual private network (VPN) services TorGuard, CyberGhost, NordVPN and Private Internet Access. The group also uses web research to identify major US commercial brands, then scans their websites for vulnerabilities to exploit. In some cases, but not all, the exploitation attempts were targeted; the group also attempted to identify hosting and shared hosting services.
Emennet was particularly interested in finding web pages running PHP code and in identifying externally accessible MySQL databases, particularly those exposed through phpMyAdmin. The group also showed interest in WordPress, the most popular CMS on the web, as well as Drupal and Apache Tomcat.
“During research, Emennet attempted to identify the default passwords for particular applications that a target might use, and attempted to identify the administration and/or login pages associated with those same targeted websites. It must be assumed that Emennet can try common plaintext passwords for any login sites they identify,” the FBI warned.
The FBI also said the group tried to take advantage of cyber intrusions carried out by other actors for its own benefit, for example by looking for data hacked and leaked by other actors, and by trying to identify webshells that could have been placed or used by other cyber actors.
The group also uses a range of open source penetration testing and research tools, including SQLmap, and it likely uses additional tools: DefenseCode Web Security Scanner, Wappalyzer, DNSdumpster, TinyMCE scanner, Netsparker, WordPress security scanner (WPScan), and, of course, Shodan.
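As an added illustration from the defender's side (not part of the FBI alert or this article), the following Python flags, in constructed web-server log lines, the reconnaissance pattern described above: probes for phpMyAdmin, WordPress, Drupal and Tomcat admin or login pages, and requests whose user-agent names a tool such as sqlmap, WPScan or Netsparker. The admin paths, user-agent strings and log lines are assumptions constructed for this example, not indicators from the alert.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (not from the FBI alert).
# They mimic the reconnaissance the alert describes: probing for phpMyAdmin,
# WordPress, Drupal and Tomcat admin/login pages with off-the-shelf scanners.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2022:09:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:09:12:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:09:12:03 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:09:12:05 +0000] "GET /?id=1 HTTP/1.1" 200 500 "-" "sqlmap/1.6 (https://sqlmap.org)"
198.51.100.9 - - [10/Feb/2022:09:20:11 +0000] "GET /products HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2022:09:20:12 +0000] "GET /user/login HTTP/1.1" 200 900 "-" "WPScan v3.8"
not a log line
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Admin/login paths for the platforms the alert names (phpMyAdmin, WordPress,
# Drupal, Tomcat). The exact paths are assumptions, not taken from the alert.
ADMIN_PATHS = ("/phpmyadmin", "/wp-login.php", "/wp-admin", "/user/login", "/manager/html")
# Lower-case substrings of user-agents sent by tools the alert lists (assumed).
SCANNER_UAS = ("sqlmap", "wpscan", "netsparker")


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_recon(log_text):
    """Per source IP, collect probed admin paths and scanner user-agents; skip unparseable lines."""
    hits = defaultdict(lambda: {"admin_paths": set(), "scanner_uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # malformed line: ignore rather than crash the whole run
            continue
        path = rec["path"].lower()
        if any(path.startswith(p) for p in ADMIN_PATHS):
            hits[rec["ip"]]["admin_paths"].add(rec["path"])
        ua = rec["ua"].lower()
        if any(s in ua for s in SCANNER_UAS):
            hits[rec["ip"]]["scanner_uas"].add(rec["ua"])
    return dict(hits)            # only IPs that tripped at least one indicator are present


if __name__ == "__main__":
    for ip, info in find_recon(SAMPLE_LOG).items():
        print(ip, sorted(info["admin_paths"]), sorted(info["scanner_uas"]))
```

A source that both walks admin pages and identifies itself as a scanner is a stronger signal than either alone, which is why the two sets are kept separately per IP.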
Michael George, CEO of Invicti Security, Netsparker’s parent company, said: “We have no evidence of any such use on licensed versions of our software, which would be in clear violation of our service agreements. We actively block use of authorized versions of our software by location-restricted parties and follow other know-your-customer (KYC) best practices. Invicti Security remains committed to the highest ethical standards and to ensuring that our customers are able to permanently secure their web applications.”