S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY

State of the Hack

English - January 17, 2020 18:00 - 53 minutes - 37.1 MB - ★★★★★ - 28 ratings

In response to increased U.S.-Iran tensions stemming from the recent
killing of Quds Force leader Qasem Soleimani by U.S. forces, and to
concerns about potential retaliatory cyber attacks, we're bringing the
latest from our front-line experts on all things Iran. Christopher Glyer
and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson
(@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups -
including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the
freshest actionable information on suspected Iranian uncategorized
(UNC) groups that are active right now.

We get right into it with a picture of Iranian compromise activity
from just a few years ago - what we observed and the basic,
cookie-cutter approach to their intrusions - and then walk through the
stark contrast with their TTPs today. We discuss how and why their
Computer Network Operations (CNO) have evolved so quickly, and provide
a detailed walkthrough of all of the graduated Iranian APT groups.

Our experts share their experiences with each group, the moments when
Iranian threat actors surprised or impressed us, and notable shifts in
behavior - as well as our standing questions. Iranian
intrusion operators have come a long way from DDoS & defacement, basic
scanning, Cain & Abel and ASPXspy... to DNS hijacking, social
engineering via LinkedIn, information operations, and backdoors like
QUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with the
quick adoption of offensive security post-compromise tools and
techniques.

We close this first episode of season 3 with an overview of actionable
mitigations to secure against both Iranian intrusions and several
other threats, including disruptive and destructive ransomware
attacks. For more information on these mitigations as well as our
public source material supporting the discussion from the show, please
check out:
• APT33 graduation:
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.brighttalk.com/webcast/10703/275683
• APT33 webinar & examples:
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
• An example TEMP.Zagros phishing campaign:
https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
• APT35 highlights in MTrends 2018:
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
• Iranian information operations:
https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html
• RULER home page usage by Iranian groups & mitigations:
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• APT39 graduation:
https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• Iranian DNS Hijacking (DNSpionage):
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• More Iranian influence operations:
https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html
• APT34 social engineering via LinkedIn:
http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• FireEye response to mounting U.S.-Iran tensions:
https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html
• U.S.-Iran tensions webinar & mitigations overview:
https://www.brighttalk.com/webcast/7451/382779