The Federal Bureau of Investigation (FBI) has warned private business partners about an Iranian threat actor’s attempt to purchase stolen information on US and international organizations. The warning was contained in a TLP:AMBER private industry notice (PIN).
The FBI said the threat actor would most likely use leaked material (e.g., emails and network information) bought from clear- and dark-web sources to break into the affected organizations' networks. According to the FBI, US organizations whose data has previously been stolen and leaked online should expect to be targeted in future attacks by this as-yet-unidentified Iranian threat actor.
Among the Tactics, Techniques, and Procedures (TTPs) the FBI attributes to this actor are auto-exploiter tools used against WordPress sites to deploy web shells, and the compromise of RDP servers, which are then used to maintain access to victims' networks.
The actor also attempts to break into supervisory control and data acquisition (SCADA) systems using common default passwords. Organizations at risk are advised to secure Remote Desktop Protocol (RDP) servers, Web Application Firewalls, and Kentico CMS installations.
While the FBI did not name the Iranian threat actor in the PIN, its use of web application pentesting tools and vulnerability scanners such as Acunetix and SQLmap to find weak servers matches TTPs seen in earlier campaigns attributed to an Iranian state-backed hacking group.
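One concrete check a defender can run against the RDP-compromise TTP described above is to look for the classic pattern of many failed RDP logons from one source followed by a success from the same address. The following is an added example, not code from the FBI notice or the article: it parses constructed Windows Security event records (IDs 4625 and 4624 with LogonType 10, which is RemoteInteractive/RDP) in an assumed simple key=value format and reports any source IP that fails at least `threshold` times inside a time window and then logs on successfully.

```python
"""Flag RDP brute-force followed by a successful logon.

Added example, not part of the FBI notice or the article. It scans constructed
Windows Security event records (4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive/RDP) and reports any source address that
fails `threshold` or more times inside `window` and then succeeds.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int      # 4624 success, 4625 failure
    logon_type: int    # 10 = RemoteInteractive (RDP)
    user: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one record in the assumed 'key=value key=value' format.

    The format is an assumption made for this example, not a real Windows
    export format; adapt the field names to your SIEM's schema.
    """
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(
        time=datetime.fromisoformat(fields["time"]),
        event_id=int(fields["id"]),
        logon_type=int(fields["type"]),
        user=fields["user"],
        source_ip=fields["src"],
    )


def find_rdp_bruteforce(events: Iterable[LogonEvent], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one finding per source IP that produced >= threshold RDP
    failures within `window` and then an RDP success from the same IP."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != 10:
            continue  # only RDP (RemoteInteractive) logons are of interest here
        # keep only failures from this source that fall inside the window
        recent = [t for t in failures[ev.source_ip] if ev.time - t <= window]
        failures[ev.source_ip] = recent
        if ev.event_id == 4625:
            recent.append(ev.time)
        elif ev.event_id == 4624 and len(recent) >= threshold:
            findings.append({
                "source_ip": ev.source_ip,
                "user": ev.user,
                "failures": len(recent),
                "success_at": ev.time.isoformat(),
            })
            failures[ev.source_ip] = []  # one campaign yields one finding
    return findings


# Constructed sample records (not real telemetry). 203.0.113.7 sprays five
# accounts over RDP and then gets in as "admin"; 198.51.100.4 fails twice and
# succeeds (below threshold); 192.0.2.9 is a network (LogonType 3) spray and
# is ignored by the RDP-specific rule.
SAMPLE_LOG = """
time=2021-11-08T09:00:00 id=4625 type=10 user=administrator src=203.0.113.7
time=2021-11-08T09:00:07 id=4625 type=10 user=admin src=203.0.113.7
time=2021-11-08T09:00:15 id=4625 type=10 user=scada src=203.0.113.7
time=2021-11-08T09:00:22 id=4625 type=10 user=operator src=203.0.113.7
time=2021-11-08T09:00:30 id=4625 type=10 user=root src=203.0.113.7
time=2021-11-08T09:00:41 id=4624 type=10 user=admin src=203.0.113.7
time=2021-11-08T09:02:00 id=4625 type=10 user=jsmith src=198.51.100.4
time=2021-11-08T09:02:09 id=4625 type=10 user=jsmith src=198.51.100.4
time=2021-11-08T09:02:20 id=4624 type=10 user=jsmith src=198.51.100.4
time=2021-11-08T09:03:00 id=4625 type=3 user=svc src=192.0.2.9
time=2021-11-08T09:03:01 id=4625 type=3 user=svc src=192.0.2.9
time=2021-11-08T09:03:02 id=4625 type=3 user=svc src=192.0.2.9
time=2021-11-08T09:03:03 id=4625 type=3 user=svc src=192.0.2.9
time=2021-11-08T09:03:04 id=4625 type=3 user=svc src=192.0.2.9
time=2021-11-08T09:03:10 id=4624 type=3 user=svc src=192.0.2.9
""".strip()


def run_sample() -> list[dict]:
    """Parse the constructed sample and return the findings."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return find_rdp_bruteforce(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"RDP brute-force then success: {f}")
```

The rule deliberately requires a success after the failures, which cuts the noise of ordinary lockouts and scanner traffic; tune `threshold` and `window` to the environment, and consider a separate, lower-threshold rule for failures against accounts that should never log on over RDP at all.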
In a separate private industry notice released last week, the FBI's Cyber Division also warned that ransomware gangs had breached the networks of multiple tribal-owned casinos, taking down their servers and disabling connected systems. During the same week, the agency also warned the public that criminals are increasingly using cryptocurrency ATMs and QR codes to commit fraud, making it harder for law enforcement to recover victims' losses.