The FBI has issued an alert detailing the tools, techniques and tactics of an Iranian group, giving US organizations tips to defend against its malicious cyber activities.
Back in October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a campaign aimed at influencing and interfering with the 2020 US Presidential Election.
The Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors.
But the FBI information indicates Emennet poses a broader cybersecurity threat outside of information operations.
“Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel (hotels and airlines), oil and petrochemical, financial, and telecommunications, in the United States, Europe, and the Middle East,” it said.
Emennet is known to use virtual private network (VPN) services TorGuard, CyberGhost, NordVPN, and Private Internet Access. The group also uses web search to identify leading US business brands and then scans their websites for vulnerabilities to exploit. In some but not all cases, the exploit attempts were targeted and the group would also try to identify hosting and shared hosting services.
Emennet was particularly interested in finding webpages running PHP code and identifying externally accessible MySQL databases, in particular phpMyAdmin. They also were keen on WordPress, the most popular CMS on the web, as well as Drupal and Apache Tomcat.
“When conducting research, Emennet attempted to identify default passwords for particular applications a target may be using, and tried to identify admin and/or login pages associated with those same targeted websites. It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify,” the FBI warned.
It said the group has attempted to leverage cyber intrusions conducted by other actors for its own benefit, for example by searching for data hacked and leaked by other actors and by attempting to identify webshells that may have been placed or used by other cyber actors.
The group also uses a range of open-source penetration testing and research tools, including SQLmap, and it probably uses additional tools: DefenseCode Web Security Scanner, Wappalyzer, Dnsdumpster, Tiny mce scanner, Netsparker, WordPress security scanner (wpscan), and, of course, Shodan.
Michael George, CEO of Invicti Security, the parent company of Netsparker, said: “We have no evidence of any such use on authorized versions of our software which would be in clear violation of our service agreements. We actively block use of authorized versions of our software by restricted parties based on location and other know your customer (KYC) best practices. Invicti Security remains committed to upholding the highest ethical standards and ensuring our customers are able to continuously secure their web applications.”
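For defenders who want to check their own web logs for the reconnaissance pattern the alert describes (probing for phpMyAdmin and WordPress, Drupal or Tomcat admin/login pages, password attempts against them, and sqlmap or wpscan traffic), here is a log-triage sketch. It is an added example, not code from the FBI alert; the log lines, thresholds and rule names are constructed, and the paths are the common default locations for those products.

```python
import re
from collections import defaultdict

# Constructed sample (combined log format); addresses are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.9 - - [01/Mar/2022:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [01/Mar/2022:09:01:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2022:09:01:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2022:09:01:12 +0000] "GET /manager/html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.44 - - [01/Mar/2022:09:05:00 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.6 (https://sqlmap.org)"
203.0.113.80 - - [01/Mar/2022:09:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.80 - - [01/Mar/2022:09:07:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.80 - - [01/Mar/2022:09:07:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Default User-Agents of these tools contain their names; the header is
# trivially changed, so a miss here proves nothing.
SCANNER_UAS = ("sqlmap", "wpscan")
# Default admin/login locations for the platforms named in the alert.
ADMIN_PATHS = {
    "phpmyadmin": re.compile(r"^/(phpmyadmin|pma)(/|$)", re.I),
    "wordpress": re.compile(r"^/(wp-login\.php|wp-admin)\b"),
    "drupal": re.compile(r"^/user/login\b"),
    "tomcat": re.compile(r"^/(manager|host-manager)/html\b"),
}

def triage(log_text, guess_threshold=3):
    """Return {source_ip: [reasons]} for sources that look like reconnaissance."""
    platforms, posts, reasons = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path, ua = m.groups()
        for tool in SCANNER_UAS:
            if tool in ua.lower():
                reasons[ip].add("scanner-ua:" + tool)
        for name, rx in ADMIN_PATHS.items():
            if rx.search(path):
                platforms[ip].add(name)
                posts[ip] += method == "POST"
    for ip, seen in platforms.items():
        if len(seen) >= 2:  # one source hunting admin pages of several products
            reasons[ip].add("multi-platform-probe")
        if posts[ip] >= guess_threshold:  # repeated credential submissions
            reasons[ip].add("login-guessing")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

A single login from one address is not flagged; only cross-product probing, repeated credential POSTs, or a scanner User-Agent raise a reason, which keeps routine administrator logins out of the results.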