Iranian threat actors attempt to buy stolen data of US organizations, FBI warns

The FBI warned private industry partners of attempts by an Iranian threat actor to buy stolen information belonging to US organizations.

The Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) to warn private industry partners that Iran-linked threat actors are attempting to buy stolen information belonging to US businesses and organizations abroad.

Iranian nation-state actors are attempting to buy info available for sale in the cybercrime underground to launch attacks against US organizations.

US organizations whose data was stolen and leaked online in the past are at risk of cyber attacks that are orchestrated by an unnamed Iran-linked threat actor. US authorities fear an attack against operators in critical industries, this threat actors appear interested in obtaining access to SCADA systems to disrupt the process of the target organizations.

“The actor has demonstrated interest in leaked data sets in various locations, including web forums and the dark web. The FBI judges this actor may attempt to leverage information in these leaked data sets, such as network information and email correspondence, to conduct their own cyber operations against US organizations.FBI Private Industry Notification 20211108-001.” reads an excerpt from the alert shared by TheRecord. “This actor has also demonstrated interest in obtaining unauthorized access to SCADA systems using common default passwords.”

The FBI urges organizations that suffered a security breach in the past to reset passwords, enhance the security of systems exposed online and warn their employees.

The FBI also released information about tactics, techniques, and procedures (TTPs) associated with the Iranian threat actor such as the use of auto-exploiter tools to set up a network of compromised WordPress sites for possible use as an RDP-scanning botnet, or to enable webshell access to targeted organizations. Attackers also use to exploit the Kentico Content Management System (CVE-2019-10068) and used SQLmap to bypass Web Application Firewalls. 

Government experts also attempt to enable Remote Desktop Protocol (RDP) on victim machines or to bruteforce existing RDP accesses.

The threat actors also heavily leverage VPNs services such as Private Internet Access, Atlas VPN, TiKNet VPN, VPN Master Lite, and CyberGhost.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]