Iranian Cyber Actors Facilitating Ransomware Attacks on U.S. Organizations | CISA

The FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) warn that Iran-based cyber actors continue targeting U.S. and international organizations to obtain network access that they then provide to ransomware affiliates, while also conducting espionage for the Iranian government. The advisory details their TTPs, IOCs, and mitigations to help defenders detect and thwart these activities. #FoxKitten #UNC757 #PioneerKitten #NoEscape #RansomHouse #ALPHV #BlackCat #xplfinder #Br0k3r #FBI #CISA

Keypoints

  • Iran-based cyber actors have conducted intrusions against U.S. and foreign organizations since 2017, targeting education, finance, healthcare, and local government entities.
  • The actors collaborate with ransomware affiliates (e.g., NoEscape, RansomHouse, ALPHV/BlackCat) to deploy ransomware in exchange for a percentage of the ransom payments.
  • Initial access is gained by exploiting known CVEs in internet-facing devices, including CVE-2019-19781 and CVE-2023-3519 (Citrix NetScaler), CVE-2022-1388 (F5 BIG-IP), CVE-2024-3400 (Palo Alto PAN-OS), and CVE-2024-24919 (Check Point Security Gateways).
  • Observed MITRE techniques cover initial access, persistence, credential access, defense evasion, discovery, execution, C2, and exfiltration.
  • Indicators of compromise include specific IPs (e.g., 138.68.90.19, 167.99.202.130) and domains (e.g., api.gupdate.net, githubapp.net), plus notable webshell and remote-access artifacts.
  • Mitigations emphasize patching known CVEs, detecting actor-specific TTPs, and reporting incidents to FBI/CISA; validation of security controls against MITRE techniques is recommended.

MITRE Techniques

  • [T1596] Search Open Technical Databases – Iranian cyber actors use Shodan to identify vulnerable internet‑facing devices. ‘Use of Shodan to identify vulnerable devices.’
  • [T1190] Exploit Public-Facing Application – They scan for and exploit public-facing network devices (Citrix NetScaler, F5 BIG-IP, Pulse Secure/Ivanti VPN, Palo Alto PAN-OS and Check Point CVEs). ‘Exploitation of Citrix Netscaler, F5 BIG-IP, Pulse Secure/Ivanti VPNs, and PanOS firewalls.’
  • [T1133] External Remote Services – Creation of directories on targeted IP addresses to enable access. ‘Creation of directories on targeted IP addresses.’
  • [T1505.003] Server Software Component: Web Shell – Deployment of webshells on compromised devices. ‘Deployment of webshells on compromised devices.’
  • [T1136.001] Create Account (Local Account) – Creation of local accounts on victim networks. ‘Creation of local accounts on victim networks.’
  • [T1098] Account Manipulation – Requesting exemptions to tools for allowlisting or bypassing controls. ‘Request exemptions for tools on victim networks.’
  • [T1053] Scheduled Task/Job – Persistence via scheduled tasks and DLL side-loading. ‘Implementation of scheduled tasks for persistence.’
  • [T1078.003] Valid Accounts: Local Accounts – Repurposing local credentials to access other apps. ‘Repurposing compromised credentials for access.’
  • [T1078.002] Valid Accounts: Domain Accounts – Using admin/domain credentials to log into infrastructure. ‘Repurpose administrative credentials of network administrators to log into domain controllers.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling antivirus/security software via credential abuse. ‘Disable antivirus and security software.’
  • [T1562.010] Impair Defenses: Downgrade Attack – Lowering PowerShell security policies. ‘Lower PowerShell policies to a less secure level.’
  • [T1056] Input Capture – Capturing login credentials via webshells. ‘Capture login credentials using webshells on compromised Netscaler devices.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell used for remote access and command execution. ‘Using PowerShell for remote access and command execution.’
  • [T1012] Query Registry – Exporting registry hives and configurations. ‘Exporting registry hives and configurations.’
  • [T1219] Remote Access Software – Installing AnyDesk for remote access. ‘Installation of AnyDesk for remote access.’
  • [T1572] Protocol Tunneling – Ligolo and NGROK used for outbound connections. ‘Ligolo and NGROK for outbound connections.’
  • [T1657] Financial Theft – Collaboration with ransomware affiliates ‘to extort victims’ through ransomware operations.
  • [TA0010] Exfiltration (tactic) – Stealing sensitive data from victims in support of the Government of Iran. ‘stealing sensitive data from victims.’
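The host-side entries above (local account creation, scheduled tasks, the PowerShell policy downgrade, AnyDesk, Ligolo/NGROK) translate fairly directly into event-log detections. The following Python is an added example, not code from the advisory or from CISA. It runs over constructed Windows Security-style events; the event IDs it keys on (4720 user account created, 4698 scheduled task created, 4688 process creation) are standard Windows Security log IDs rather than values taken from the advisory, and the regexes, tool names and the three-technique threshold are illustrative assumptions.

```python
"""Map a few of the host-side TTPs listed above to detections over Windows
Security events. Added example, not CISA's or the advisory's code. The
events are constructed; the event IDs used (4720 user account created,
4698 scheduled task created, 4688 process creation) are standard Windows
Security log IDs, not values taken from the advisory."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real telemetry), flattened to dicts with
# the handful of Security-log fields the rules below look at.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "jsmith",
     "TargetUserName": "svc_backup"},
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "jsmith",
     "TaskName": r"\Microsoft\Windows\Update\Sync"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Set-ExecutionPolicy Unrestricted -Scope LocalMachine"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},  # command line simplified for the example
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},  # benign, must not fire
]


@dataclass(frozen=True)
class Finding:
    technique: str      # MITRE ATT&CK ID from the list above
    summary: str
    computer: str
    user: str
    detail: str


# Process-creation rules (assumed patterns). Matching is on binary names and
# command lines, not hashes, because the advisory names tools, not samples.
POLICY_DOWNGRADE = re.compile(r"set-executionpolicy\s+(unrestricted|bypass)", re.I)
REMOTE_ACCESS_TOOL = re.compile(r"(^|\\)anydesk[^\\]*\.exe$", re.I)
TUNNELING_TOOL = re.compile(r"(^|\\)(ngrok|ligolo[^\\]*)\.exe$", re.I)


def detect(events):
    """Return one Finding per rule hit, in event order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        user = ev.get("SubjectUserName", "?")
        if eid == 4720:
            findings.append(Finding("T1136.001", "local account created", host, user,
                                    ev.get("TargetUserName", "")))
        elif eid == 4698:
            findings.append(Finding("T1053", "scheduled task created", host, user,
                                    ev.get("TaskName", "")))
        elif eid == 4688:
            proc = ev.get("NewProcessName", "")
            cmd = ev.get("CommandLine", "")
            if POLICY_DOWNGRADE.search(cmd):
                findings.append(Finding("T1562.010", "PowerShell execution policy lowered",
                                        host, user, cmd))
            if REMOTE_ACCESS_TOOL.search(proc):
                findings.append(Finding("T1219", "remote access software started", host, user, proc))
            if TUNNELING_TOOL.search(proc):
                findings.append(Finding("T1572", "tunneling tool started", host, user, proc))
    return findings


def techniques_by_host(findings):
    """Distinct technique IDs seen per host, sorted, as a plain dict."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.computer].add(f.technique)
    return {host: sorted(ids) for host, ids in per_host.items()}


def hosts_with_chain(findings, min_techniques=3):
    """Hosts where several distinct techniques from the list co-occur. A
    single hit is noisy (admins create accounts and tasks); the combination
    is what suggests hands-on-keyboard activity."""
    return sorted(h for h, ids in techniques_by_host(findings).items()
                  if len(ids) >= min_techniques)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.computer} {f.technique:10} {f.summary}: {f.detail}")
    print("hosts with a TTP chain:", hosts_with_chain(detect(SAMPLE_EVENTS)))
```

The per-host chaining is the part worth keeping: each rule on its own will fire on legitimate administration, whereas an account creation, a new scheduled task, a policy downgrade and a tunneling binary on the same host within a short window is the pattern the technique list above describes. In production, feed the same rules from the SIEM rather than a list, and key the chain on a time window as well as the host.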

Indicators of Compromise

  • [IP Address] – 138.68.90.19, 167.99.202.130, and other addresses observed in 2024 (Table 10 of the advisory provides several examples).
  • [IP Address] – 78.141.238.182, 51.16.51.81, 51.20.138.134, and additional addresses observed through August 2024 (Table 10).
  • [Domain] – api.gupdate.net, githubapp.net, and 2 more domains observed coordinating activity (Table 10).
  • [File Name] – netscaler.1, netscaler.php, and 1 more file observed in Netscaler webshell deployments (Tables 10/11).
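A sweep of web or proxy logs for the indicators listed above, written as an added example (not the advisory's or CISA's code). The indicator values are the ones quoted in this summary; the log lines are constructed in Apache/nginx combined format, and the request paths, client addresses and hosts in them are invented. Domains are matched by suffix so that subdomains of a listed domain also hit, webshell names are matched on the last path segment with the query string stripped, and lines that do not parse are counted rather than silently dropped.

```python
"""Sweep web/proxy log lines for the indicators quoted above. Added example,
not the advisory's code: indicator values come from this summary, the log
lines are constructed, and the paths/hosts in them are invented."""
import re
from urllib.parse import urlsplit

# Indicators quoted above (a subset of the advisory's Table 10/11).
IOC_IPS = {"138.68.90.19", "167.99.202.130", "78.141.238.182",
           "51.16.51.81", "51.20.138.134"}
IOC_DOMAINS = {"api.gupdate.net", "githubapp.net"}
IOC_FILENAMES = {"netscaler.1", "netscaler.php"}

# Constructed sample lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
138.68.90.19 - - [12/Aug/2024:10:01:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [12/Aug/2024:10:02:10 +0000] "GET /netscaler.php?v=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2024:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://www.example.com/" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2024:10:04:00 +0000] "GET /update HTTP/1.1" 302 0 "http://cdn.githubapp.net/pkg" "curl/8.0"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def domain_matches(host, iocs):
    """Exact or subdomain match; 'evilgithubapp.net' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_line(line):
    """Return a list of (kind, value) hits for one log line, or None if the
    line does not parse (callers should count those rather than drop them)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hits = []
    if m["ip"] in IOC_IPS:
        hits.append(("ip", m["ip"]))
    # Webshell names show up as the last path segment; strip any query string.
    basename = urlsplit(m["path"]).path.rsplit("/", 1)[-1].lower()
    if basename in IOC_FILENAMES:
        hits.append(("file", basename))
    # On an egress proxy the C2 domains are most likely to appear in Referer
    # or the request host; here only Referer is checked. "-" yields no host.
    host = urlsplit(m["referer"]).hostname or ""
    if domain_matches(host, IOC_DOMAINS):
        hits.append(("domain", host))
    return hits


def sweep(log_text):
    """Return (hits_by_line, unparsed_line_numbers)."""
    results, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = scan_line(line)
        if hits is None:
            unparsed.append(lineno)
        elif hits:
            results.append((lineno, hits))
    return results, unparsed


if __name__ == "__main__":
    found, bad = sweep(SAMPLE_LOG)
    for lineno, hits in found:
        print(f"line {lineno}: " + ", ".join(f"{k}={v}" for k, v in hits))
    print("unparsed lines:", bad)
```

Two caveats when running this against real data: the IP indicators in the advisory are dated (observed through August 2024) and will be reassigned over time, so a hit on an address is a lead rather than a verdict; and a NetScaler appliance will not log a request for netscaler.php in its own web logs unless the device is forwarding them, so the file-name check belongs on the appliance's filesystem or on a reverse proxy in front of it as much as in HTTP logs.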

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a