
Increased Iranian cyber attacks targeting key American infrastructure sectors

Nation-state actors are exploiting weaknesses in network appliances from Check Point, Palo Alto Networks, and others to launch attacks across a range of industries.

Cyber aggressors associated with Iran intensifying digital assaults on critical American infrastructure

In a series of cyberattacks, threat actors linked to Iran have been targeting critical infrastructure industries, primarily in the United States and allied countries. The attackers exploit internet-exposed Industrial Control Systems (ICS) and Operational Technology (OT) as well as the internet-facing network appliances that front those environments, creating a risk of disruption and sabotage.

One of the most significant vulnerabilities exploited is the Palo Alto Networks command injection vulnerability CVE-2024-3400 in the GlobalProtect feature of PAN-OS, rated at the maximum CVSS score of 10.0. It allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Federal officials have reported that threat actors have been scanning for IP addresses hosting Palo Alto Networks PAN-OS or GlobalProtect VPN devices, likely in preparation for exploiting this vulnerability.

Another targeted vulnerability is CVE-2024-24919 in Check Point Security Gateways, an information-disclosure flaw in gateways with remote-access VPN enabled that lets an unauthenticated attacker read sensitive files from the device. Researchers have noted that only about half of the vulnerable assets have been remediated. Pioneer Kitten, a threat group known for collaborating with high-profile ransomware actors, has been seen scanning IP addresses for these gateways.

The attacks have primarily targeted industries such as water and wastewater utilities, energy and utilities (including oil, gas, electric grids, and pipelines), healthcare, transportation, manufacturing, defense industrial base, and supply chains.

These Iranian threat groups tend to conduct cyber espionage and disruptive activities motivated by a combination of financial gain and ideological purposes. Their operations have intensified, especially coinciding with geopolitical tensions related to Israel and the U.S.

The groups involved in these attacks include CyberAv3ngers, MuddyWater, APT33, OilRig, Fox Kitten (another name for Pioneer Kitten), Homeland Justice, and Pioneer Kitten. These groups have been observed tampering with control-system logic and exploiting outdated software, insecure remote-access points, and weak credential hygiene to cause disruptions.

Phishing campaigns and the exploitation of internet-exposed ICS equipment to gain unauthorized access to OT environments are also common tactics. Targeting of manufacturing and transportation companies has increased significantly, with these groups focusing on U.S. organizations in those sectors.

In a joint advisory, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center warned that Iran-based actors are collaborating with ransomware groups to attack key industries. They also noted that patching these vulnerabilities often involves complex change processes, potential downtime, and a risk of disrupting critical services, which helps explain why many exposed devices remain unpatched long after fixes are available.

Tickler, a new backdoor deployed by Peach Sandstorm, a threat actor linked to Iran's Islamic Revolutionary Guard Corps, has been used against federal and state governments and the oil and gas, satellite, and communications sectors in the U.S. and the United Arab Emirates. Peach Sandstorm is also conducting password-spray attacks against the education sector, as well as the satellite, defense, and government sectors.
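The scanning for PAN-OS and Check Point gateways described earlier and the password spraying attributed to Peach Sandstorm share one shape in logs: a single source address touches many distinct targets within a short window. The Python below is an added example of detection logic for that shape, written for this page and not taken from the article, the advisory, or any vendor; the key=value log format, the addresses, the account names, and the thresholds are assumptions made for illustration.

```python
"""Fan-out detection over constructed log lines (added example, not from the
article or the advisories it summarises).  Password spraying and appliance
scanning share one shape: one source touches many distinct targets in a
short window.  Group events by source, count distinct targets inside a
sliding window, and alert when the count reaches a threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs.  The "<ts> <event> key=value ..." layout and the
# RFC 5737 addresses are assumptions for this example, not a vendor format.
AUTH_LOG = """
2024-08-28T09:00:01 auth-fail src=203.0.113.7 user=alice
2024-08-28T09:00:14 auth-fail src=203.0.113.7 user=bob
2024-08-28T09:00:27 auth-fail src=203.0.113.7 user=carol
2024-08-28T09:00:40 auth-fail src=203.0.113.7 user=dave
2024-08-28T09:00:53 auth-fail src=203.0.113.7 user=erin
2024-08-28T09:01:06 auth-fail src=203.0.113.7 user=frank
2024-08-28T09:01:19 auth-fail src=203.0.113.7 user=grace
2024-08-28T09:02:00 auth-ok src=203.0.113.7 user=grace
2024-08-28T09:00:05 auth-fail src=198.51.100.4 user=heidi
2024-08-28T09:00:20 auth-fail src=198.51.100.4 user=heidi
2024-08-28T09:00:35 auth-fail src=198.51.100.4 user=heidi
2024-08-28T09:00:50 auth-ok src=198.51.100.4 user=heidi
"""
CONN_LOG = """
2024-08-28T10:15:00 conn src=203.0.113.20 dst=192.0.2.10 dport=443
2024-08-28T10:15:01 conn src=203.0.113.20 dst=192.0.2.11 dport=443
2024-08-28T10:15:01 conn src=203.0.113.20 dst=192.0.2.12 dport=443
2024-08-28T10:15:02 conn src=203.0.113.20 dst=192.0.2.13 dport=443
2024-08-28T10:15:02 conn src=203.0.113.20 dst=192.0.2.14 dport=443
2024-08-28T10:15:03 conn src=203.0.113.20 dst=192.0.2.15 dport=443
2024-08-28T10:15:30 conn src=198.51.100.9 dst=192.0.2.10 dport=443
2024-08-28T10:15:31 conn src=198.51.100.9 dst=192.0.2.10 dport=443
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse(line):
    """Parse one line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "event": m.group("event"), **fields}

def load(text):
    return [e for e in (parse(l) for l in text.strip().splitlines()) if e]

def fanout_alerts(events, key, target, window, threshold):
    """Map each source (e[key]) to the largest number of distinct targets
    (e[target]) it touched inside any window of the given length; keep only
    sources whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e[key]].append((e["ts"], e[target]))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        in_window = defaultdict(int)   # target -> occurrences inside window
        start, best = 0, 0
        for ts, tgt in items:
            in_window[tgt] += 1
            while ts - items[start][0] > window:   # slide the left edge
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]             # keep len() == distinct
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[src] = best
    return alerts

def detect_password_spray(text, window=timedelta(minutes=10), threshold=5):
    """One source, many accounts, one or two failures each: per-account
    lockout counters never trip, so count distinct accounts per source."""
    fails = [e for e in load(text) if e["event"] == "auth-fail"]
    return fanout_alerts(fails, "src", "user", window, threshold)

def successes_after_spray(text, alerts):
    """Successful logins from a source already flagged as spraying: the
    follow-up that names the account that actually fell."""
    return sorted((e["src"], e["user"]) for e in load(text)
                  if e["event"] == "auth-ok" and e["src"] in alerts)

def detect_appliance_scan(text, port="443", window=timedelta(seconds=60),
                          threshold=5):
    """One source, many destination hosts on one port, as with mass scanning
    for internet-facing VPN or firewall appliances."""
    conns = [e for e in load(text)
             if e["event"] == "conn" and e.get("dport") == port]
    return fanout_alerts(conns, "src", "dst", window, threshold)

if __name__ == "__main__":
    spray = detect_password_spray(AUTH_LOG)
    print("password spray:", spray)
    print("accounts compromised:", successes_after_spray(AUTH_LOG, spray))
    print("appliance scan:", detect_appliance_scan(CONN_LOG))
```

In the constructed auth log the spraying source fails once per account, so a conventional "N failures for one account" lockout rule sees nothing, while the distinct-account count per source reaches seven; the legitimate user who mistyped a password three times stays below threshold because all three failures hit one account. Tuning the window and threshold to the environment's normal fan-out (shared NAT egress, for example) is what separates a usable alert from noise.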

CISA officials have declined to comment on the Iran-linked threat activity beyond what was issued in the advisory. Microsoft researchers have identified Peach Sandstorm's activities as separate from the hacking outlined in previous warnings from CISA and the FBI.

State-linked actors have previously exploited vulnerabilities in Citrix NetScaler and F5 BIG-IP devices. As the threat landscape evolves, organizations need to keep internet-facing appliances patched and monitored and to close the remote-access and credential gaps these groups rely on.

Sources: [1] Cybersecurity Dive; [2] CyberScoop; [3] SecurityWeek; [4] Help Net Security; [5] Dark Reading

  1. The cyberattacks attributed to Iran have exploited a critical Palo Alto Networks command injection vulnerability (CVE-2024-3400) that enables unauthenticated attackers to execute arbitrary code with root privileges.
  2. Phishing campaigns and exploitation of exposed Industrial Control Systems (ICS) infrastructure are common tactics of Iranian threat groups such as Pioneer Kitten, with a focus on disrupting water and wastewater utilities, energy and utilities, healthcare, transportation, manufacturing, the defense industrial base, and supply chains.
  3. Cybersecurity experts warn that patching these vulnerabilities often requires complex processes, potential downtime, and risk to critical services, underscoring the need for vigilance and hardened systems against state-linked attacks such as those from Iran.
  4. State-linked actors such as Peach Sandstorm, connected to Iran's Islamic Revolutionary Guard Corps, have been identified using a new backdoor, Tickler, against federal and state governments, the oil and gas sector, and the satellite and communications industries, and are also conducting password-spray attacks against the education sector.
  5. Trade outlets including Cybersecurity Dive, CyberScoop, SecurityWeek, Help Net Security, and Dark Reading have covered the surge in Iranian cyber threats to critical infrastructure across the United States, the United Arab Emirates, and allied countries, describing cyber espionage and disruptive activity driven by both financial gain and ideological motives and often coinciding with political tensions.
