Iran cybersecurity attack threat
The U.S. airstrike that hit Iran’s top military leader has increased the threat of retaliation attacks on the U.S., including cyberattacks, according to Homeland Security, which is warning companies to “consider and assess” the possible impacts of a cyberattack on their businesses following the heightened tensions with Iran.
The threat of cyberattacks from Iran is not new.
In June, the Cybersecurity and Infrastructure Security Agency (CISA) warned companies to improve basic defenses because a cyber strike could be imminent:
“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear-phishing, password spraying, and credential stuffing,” the statement says. “What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
So, what are wiper attacks, and what are spear-phishing, password spraying and credential stuffing? And what can you do to protect your business?
Wiper attacks
A wiper is a type of malware whose intention is to wipe the hard drive of the computer it infects. Unlike ransomware, which holds your company hostage by encrypting your data and demanding money for the key to decrypt it, “wipers” simply destroy data.
What can you do?
- Test your backup and recovery process and plans. Also, take an inventory of your critical data to make sure that nothing critical is on devices or applications that may not be backed up, like workstations.
- Patch and update all software and equipment. Wiper attacks, like most malware, exploit computers that are not up to date with the latest patches for known vulnerabilities.
- Implement detection and response capabilities to quickly identify, contain, and respond to attacks. See Wipfli’s Managed Detection and Response.
Spear-phishing
This is an email attack that targets specific organizations or individuals, seeking unauthorized access to information. Spear-phishing attempts are not typically initiated by random hackers but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
What can you do?
- Train employees on how to spot well-crafted spear-phishing attempts.
- Train employees to verify all requests for sensitive information using an out-of-band verification method. Don’t respond to the email. Rather, call the individual requesting information using a known number, text, or face-to-face discussion.
- Flag external emails - To combat those CEO-impersonating emails, one effective tactic is to configure your email system to automatically flag external emails with a large, conspicuous banner at the top that labels the email as coming from an external sender. That way, if the email is supposedly coming from the CEO or another company employee but bears the external sender banner, the recipient knows right away it’s a potentially fraudulent email. We also recommend creating an email rule that flags all emails where the “reply-to” email address is different from the “from” email address shown.
- Ask your IT department or service provider to implement anti-spoofing rules that flag email domains that are similar to those of companies you work with. This would catch @acmeinc.com, @acme_company.com, or any other variations on the legitimate @acme.com email domain.
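The three mail-flow rules in the points above (external-sender banner, reply-to mismatch, lookalike partner domain) can be tried out with the following Python example. It is added here for illustration and is not Wipfli’s code or any mail product’s rule syntax; the organization domain example.com, the partner domain acme.com and the sample messages are constructed assumptions. Real gateways express the same checks in their own rule language, but the logic is the same.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed organization domain and the partner domains it exchanges mail with.
INTERNAL_DOMAIN = "example.com"
PARTNER_DOMAINS = {"acme.com"}


def address_of(header_value) -> str:
    """Lower-cased bare address from a From/Reply-To header value, '' if none."""
    return parseaddr(header_value or "")[1].lower()


def domain_of(header_value) -> str:
    """Domain part of the address in a header value, '' if none."""
    addr = address_of(header_value)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def core_label(domain: str) -> str:
    """Leftmost label with punctuation stripped: 'acme_company.com' -> 'acmecompany'."""
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the legitimate partner domain this domain imitates, if any.

    Catches @acmeinc.com, @acme_company.com and @acme.co style variations of
    @acme.com. This is a deliberately simple heuristic; production anti-spoofing
    rules usually add edit-distance and homoglyph checks on top of it.
    """
    if not domain or domain in PARTNER_DOMAINS:
        return None
    core = core_label(domain)
    for legit in sorted(PARTNER_DOMAINS):
        legit_core = core_label(legit)
        if core == legit_core or core.startswith(legit_core) or legit_core in core:
            return legit
    return None


def assess(raw_message: str) -> List[str]:
    """Return the banner labels a mail-flow rule would attach to this message."""
    msg = message_from_string(raw_message)
    from_addr = address_of(msg.get("From"))
    reply_addr = address_of(msg.get("Reply-To")) or from_addr
    flags = []
    if domain_of(msg.get("From")) != INTERNAL_DOMAIN:
        flags.append("EXTERNAL SENDER")
    if reply_addr != from_addr:
        flags.append("REPLY-TO MISMATCH")
    imitated = lookalike_of(domain_of(msg.get("From"))) or lookalike_of(domain_of(msg.get("Reply-To")))
    if imitated:
        flags.append(f"LOOKALIKE OF {imitated}")
    return flags


# Constructed sample messages (not real mail); .invalid is a reserved TLD.
SAMPLE_CEO_SPOOF = """\
From: "Pat Smith, CEO" <pat.smith.ceo@webmail.invalid>
Reply-To: pat.smith.ceo@other-mail.invalid
To: controller@example.com
Subject: Urgent wire

Please process the attached wire today.
"""

SAMPLE_LOOKALIKE = """\
From: billing@acme_company.com
To: controller@example.com
Subject: Updated bank details

See attached.
"""

SAMPLE_INTERNAL = """\
From: Pat Smith <pat.smith@example.com>
To: controller@example.com
Subject: Lunch

Noon works.
"""

if __name__ == "__main__":
    for name, sample in [("ceo spoof", SAMPLE_CEO_SPOOF), ("lookalike", SAMPLE_LOOKALIKE), ("internal", SAMPLE_INTERNAL)]:
        print(f"{name}: {assess(sample)}")
```

The external-sender check keys on the envelope domain, not the display name, which is why a message signed “Pat Smith, CEO” from a webmail domain still gets the banner.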
Password spraying
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords (e.g. Winter2020!, Qwerty, or Password123!). Traditional brute-force attacks, by contrast, attempt to gain unauthorized access to a single account by guessing its password. Attackers use an automated program to try the common passwords at 45-60-minute intervals to avoid triggering account lock-outs.
What can you do?
- Implement multi-factor authentication for accessing all services available through the internet. This includes your Virtual Private Network (VPN), Office 365, and Outlook Web Access.
Credential stuffing
Have you ever received an email from a scammer claiming that they have your user name and password, and the password is one that you have used? If so, it was likely harvested from one of many data breaches. Because many people re-use the same password for access to a variety of services, hackers can use the compromised credentials for login attempts at various sites, including your access to your company!
Credential stuffing is a type of cyberattack where stolen account credentials, typically lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
What can you do?
- Implement multi-factor authentication. That way, hackers cannot access your information without the second factor.
- Train users never to reuse the same password across services. Consider using a password manager to make this a more manageable process.
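Password spraying and credential stuffing leave the same footprint that a per-account lockout rule never sees: many different usernames failing from one source address. The Python example below, added here and not Wipfli’s code or any SIEM product’s rule, runs a detector over a constructed authentication log and separates the two by pacing, since spraying is throttled to stay under lockout thresholds while stuffing replays leaked pairs as fast as the web application will answer. The log format, usernames, addresses and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log for this example (format, names and
# addresses are assumptions, not output of any real product). Timestamps are UTC.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = (
    # a real user mistyping twice from the office gateway, then logging in
    ["2020-01-06T08:30:00Z auth FAIL user=bob src=192.0.2.20",
     "2020-01-06T08:30:20Z auth FAIL user=bob src=192.0.2.20",
     "2020-01-06T08:30:40Z auth OK user=bob src=192.0.2.20"]
    # spraying: one common password against six accounts, repeated 50 minutes
    # later so that no single account ever crosses a typical lockout threshold
    + [f"2020-01-06T09:00:{i:02d}Z auth FAIL user={u} src=198.51.100.7"
       for i, u in enumerate(SPRAY_USERS)]
    + [f"2020-01-06T09:50:{i:02d}Z auth FAIL user={u} src=198.51.100.7"
       for i, u in enumerate(SPRAY_USERS)]
    # stuffing: ten leaked username/password pairs replayed in under half a minute
    + [f"2020-01-06T10:15:{3 * i:02d}Z auth FAIL user=u{i:02d} src=203.0.113.9"
       for i in range(10)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield (timestamp, result, user, src); lines not in the expected format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["result"], m["user"], m["src"])


def classify_sources(lines, min_users=5, max_guesses_per_user=3,
                     min_spray_minutes=30, stuffing_rate_per_min=10):
    """Map each suspicious source address to 'password-spraying' or 'credential-stuffing'.

    A source must fail against at least min_users distinct accounts to be
    considered at all. A high failure rate marks stuffing; a low rate with only
    a few guesses per account spread over a long span marks spraying.
    """
    failures = defaultdict(list)
    for ts, result, user, src in parse_events(lines):
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, fails in failures.items():
        users = {user for _, user in fails}
        if len(users) < min_users:
            continue  # one person fat-fingering a password is not an attack
        timestamps = [ts for ts, _ in fails]
        # floor the span at 30 seconds so a burst of failures is not divided by zero
        span_minutes = max((max(timestamps) - min(timestamps)).total_seconds() / 60, 0.5)
        rate = len(fails) / span_minutes
        guesses_per_user = len(fails) / len(users)
        if rate >= stuffing_rate_per_min:
            verdicts[src] = "credential-stuffing"
        elif guesses_per_user <= max_guesses_per_user and span_minutes >= min_spray_minutes:
            verdicts[src] = "password-spraying"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A shared NAT egress or a VPN concentrator can legitimately show many distinct users failing from one address, so raise min_users for known gateways and correlate with the success rate before alerting. Either verdict is a reason to confirm that MFA is enforced on the service in question, which is the control that stops both attacks even when the guessed password is right.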
Lastly, we recommend that companies meet with their insurance provider to review the sufficiency and limitations of cyber insurance for your organization and critical vendors, including any “act of war” exclusions.
Wipfli will continue to monitor this developing situation. If you need assistance with hardening your attack surface and improving your cybersecurity posture, please contact Jeff Olejnik, Wipfli’s cybersecurity services leader, or your Wipfli relationship executive.