{"id":13192,"date":"2020-09-24T09:15:00","date_gmt":"2020-09-24T13:15:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=13192"},"modified":"2023-04-10T15:24:55","modified_gmt":"2023-04-10T19:24:55","slug":"what-to-take-away-from-irans-global-malware-campaign","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/what-to-take-away-from-irans-global-malware-campaign\/","title":{"rendered":"What to Take Away from Iran\u2019s Global Malware Campaign"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-the-fbi-recently-disclosed-that-iran-s-intelligence-agency-has-been-using-nation-state-actors-a-front-company-to-carry-out-a-years-long-global-malware-campaign-here-s-what-was-involved-and-what-we-took-away-from-the-situation\">The FBI recently disclosed that Iran\u2019s intelligence agency has been using nation-state actors &amp; a front company to carry out a years-long global malware campaign \u2014 here\u2019s what was involved and what we took away from the situation\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On Sept. 17, the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/boston\/news\/press-releases\/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies\" target=\"_blank\">FBI released a cybersecurity advisory<\/a> about eight previously undisclosed sets of malware that are tied to Iran\u2019s Ministry of Intelligence and Security (MOIS). The intelligence agency used them to monitor Iranian citizens, journalists, former government employees and dissidents (among others), as well as international companies in the academic, telecommunications, hospitality and travel sectors. This includes travel companies in the U.S. that have records of millions of travelers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attacks, which the FBI estimates has cost \u201cmillions of dollars\u201d to U.S. and international companies, have been ongoing for years. (The FBI\u2019s Boston office media representative told me that they couldn\u2019t disclose specifically for how long the malware campaign was running or how much the damages totaled more specifically when I reached out for comment.) As part of their effort to thwart MOIS\u2019s campaign capabilities, the FBI\u2019s Internet Crime Complaint Center (IC<sup>3<\/sup>) also <a href=\"https:\/\/www.ic3.gov\/media\/news\/2020\/200917-2.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">released an alert<\/a> that showcases some screenshots of the codes that were used.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what exactly was involved with these malware-based attacks? And what are the key takeaways from this incident that we can learn from?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-occurred-and-who-was-affected-by-the-malware-campaign\">What Occurred and Who Was Affected by the Malware Campaign<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to the FBI, MOIS has been targeting Iranian citizens, journalists, businesses and others both domestic and abroad. The used a front company called the Rana Intelligence Computing Company (Rana), as well as nation-state actors known publicly as Advanced Persistent Threat 39 (APT 39), which also were known by a few other names including Cadelspy, Chafer, ITG07, and Remexi.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There were also <a href=\"https:\/\/home.treasury.gov\/policy-issues\/financial-sanctions\/recent-actions\/20200917\" target=\"_blank\" rel=\"noreferrer noopener\">45 other individuals<\/a> that the U.S. Department of Treasury\u2019s Office of Foreign Assets Control (OFAC) <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sm1127\" target=\"_blank\" rel=\"noreferrer noopener\">imposed sanctions<\/a> against for being linked to Iran\u2019s MOIS on Sept. 17.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Their goal? In a nutshell, they used their vast resources to target, monitor, harass, repress and exploit anyone that they identified as a threat to the establishment. This includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Iranian citizens, journalists and dissidents,<\/li>\n\n\n\n<li>University students and faculty,<\/li>\n\n\n\n<li>Foreign government networks in nearby countries,<\/li>\n\n\n\n<li>\u201cHundreds of individuals and entities from more than 30 different countries across Asia, Africa, Europe, and North America,\u201d and<\/li>\n\n\n\n<li>International and domestic entities in the academic, telecommunications, hospitality and travel sectors (including 15 or more U.S.-based travel organizations).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, this malware campaign has affected a lot of people that the FBI knows of at this point. When MOIS operative caught up with some of the individuals they were monitoring, those targets were often arrested or subject to physical and psychological intimidation.<\/p>\n\n\n<span style=\"--tl-form-height-m:140.667px;--tl-form-height-t:118.1042px;--tl-form-height-d:118.1042px;\" class=\"tl-placeholder-f-type-shortcode_12779 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-know-whether-your-business-is-compromised\">How to Know Whether Your Business Is Compromised<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The FBI stated in their advisory that affected businesses and individuals have been notified. However, the FBI\u2019s Internet Crime Complaint Center (IC<sup>3<\/sup>) also released their own alert (alert number <a href=\"https:\/\/www.ic3.gov\/media\/news\/2020\/200917-2.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">ME-000134-MW<\/a>) that shares the \u201cIndicators of Compromise\u201d that are associated with the Rana Intelligence Computing and its other aliases. The IC<sup>3<\/sup>\u2019s goal is to help cybersec pros and sys admins to protect themselves against these types of malicious activities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the FBI\u2019s cybersecurity advisory:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cUntil now, most of these technical indicators have never been publicly discussed, nor attributed to the MOIS by the U.S. government. It is anticipated that by making this malicious code public, it will deal a significant blow to the MOIS and mitigate the ongoing victimization of thousands of individuals and organizations around the world, while also imposing risk and consequences on our cyber adversaries.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The 26-page resource includes a wealth of information relating to the malicious intrusion tools that the attackers used to carry out their mission. It contains information relating to the eight sets of malware that the FBI was able to identify, as well as YARA rules you can employ to detect these malicious files:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"756\" height=\"865\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/fbi-malware-samples-iran-mois.png\" alt=\"A screenshot from the FBI IC3 Alert that lists the 8 types of malware\" class=\"wp-image-13193 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/fbi-malware-samples-iran-mois.png 756w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/fbi-malware-samples-iran-mois-262x300.png 262w\" sizes=\"auto, (max-width: 756px) 100vw, 756px\" \/><figcaption>Screenshot source: FBI Internet Crime Complaint Center Alert Number ME-000134-MW<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s take a few moments to explore each of these types of malware a little more in depth.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-visual-basic-script-vbs-malware\">1. Visual Basic Script (VBS) Malware<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The IC<sup>3<\/sup>\u2019s alert says that the malware, which was embedded in seemingly innocuous Office files, launched scripts that would create files and run commands that would result in the victims\u2019 files being uploaded to attacker-controlled IP addresses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But how was this malware employed? According to the IC3\u2019s alert:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cThe VBS malware was embedded in Microsoft Office documents and sent to victims via spear phishing or other social engineering techniques.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">To identify files that indicate the presence of this malware, the FBI published a list of indicators of compromise (IOC) signatures and also created YARA rules that you can implement. For example, here\u2019s the YARA rule that they created for the VBS malware:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"388\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/vbs-malware-yara-rule-1024x388.png\" alt=\"A screenshot of the VBS YARA rules  released by the FBI IC3 team\" class=\"wp-image-13194 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/vbs-malware-yara-rule-1024x388.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/vbs-malware-yara-rule-300x114.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/vbs-malware-yara-rule-768x291.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/vbs-malware-yara-rule.png 1299w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Screenshot source: FBI Internet Crime Complaint Center Alert Number ME-000134-MW<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-autoit-malware-scripts\">2. AutoIT Malware Scripts<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This type of malware causes a script to execute that results in the creation of two new directories and PowerShell commands to run specific files. The PowerShell commands involved also are thought to allow the attackers to upload or download commands and files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The FBI determined that AutoIT malware and VBS malware are technically very similar in terms of functionality. And also like the aforementioned VBS malware, the AudtoIT malware was also spread via <a href=\"https:\/\/www.thesslstore.com\/blog\/gone-phishing\/\">phishing<\/a> and <a href=\"https:\/\/www.thesslstore.com\/blog\/social-engineering-attacks-a-look-at-social-engineering-examples-in-action\/\">social engineering<\/a> tactics.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The FBI published IOCs and created multiple YARA rules for the AutoIT malware set as well as the rest of the malware variants that follow. To view the full list of YARA rule screenshots, check out the <a href=\"https:\/\/www.ic3.gov\/media\/news\/2020\/200917-2.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">IC<sup>3<\/sup> alert resource<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-bits-1-0\">3. BITS 1.0<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">According to the IC<sup>3<\/sup> alert, this type of malware is thought to work in conjunction with the previous two sets of malware. It would use those malware variants to download the BITS 1.0 malware from attacker-controlled IT systems, which would then be used to collect data from the victims through key logging, screen captures, and other methods. The stolen data would be encrypted and password protected before being sent via the Microsoft BITS protocol back to the attackers systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malware involves the use of multiple executable files, including (but not limited to) Birds.exe and Splitter.exe.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can view the full list of IOCs and YARA rule screenshots for this malware in the FBI\u2019s IC<sup>3<\/sup> alert.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-bits-2-0-malware\">4. BITS 2.0 Malware<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, BITS 2.0 is a separate variant of the BITS 1.0 malware \u2014 even using similar communication channels and techniques. However, there are \u201csignificant changes in technical details\u201d that differentiates this from its sister malware that the report points out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For one, BITS 2.0 is self-extracting and contains \u201can image, an icon, a VBS script, and an executable.\u201d There was also an observed instance of the malware that contained two additional files. The events.exe file basically has the combined capabilities of the Events.exe and Splitter.exe executables of the BITS 1.0 malware. For example, it could:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allow the attackers to search for, upload and download files on the targets\u2019 devices.<\/li>\n\n\n\n<li>Execute command line operations of the victims\u2019 machines.<\/li>\n\n\n\n<li>Collect and capture a variety of data using keylogging, screenshots, and clipboard data.<\/li>\n\n\n\n<li>Turn off legitimate BITSADMIN processes.<\/li>\n\n\n\n<li>Bundle and transmit encrypted data for exfiltration to the attacker-controlled command-and-control (C2) server.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To view the full list of IOCs and the YARA rule screenshots for the BITS 2.0 malware, check out the IC3 alert.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-mozilla-firefox-mimicking-malware\">5. Mozilla Firefox-Mimicking Malware<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This type of malware that the federal investigators identified is a wolf in sheep\u2019s clothing. Basically, this variant, simply labeled \u201c1.exe,\u201d would disguise itself as a legitimate Mozilla Firefox files, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple .dll files<\/li>\n\n\n\n<li>Multiple executables including MozillaFirefox.exe, CrachReport.exe, SafeBrowser.exe, and MozillaUpdate.exe.<\/li>\n\n\n\n<li>Two VBS files, which would create shell commands to run binary for two of the executables.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The IC<sup>3<\/sup> report didn\u2019t disclose how the malware was delivered or wound up being downloaded by the targets. However, there are many ways that the malware could have been delivered \u2014 too many to go through here individually. A few of the possibilities we think could include using remote access tools, having direct access to install the malware, or by emailing a link to a fraudulent website where legitimate users could download the files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can view the full list of FBI\u2019s IOCs and YARA rule for this malware in the IC3 alert.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-6-python-based-malware\">6. Python-based Malware<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">According to the IC<sup>3<\/sup> release, this malware variant was typically contained within a .rar file along with a script named ma.py. Furthermore:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cWhen run, the file conducted a HTTP GET request to a command and control server conforming to [Actor IP]\/service.html. This GET request then downloaded additional malicious files to the victim machine. The file directed additional files from the command and control server to be written out as:<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>C:\\\\Windows\\\\Temp\\\\ImageVeiwer.exe. The file also directed ImageVeiwer.exe to be run at system reboot.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">To view the full list of YARA rule screenshots that the FBI created, please refer to the IC3 alert.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-7-android-malware\">7. Android Malware<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As a type of malware specifically designed to target android devices using an android package kit (APK). Although we don\u2019t know for sure when the malware was deployed, there may be a bit of a clue in the malware metadata certificate information. The certificate was listed as being valid from Dec. 23, 2018 to Sept. 25, 2019.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malware gave Iranian intelligence remote access and data-stealing capabilities without the users\u2019 knowledge so that they could:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Retrieve HTTP GET requests from the C2 server for the domain saveingone.com.<\/strong> This domain previously resolved to an Iran-based IP address. This type of server issues updates or commands for affected devices.<\/li>\n\n\n\n<li><strong>Steal data from the compromised devices<\/strong>. If you\u2019re wondering just how bad that can be, just remember how many people use their mobile devices for just about everything now. <strong>&nbsp;&nbsp;<\/strong><\/li>\n\n\n\n<li><strong>Compress and AES-encrypt the collected data.<\/strong><\/li>\n\n\n\n<li><strong>Forward data via HTTP POST requests to the attacker-controlled C2 server<\/strong>.<\/li>\n\n\n\n<li><strong>Record audio and video via the targets\u2019 devices<\/strong>.The APK gave the attackers permissions to use the microphone and camera for surveillance on compromised devices to record audio and take photos.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">You can view the full list of YARA rule screenshots that the FBI created in the IC3 alert.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-8-depot-dat-malware-and-dropper\">8. Depot.dat Malware and Dropper<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This type of malware, which comprised an encrypted MS CAB file (depot.dat) and a dropper, enabled the MOIS attackers to do the following and send the resulting data back to RANA-controlled IT infrastructure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Capture keylogger information,<\/li>\n\n\n\n<li>Collect screenshots of the victims\u2019 devices, and<\/li>\n\n\n\n<li>Collect a variety of other data.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The dropper, which decrypts the encrypted depot.dat file, \u201cestablishes persistence\u201d for the malware. The CAB file contains four separate files that enabled the malware to carry out the malware\u2019s data collection, packaging, and exfiltration functions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can view the full list of the FBI\u2019s IOCs and YARA rule screenshots in the IC3 alert.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-few-takeaways-from-this-situation\">A Few Takeaways From This Situation\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This threat is one that has affected individuals, businesses, governments and other organizations on a global scale. But if you think that Iran is the only government in the world that spies on its citizens, neighbors and other entities of interest, then I\u2019ve got a bridge (or two) to sell you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">No, the FBI\u2019s recent announcement about Iran\u2019s MOIS isn\u2019t the first time a government or group of nation-state actors has been caught spying on others \u2014 nor is it likely to be the last. We\u2019ve seen plenty of examples of government spying programs in recent years:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The U.S.\u2019s <a href=\"https:\/\/www.reuters.com\/article\/us-usa-nsa-spying\/u-s-court-mass-surveillance-program-exposed-by-snowden-was-illegal-idUSKBN25T3CK\" target=\"_blank\" rel=\"noreferrer noopener\">National Security Agency (NSA) spied on U.S. citizens<\/a> in illegal mass surveillance program.<\/li>\n\n\n\n<li>The U.K.\u2019s Government Communication Headquarters <a href=\"https:\/\/www.amnesty.org\/en\/latest\/campaigns\/2015\/03\/10-spy-programmes-with-silly-codenames-used-by-gchq-and-nsa\/\" target=\"_blank\" rel=\"noreferrer noopener\">(GCHQ) surveillance programs<\/a> such as Tempora and The Three Smurfs.<\/li>\n\n\n\n<li>U.S. and German intelligence <a href=\"https:\/\/www.bbc.com\/news\/world-europe-51487856\">used a Swiss encryption company as a cover for surveillance<\/a> via their products that were used around the world.<\/li>\n\n\n\n<li>Many <a href=\"https:\/\/threatpost.com\/nation-backed-apts-covid-19-spy-attacks\/155082\/\" target=\"_blank\" rel=\"noreferrer noopener\">nation-state actors used the COVID-19 pandemic<\/a> to cover for various espionage activities.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Although there are some key pieces of information that we don\u2019t know about the Iran malware situation, let\u2019s consider what we do know. There are a few critical takeaways that extend beyond this situation and speak to the importance of securing data for businesses and other organizations in general.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-telecommunications-companies-are-among-chief-targets-for-cybercriminals\">Telecommunications Companies Are Among Chief Targets for Cybercriminals<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the case of the MOIS malware campaign, the FBI shared that telecommunication companies were among the targeted organizations. This isn\u2019t very surprising considering that telecoms companies make excellent targets for government surveillance and nation-state actors alike. After all, they provide critical communications infrastructure and are trusted with transmitting and storing tons of sensitive data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Telecommunications companies typically includes internet service providers (ISPs). And if an ISP, for example, becomes compromised, it gives attackers access to all of the data that flow through them. This leaves them with big targets painted on their backs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Internet service providers aren\u2019t infallible and can become compromised through different means. A few examples include bad guys:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Teaming up with malicious insiders (rogue employees),<\/li>\n\n\n\n<li>Targeting and blackmailing employees via social engineering or phishing attacks, or by<\/li>\n\n\n\n<li>Exploiting unpatched or zero-day vulnerabilities.<\/li>\n<\/ul>\n\n\n<span style=\"--tl-form-height-m:966.781px;--tl-form-height-t:989px;--tl-form-height-d:989px;\" class=\"tl-placeholder-f-type-shortcode_12768 tl-preload-form\"><span><\/span><\/span>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-nation-state-actors-can-use-these-isps-to-monitor-or-steal-your-data\">Nation-State Actors Can Use These ISPs to Monitor or Steal Your Data<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Now, nation-state actors \u2014 Iranian or otherwise \u2014 could infiltrate those companies to gain access to their networks and data. They can then use their access to monitor and steal valuable data that flows through their systems. And this is why it\u2019s so important that all organizations and other entities take the necessary steps to secure their data and communication channels.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After all, when data travels across the internet, it traverses through potentially dozens of different touch points \u2014 modems, routers, networks, servers, etc. That\u2019s a lot of potentially insecure places where bad guys could try to intercept it. We\u2019ll cover more about how this data transmission process works next week (be sure to check back for that one). In the meantime, what does this all mean?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, as your data travels from one system to the next to the next, it\u2019s going through a lot of different (and potentially vulnerable) touchpoints. And if that information is transmitted using the insecure HTTP protocol, then that information is sent in plaintext. This means that if your ISP is compromised by government or nation-state attackers (or any other threat actors), any of your data that transmits through that ISP is also compromised. So, to protect your data as it zips around the world at outrageous speeds, you need to use encrypted communication channels.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-use-encryption-to-protect-your-data-even-from-compromised-isps\">Use Encryption to Protect Your Data (Even From Compromised ISPs)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019d love to say that if the businesses that were affected by MOIS\u2019s campaign used <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-pki-a-crash-course-on-public-key-infrastructure-pki\/\">public key infrastructure<\/a> and TLS, that they could have prevented their data from being compromised. But the reality is that there\u2019s no way to tell whether the directly targeted companies could have protected themselves through PKI\/SSL usage. (I even tried asking the FBI contact whether any of the known victims were using any type of data encryption, but she said that they couldn\u2019t disclose that.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But we do know one thing for sure\u2014PKI can definitely help protect you if your data is being transmitted by a compromised ISP.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are two PKI-related implementations that can be useful in helping to protect your organization\u2019s data. Using the secure HTTPS protocol and <a href=\"https:\/\/www.thesslstore.com\/blog\/what-you-need-to-know-about-s-mime\/\">S\/MIME certificate<\/a>s for end-to-end encryption can help you to ensure that even if your ISP gets compromised, your data won\u2019t be.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-ssl-tls-certificates\">SSL\/TLS Certificates<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">A TLS certificate (sometimes also still referred to as an SSL certificate) enabled HTTPS for your website. HTTPS (among other benefits) protects you against spying via a compromised ISP\u2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since HTTP data exchanges over the internet take place using plain text, basically anyone can read it because the data isn\u2019t encrypted. Without a secure connection to protect the communications, the data transmission could be intercepted by man-in-the-middle (MitM) and altered to include malicious content (such as malware files).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TLS certificates enable your website connections to occur via the secure HTTPS protocol instead of the insecure HTTP protocol. This encrypted communication channel prevents eavesdropping and MitM attack from access your plaintext information. Basically, it\u2019ll just look like a bunch of gibberish since they won\u2019t be able to decrypt the information without use of the requisite private key.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-s-mime-certificates-email-signing-certificates\">S\/MIME Certificates (Email Signing Certificates)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Email signing certificates make it possible to digitally sign and encrypt your email communications. This makes <a href=\"https:\/\/www.thesslstore.com\/blog\/end-to-end-encryption-the-good-the-bad-and-the-politics\/\">end-to-end encryption<\/a> possible. (Note: While you can send digitally signed documents to anyone, the recipient would also need to have an email signing certificate installed to exchange encrypted email messages.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When you use end-to-end encryption to protect your emails, even if any attackers are able to gain access to and download your data, they\u2019d need to have access to the companies\u2019 individual private keys to decrypt and read the data. In other words, without the decryption keys, all the attackers would achieve is capturing a huge amount of data that they can\u2019t use. Those blocks of data are the virtual equivalent of a paperweight. Not exactly useful or profitable for them\u2026<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-follow-cybersecurity-best-practices-to-harden-your-device-and-network-security-defenses\">Follow Cybersecurity Best Practices to Harden Your Device and Network Security Defenses<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, as a general rule of thumb, all organizations and businesses should be following cybersecurity best practices for network and device security. There are plenty of valuable web security tools and processes that you can use to monitor and identify malware-related threats. Examples of these processes and solutions include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implementing access controls to ensure that only those who need access to sensitive data or IT systems have it.<\/li>\n\n\n\n<li>Using signature- and behavior-based antivirus and anti-malware solutions.<\/li>\n\n\n\n<li>Performing regular updates and patching to software, devices and IT systems.<\/li>\n\n\n\n<li>Conducting vulnerability assessments and scans to identify vulnerabilities.<\/li>\n\n\n\n<li>Implementing penetration testing to identify exploits.<\/li>\n\n\n\n<li>Implementing web application firewalls (WAFs).<\/li>\n\n\n\n<li>Employing email filtering to cull suspicious (and potentially malicious) messages<\/li>\n\n\n\n<li>Implement <a href=\"https:\/\/www.thesslstore.com\/blog\/email-security-spf\/\">SPF<\/a>, <a href=\"https:\/\/www.thesslstore.com\/blog\/dkim-domainkeys-identified-mail\/\">DKIM<\/a> and <a href=\"https:\/\/www.thesslstore.com\/blog\/dmarc-reporting-and-email\/\">DMARC<\/a> to prevent people from <a href=\"https:\/\/www.thesslstore.com\/blog\/email-spoofing-101-how-to-avoid-becoming-a-victim\/\">spoofing your domain in phishing and other malicious email communications<\/a>.<\/li>\n\n\n\n<li>Conduct server network analysis.<\/li>\n\n\n\n<li>Perform regular cybersecurity awareness training for all of your employees and users who have access to your network and other systems.<\/li>\n\n\n\n<li>Implementing computer use policies to ensure that users only use organization devices for official purposes and not, say, surfing the internet.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The FBI recently disclosed that Iran\u2019s intelligence agency has been using nation-state actors &amp; a front company to carry out a years-long global malware campaign \u2014 here\u2019s what was involved&#8230;<\/p>\n","protected":false},"author":17,"featured_media":13196,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16,10200],"tags":[2804,4163],"class_list":["post-13192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","category-monthly-digest","tag-cyber-crime","tag-malware","post-with-tags"],"views":14143,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/09\/iran-global-malware-campaign.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/13192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=13192"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/13192\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/13196"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=13192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=13192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=13192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}