The US Federal Bureau of Investigation (FBI) has released a warning outlining the TTPs (tactics, techniques, and procedures) of Iran-based Emennet Pasargad, reportedly a cybersecurity and intelligence firm servicing Iranian government agencies, to help recipients inform and defend themselves against the group’s malicious activities.

In the FBI’s Private Industry Notification (PIN), the agency confirms that two Iranian nationals employed by Emennet were charged with cyberintrusion and fraud, voter intimidation, interstate threats, and conspiracy by the US Department of Justice. Additionally, the Department of the Treasury’s Office of Foreign Assets Control alleges that Emennet, along with the two accused Iranian nationals, attempted to influence the 2020 US presidential election.

The notification points out that Emennet ran an interference campaign during the election: obtaining confidential voter information from state election websites, sending intimidating emails to voters, crafting and distributing misinformation videos about voting vulnerabilities, and hacking into media companies’ computer networks. During the campaign, the actors masqueraded as members of the Proud Boys, an American far-right, neofascist, and exclusively male organization.

“This interference campaign digs to the very sanctity of American democracy as these actors intentionally posed as racist extremists to threaten and intimidate people,” says Liz Miller, an analyst at Constellation Research. “This is when cyberattacks are really just the ammunition of choice in a far more dangerous game.”

Emennet has also been linked to previous cyberintelligence and hacking operations, mostly using false-flag personas like “Yemen Cyber Army” in 2018.
FBI describes cyberintelligence, hacking tactics

A tactic Emennet has been known for is conducting reconnaissance on potential targets, then working to identify any entry points, including vulnerable software or systems, according to the notice. This is generally done by first running a generic web search such as “top American news site” and then scanning the resulting websites’ network assets for vulnerabilities.

The FBI’s PIN, issued last week, lists the most common and recent CVEs (common vulnerabilities and exposures) Emennet has been found to exploit, which include:

CVE-2019-0232: A Windows-specific command-line argument vulnerability in the CGI Servlet of Apache Tomcat (versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93) that allows RCE (remote code execution).
CVE-2019-9546: Allows privilege escalation through the RabbitMQ service on the SolarWinds Orion Platform before 2018.
CVE-2018-1000001: A confusion vulnerability in the usage of getcwd() by realpath() in glibc 2.26 and earlier that could allow code execution.
CVE-2018-7600: Allows arbitrary code execution due to a default module configuration of Drupal (7.x, 8.3.x, 8.4.x, and 8.5.x before 7.58, 8.3.9, 8.4.6, and 8.5.1 respectively).
CVE-2017-5963: Allows arbitrary HTML and script code execution in caddy before 7.2.10 due to insufficient filtering of user-supplied data.

Each of these vulnerabilities has been patched in subsequent updates by the providers.

“Although not essentially a more significant threat than the others out there, the fact that Emennet exploits ‘fairly common’ systems and applications like WordPress, Drupal, Apache Tomcat, is exactly why the private industry should sit up and take notice,” says Miller. “Commonplaces are easily overlooked.”

Emennet’s use of open-source tools, such as web pages running PHP code or pages with externally accessible MySQL databases, provides solid insight for the private sector into attack techniques and vulnerable networks and systems, according to Miller. To obfuscate their tracks, Emennet is believed to use VPN services like TorGuard, CyberGhost, NordVPN, and Private Internet Access. The group has additionally demonstrated interest in leveraging bulk SMS services for mass dissemination of propaganda.

The FBI added that Emennet poses a broad cybersecurity threat, with possible exploitation activity spanning several sectors including news, shipping, travel (hotels and airlines), power, and telecommunications.

Recommendations include basics like firewalls, patching

The FBI recommends enabling and updating antimalware and antivirus software, adopting effective threat detection services at the network, device, operating system, application, and email service levels, and considering reputable hosting and CMS (content management system) services for configuring external-facing applications, in addition to identifying and patching the mentioned CVEs. Employing a web application firewall (WAF) and applying CMS restrictions such as disabling remote file editing, restricting file execution to specific directories, and limiting login attempts are also advised as basic precautions.

“Reports issued by federal agencies, especially like this notice on attack vectors, bad actor behaviors, and TTP patterns, is yet another critical layer of intelligence and information that everyone involved in security should access and include in their information gathering,” says Miller. “Other than the most obvious and basic recommendations provided in the notice, CISOs must make a note of all the critical CVEs identified in the document.”
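The notice’s advice to identify and patch the listed CVEs starts with knowing which installed versions fall inside the affected ranges. The following is an added example (not code from the FBI notice or this article) that checks a constructed software inventory against the version ranges quoted above for three of the CVEs; the product names, inventory, and range table are assumptions for illustration.

```python
# Flag inventory entries whose version falls in an affected range stated in the
# FBI notice. Ranges below are transcribed from the article's CVE list; the
# product labels and the sample inventory are constructed for this example.

def version_key(v: str, width: int = 4) -> tuple:
    """Turn '9.0.0.M1' into a sortable tuple. Milestone parts (M1) sort
    before the matching final release, so 9.0.0.M1 < 9.0.0 < 9.0.1."""
    parts = []
    for p in v.split("."):
        if p.isdigit():
            parts.append((1, int(p)))
        elif p[:1].upper() == "M" and p[1:].isdigit():
            parts.append((0, int(p[1:])))
        else:
            raise ValueError(f"unsupported version component {p!r} in {v!r}")
    parts += [(1, 0)] * (width - len(parts))  # pad so 9.0.0 == 9.0.0.0
    return tuple(parts)

# (product, cve, low inclusive, high, high inclusive?)
AFFECTED = [
    ("apache-tomcat", "CVE-2019-0232", "9.0.0.M1", "9.0.17", True),
    ("apache-tomcat", "CVE-2019-0232", "8.5.0", "8.5.39", True),
    ("apache-tomcat", "CVE-2019-0232", "7.0.0", "7.0.93", True),
    ("glibc", "CVE-2018-1000001", "0", "2.26", True),      # 2.26 and earlier
    ("drupal", "CVE-2018-7600", "7.0", "7.58", False),     # 7.x before 7.58
    ("drupal", "CVE-2018-7600", "8.3.0", "8.3.9", False),
    ("drupal", "CVE-2018-7600", "8.4.0", "8.4.6", False),
    ("drupal", "CVE-2018-7600", "8.5.0", "8.5.1", False),
]

def matching_cves(product: str, version: str) -> list:
    """Return the CVEs whose stated range covers this product version."""
    key, hits = version_key(version), []
    for prod, cve, lo, hi, hi_incl in AFFECTED:
        if prod != product:
            continue
        above_lo = key >= version_key(lo)
        below_hi = key <= version_key(hi) if hi_incl else key < version_key(hi)
        if above_lo and below_hi and cve not in hits:
            hits.append(cve)
    return hits

def audit(inventory: list) -> dict:
    """Map each (host, product, version) to its matching CVEs; empty = clean."""
    return {(h, p, v): matching_cves(p, v) for h, p, v in inventory}

if __name__ == "__main__":
    sample = [("web01", "apache-tomcat", "9.0.16"), ("web02", "apache-tomcat", "9.0.18"),
              ("cms01", "drupal", "8.5.0"), ("cms02", "drupal", "7.58"),
              ("app01", "glibc", "2.26")]  # constructed inventory
    for item, cves in audit(sample).items():
        print(item, "VULNERABLE " + ", ".join(cves) if cves else "ok")
```

Feeding the script a real inventory (host, product, version) reproduces the patch-priority list the notice asks CISOs to keep; entries for the other two CVEs can be added to AFFECTED once their exact affected versions are confirmed against the vendor advisories.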