SafeBreach Hacker's Playbook Updated for US-CERT Alert (AA20-259A) Iran-Based Threat Actor Exploits VPN Vulnerabilities

SafeBreach Labs has updated the Hacker's Playbook™ with new attack methods for the malware samples described in US-CERT Alert AA20-259A, Iran-Based Threat Actor Exploits VPN Vulnerabilities, which documents yet another threat group leveraging known VPN vulnerabilities for which vendor patches are available. CISA also issued US-CERT Alert AA20-258A on Chinese Ministry of State Security-affiliated threat actors using similar techniques against the same vulnerabilities; see the US-CERT Alert AA20-258A blog post for details.

52 newly developed playbook methods related to AA20-259A (the ar20-259a prefix in the sample names refers to the companion CISA Analysis Report AR20-259A, which covers the web shells from this campaign):

  • #5435 - Write ar20-259a_webshell_1 malware to disk (Host-Level)
  • #5436 - Transfer of ar20-259a_webshell_1 malware over HTTP/S (Lateral Movement)
  • #5437 - Transfer of ar20-259a_webshell_1 malware over HTTP/S (Infiltration)
  • #5438 - Email ar20-259a_webshell_1 malware as a ZIP attachment (Lateral Movement)
  • #5439 - Email ar20-259a_webshell_1 malware as a ZIP attachment (Infiltration)
  • #5440 - Write ar20-259a_webshell_2 malware to disk (Host-Level)
  • #5441 - Transfer of ar20-259a_webshell_2 malware over HTTP/S (Lateral Movement)
  • #5442 - Transfer of ar20-259a_webshell_2 malware over HTTP/S (Infiltration)
  • #5443 - Email ar20-259a_webshell_2 malware as a ZIP attachment (Lateral Movement)
  • #5444 - Email ar20-259a_webshell_2 malware as a ZIP attachment (Infiltration)
  • #5445 - Write ar20-259a_webshell_3 malware to disk (Host-Level)
  • #5446 - Transfer of ar20-259a_webshell_3 malware over HTTP/S (Lateral Movement)
  • #5447 - Transfer of ar20-259a_webshell_3 malware over HTTP/S (Infiltration)
  • #5448 - Email ar20-259a_webshell_3 malware as a ZIP attachment (Lateral Movement)
  • #5449 - Email ar20-259a_webshell_3 malware as a ZIP attachment (Infiltration)
  • #5450 - Write ar20-259a_keethief_powershell malware to disk (Host-Level)
  • #5451 - Transfer of ar20-259a_keethief_powershell malware over HTTP/S (Lateral Movement)
  • #5452 - Transfer of ar20-259a_keethief_powershell malware over HTTP/S (Infiltration)
  • #5453 - Email ar20-259a_keethief_powershell malware as a ZIP attachment (Lateral Movement)
  • #5454 - Email ar20-259a_keethief_powershell malware as a ZIP attachment (Infiltration)
  • #5455 - Pre-execution phase of ar20-259a_keethief_exe malware (Host-Level)
  • #5456 - Write ar20-259a_keethief_exe malware to disk (Host-Level)
  • #5457 - Transfer of ar20-259a_keethief_exe malware over HTTP/S (Lateral Movement)
  • #5458 - Transfer of ar20-259a_keethief_exe malware over HTTP/S (Infiltration)
  • #5459 - Email ar20-259a_keethief_exe malware as a ZIP attachment (Lateral Movement)
  • #5460 - Email ar20-259a_keethief_exe malware as a ZIP attachment (Infiltration)
  • #5461 - Pre-execution phase of ar20-259a_chisel malware (Host-Level)
  • #5462 - Write ar20-259a_chisel malware to disk (Host-Level)
  • #5463 - Transfer of ar20-259a_chisel malware over HTTP/S (Lateral Movement)
  • #5464 - Transfer of ar20-259a_chisel malware over HTTP/S (Infiltration)
  • #5465 - Email ar20-259a_chisel malware as a ZIP attachment (Lateral Movement)
  • #5466 - Email ar20-259a_chisel malware as a ZIP attachment (Infiltration)
  • #5467 - Pre-execution phase of ar20-259a_angry_ip_scanner malware (Host-Level)
  • #5468 - Write ar20-259a_angry_ip_scanner malware to disk (Host-Level)
  • #5469 - Transfer of ar20-259a_angry_ip_scanner malware over HTTP/S (Lateral Movement)
  • #5470 - Transfer of ar20-259a_angry_ip_scanner malware over HTTP/S (Infiltration)
  • #5471 - Email ar20-259a_angry_ip_scanner malware as a ZIP attachment (Lateral Movement)
  • #5472 - Email ar20-259a_angry_ip_scanner malware as a ZIP attachment (Infiltration)
  • #5473 - Pre-execution phase of ar20-259a_nmap malware (Host-Level)
  • #5474 - Write ar20-259a_nmap malware to disk (Host-Level)
  • #5475 - Transfer of ar20-259a_nmap malware over HTTP/S (Lateral Movement)
  • #5476 - Transfer of ar20-259a_nmap malware over HTTP/S (Infiltration)
  • #5477 - Email ar20-259a_nmap malware as a ZIP attachment (Lateral Movement)
  • #5478 - Email ar20-259a_nmap malware as a ZIP attachment (Infiltration)
  • #5479 - Write ar20-259a_drupwn malware to disk (Host-Level)
  • #5480 - Transfer of ar20-259a_drupwn malware over HTTP/S (Lateral Movement)
  • #5481 - Transfer of ar20-259a_drupwn malware over HTTP/S (Infiltration)
  • #5482 - Email ar20-259a_drupwn malware as a ZIP attachment (Lateral Movement)
  • #5483 - Email ar20-259a_drupwn malware as a ZIP attachment (Infiltration)
  • #5484 - Communication with ar20-259a_tiny_web_shell using HTTP
  • #5485 - Communication with ar20-259a_chunky_tuna using HTTP
  • #5486 - Communication with ar20-259a_Chisel using HTTP

Gain insight into vulnerabilities that are exploitable

Prioritizing vulnerabilities is a challenge most organizations struggle with because far too many findings are classified as high priority. Adopting a risk-based vulnerability management approach, one that uses data from your own environment to determine which vulnerabilities are actually exploitable, lets security teams focus remediation where it matters. Correctly identifying the high-priority vulnerabilities that truly constitute risk makes it feasible to mitigate all of them, and reduces the chance that an attack like the ones described in this alert succeeds.

Learn More about SafeBreach Risk-Based Vulnerability Management
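As an illustration of the kind of data join a risk-based program needs, here is an added Python example (not SafeBreach code): it ranks scanner findings by combining severity with the outcome of breach simulations such as the playbook methods listed above, and contrasts that order with a CVSS-only sort. The field names, the tier rules and the sample findings are assumptions constructed for this example; the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Risk-based ranking of vulnerability findings using simulation outcomes.

Added example; not SafeBreach code. Record layouts, tier rules and sample
data are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # scanner severity, 0.0 - 10.0
    internet_exposed: bool  # asset reachable from the Internet


@dataclass(frozen=True)
class SimResult:
    asset: str
    vuln_id: str
    attack_id: int          # playbook method number the simulation used
    blocked: bool           # True when a control stopped the simulated attack


# Tiers, highest urgency first.
TIER_PROVEN = 3            # a simulation succeeded: exploitable right now
TIER_UNTESTED_EXPOSED = 2  # no evidence yet, but exposed and high severity
TIER_BLOCKED = 1           # tested, every attempt blocked: patch, less urgent
TIER_LOW = 0               # everything else


def tier_for(f: Finding, results: list[SimResult]) -> int:
    """Assign a tier from the simulation evidence for one (asset, vuln) pair."""
    if any(not r.blocked for r in results):
        return TIER_PROVEN
    if results:
        return TIER_BLOCKED
    if f.internet_exposed and f.cvss >= 7.0:
        return TIER_UNTESTED_EXPOSED
    return TIER_LOW


def prioritize(findings: Iterable[Finding],
               sims: Iterable[SimResult]) -> list[Finding]:
    """Order findings by (tier, cvss, exposure), most urgent first."""
    by_pair: dict[tuple[str, str], list[SimResult]] = defaultdict(list)
    for r in sims:
        by_pair[(r.asset, r.vuln_id)].append(r)

    def key(f: Finding) -> tuple[int, float, bool]:
        evidence = by_pair.get((f.asset, f.vuln_id), [])
        return (tier_for(f, evidence), f.cvss, f.internet_exposed)

    return sorted(findings, key=key, reverse=True)


def cvss_only(findings: Iterable[Finding]) -> list[Finding]:
    """Baseline for comparison: severity score alone."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample data (assumed, not from any real scan).
FINDINGS = [
    Finding("vpn-gw-01", "VULN-A", 9.8, True),   # simulated, not blocked
    Finding("vpn-gw-02", "VULN-A", 9.8, True),   # simulated, blocked twice
    Finding("web-01",    "VULN-B", 8.1, True),   # never simulated, exposed
    Finding("db-01",     "VULN-C", 9.1, False),  # never simulated, internal
    Finding("file-01",   "VULN-D", 5.3, False),
]
SIMS = [
    SimResult("vpn-gw-01", "VULN-A", 5437, blocked=False),
    SimResult("vpn-gw-02", "VULN-A", 5437, blocked=True),
    SimResult("vpn-gw-02", "VULN-A", 5442, blocked=True),
]


def ranked_assets(findings: Iterable[Finding], sims: Iterable[SimResult]) -> list[str]:
    """Asset names in risk-based order; handy for reports and tests."""
    return [f.asset for f in prioritize(findings, sims)]


if __name__ == "__main__":
    print("CVSS only  :", [f.asset for f in cvss_only(FINDINGS)])
    print("Risk based :", ranked_assets(FINDINGS, SIMS))
```

The internal host db-01 carries a 9.1 score and sits second in the CVSS-only list, yet drops below both a confirmed-exploitable gateway and an untested exposed web server once simulation evidence and exposure are taken into account; the blocked gateway vpn-gw-02 keeps its 9.8 score but moves down because a control already stops the tested attack paths.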

What you should do now

The new attack methods for US-CERT Alert AA20-259A are already in the SafeBreach Hacker's Playbook and ready to be run across your simulators. The Known Attack Series report has been updated so you can run the specific attacks from this alert: in the Known Attack Series report, select the US-CERT Alert AA20-259A (Iran-Based Threat Actor) report and click Run Simulations to run all of the attack methods listed above.
