The US Federal Bureau of Investigation (FBI) has released a warning outlining the TTP (tactics, techniques, and protocols) of Iran-based Emennet Pasargad, reportedly a cybersecurity and intelligence firm servicing Iranian government agencies, to help recipients inform and defend themselves against the group’s malicious activities.
In the FBI’s Private Industry Notification, the agency confirms that two Iranian nationals employed by Emennet were charged with cyberintrusion and fraud, voter intimidation, interstate threats, and conspiracy by the US Department of Justice.
Additionally, the Department of Treasury Office of Foreign Assets Control alleges that Emennet, along with the two accused Iranian nationals, attempted to influence the 2020 US presidential elections.
The notification pointed out that Emennet ran an interference campaign in the election, obtaining confidential voter information from state election websites, sending intimidating emails to voters, crafting and distributing misinformation videos about voting vulnerabilities, and hacking into media companies’ computer networks. During the campaign, the bad actors masqueraded as members of the Proud Boys, an American far-right, neofascist, and exclusively male organization.
“This interference campaign digs to the very sanctity of American democracy as these actors intentionally posed as racist extremists to threaten and intimidate people,” says Liz Miller, an analyst at Constellation Research. “This is when cyberattacks are really just the ammunition of choice in a far more dangerous game.”
Emennet has also been linked to previous cyberintelligence and hacking operations, mostly using false-flag personas like “Yemen Cyber Army” in 2018.
FBI describes cyberintelligence, hacking tactics
A tactic Emennet has been known for is conducting reconnaissance on potential targets, then working to identify any entry points including vulnerable software or systems, according to the notice. This is generally done by first conducting a random web search like “top American news site” and then scanning the resulting websites’ network assets for vulnerabilities.
The FBI’s PIN, issued last week, lists the most common and recent CVEs (common vulnerabilities and exposures) Emennet has been found to exploit, which include:
- CVE-2019-0232: A Windows-specific command-line argument vulnerability in the CGI Servlet of Apache Tomcat ( versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93) that allows RCE (remote code execution).
- CVE 2019-9546: This vulnerability allows privilege escalation through the RabbitMQ service on SolarWinds Orion Platform before 2018.
- CVE-2018-1000001: A confusion vulnerability in the usage of getcwd() by realpath() in glibc 2.26 and earlier that could allow potential code execution.
- CVE-2018-7600: allows arbitrary code execution by attackers due to a default module configuration of Drupal (in 7x,8.3x,8.4x and 8.5x before 7.58, 8.3.9, 8.4.6, and 8.5.1 respectively).
- CVE-2017-5963: allows arbitrary HTML and script code execution in caddy before 7.2.10 due to a vulnerability arising from insufficient filtration of user-supplied data.
Each one of these vulnerabilities has been patched in subsequent updates by the providers.
“Although not essentially a more significant threat than the others out there, the fact that Emennet exploits ‘fairly common’ systems and applications like WordPress, Drupal, Apache Tomcat, is exactly why the private industry should sit up and take notice,” says Miller. “Commonplaces are easily overlooked.”
Emennet’s use of open-source tools like web pages running PHP code or pages with externally accessible MySQL databases provide a solid insight for the private sector into attack techniques and vulnerable networks and systems, according to Miller.
To obfuscate their tracks, Emennet is believed to use VPN services like TorGuard, CyberGhost, NordVPN, and Private Internet Access.
The group, additionally, demonstrated interest in leveraging bulk SMS services for their mass-dissemination propaganda. The FBI added that Emennet poses a broad cybersecurity threat with possible exploitation activities spanning several sectors including news, shipping, travel (hotels and airlines), power, and telecommunications.
Recommendations include basics like firewalls, patching
The FBI recommends enabling and updating antimalware and antivirus software, adopting effective threat detection services at the network, device, operating system, application, and email service levels, and considering reputable hosting and CMS (content management system) services for configuring external-facing applications, in addition to identifying and patching the mentioned CVEs.
Employing a Web application firewall (WAF) and exercising CMS restrictions like disabling remote file editing, file execution to specific directories, and limiting login attempts, are also advised as a few basic-level precautions.
“Reports issued by federal agencies, especially like this notice on attack vectors, bad actor behaviors, and TTP patterns is yet another critical layer of intelligence and information that everyone involved in security should access and include in their information gathering,” says Miller. “Other than the most obvious and basic recommendations provided in the notice, CISOs must make a note of all the critical CVEs identified in the document”.