The FBI Cyber Division issued a flash security alert earlier this month with additional indicators of compromise from recent defacement attacks operated by Iranian threat actors and info on attackers' TTPs to help administrators and users to protect their websites.

The Cybersecurity and Infrastructure Security Agency (CISA) also published a reminder on the same day to provide cybersecurity best practices on safeguarding websites from cyberattacks that could lead to defacement or data breaches.

FBI's ML-000115-TT flash alert from January 21 follows a previous flash message issued on January 10 and detailing "indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs) associated with the reported pro-Iranian website defacement activity."

The FBI recommends individuals and organizations that might potentially be affected by Iranian cyber activity to also review its "Notice on Iranian Cyber Tactics and Techniques" Private Industry Notification (PIN) released on January 9 for more info on attacks abusing the CVE-2019-11510 Pulse Secure bug.

FBI ML-000115-TT flash alert

Pro-Iranian site defacement IOCs

While monitoring ongoing website defacement activity, the FBI detected additional IOCs including files dropped on hacked web servers and strings that can help detect suspicious activity and already compromised sites.

The FBI stated that some of the common strings seen in pro-Iranian defaced sites are:

• Hacked By Liosion_team, Defacer, Hacker, Hacked, Hacked By, Mrb3hz4d
• Hacked By Iranian_Hackers
• Hacked BY Mrb3hz4d & MR_Liosion & H43ER & T4arik[J3N] & NikbinHK & ImanGorji & EbRaHiM-VaKeR & Perilous Man & BigNorouzi
• Official Teams: Liosion Team & Storm Security Team
• TelegramID==> @Mrb3hz4d
• Warning: This game will have a tough end.
• Down With USA

The FBI also identified the following files being associated with Iranian website defacement activity:

• 3.php
• iran.php
• wp-gdipt.php
• wp-muen.php
• wp-updatee.php
• jsspwned.php
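As an added example (not part of the FBI alert or this article), the following Python script turns the two IOC lists above into a read-only scan of a web root: it flags files whose names match the listed filenames and files whose contents contain any of the listed defacement strings. The file extensions scanned, the size cap, and the sample web root it builds for demonstration are assumptions; the IOC values themselves are the ones quoted on the page.

```python
import os
import tempfile
from pathlib import Path

# Filenames the FBI flash alert associates with the defacement activity (from the page).
IOC_FILENAMES = {
    "3.php", "iran.php", "wp-gdipt.php", "wp-muen.php", "wp-updatee.php", "jsspwned.php",
}

# Strings the alert lists as common in defaced pages (from the page); matched case-insensitively.
IOC_STRINGS = [
    "Hacked By Liosion_team",
    "Hacked By Iranian_Hackers",
    "Mrb3hz4d",
    "Liosion Team",
    "Storm Security Team",
    "TelegramID==> @Mrb3hz4d",
    "Warning: This game will have a tough end.",
    "Down With USA",
]

# Assumed scan policy: only text-like files, and skip anything over 5 MB.
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".txt"}
MAX_BYTES = 5 * 1024 * 1024


def scan_webroot(root):
    """Walk `root` and return a list of (path, reason) findings without modifying anything."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in IOC_FILENAMES:
                findings.append((str(path), f"IOC filename: {name}"))
            if path.suffix.lower() not in SCAN_EXTENSIONS:
                continue
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            lowered = data.decode("utf-8", errors="ignore").lower()
            for marker in IOC_STRINGS:
                if marker.lower() in lowered:
                    findings.append((str(path), f"IOC string: {marker}"))
    return findings


def build_sample_webroot(base):
    """Constructed sample web root: one clean page, one defaced page, one IOC-named file."""
    base = Path(base)
    (base / "assets").mkdir(parents=True, exist_ok=True)
    (base / "index.html").write_text("<html><body>Welcome to the site</body></html>")
    (base / "assets" / "index.php").write_text(
        "<h1>Hacked By Iranian_Hackers</h1><p>Down With USA</p>"
    )
    (base / "wp-muen.php").write_text("<?php echo 'sample'; ?>")
    return base


def run_demo():
    """Build the constructed sample web root in a temp dir and scan it."""
    base = build_sample_webroot(tempfile.mkdtemp())
    return scan_webroot(base)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason}\t{path}")
```

On a real server, run the scan as an unprivileged user and treat hits as a starting point for triage (check web server access logs around the file's modification time), not as proof of compromise: a benign page may legitimately mention one of these strings.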

FBI's Cyber Division also shared IP addresses associated with actors behind pro-Iranian defacement attacks or with SQL injection attacks observed during such hacking attempts.

"The FBI identified malicious actors leveraging known vulnerabilities in CMSs to upload defacement images onto victim websites," the previous flash message on pro-Iranian defacement activity said.

"The FBI believes one actor leveraged known vulnerabilities allowing remote execution via cookie and remote installation. [..]

The FBI notes different actors conducted website defacement activity with pro-Iranian messages. As such, the IP addresses and techniques used will vary."

Network security and defense best practices

Besides the National Institute of Standards and Technology (NIST) guides on how to secure public web servers and web services shared by CISA as part of its reminder, the FBI's Cyber Division also provides its own best practices.

Thus, it advises always keeping apps and the underlying operating system up to date to have them patched against all known security flaws, as well as making regular backups and having a change management policy in place to be able to quickly detect malicious alterations of any file on your web servers.
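The change-management advice above comes down to knowing what every file on the web server hashed to before an incident. As an added example (not code from the FBI or CISA), the Python below builds a SHA-256 baseline of a document root, stores it as JSON, and later reports files that were added, removed or modified. The sample directory it constructs and the decision to skip symlinks are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (relative path) under `root` to its hash. Symlinks are skipped (assumption)."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline, dest):
    # The baseline should live off the web server (or on read-only media); an attacker
    # who can rewrite web files can otherwise rewrite the baseline too.
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare_baseline(root, baseline):
    """Return added/removed/modified relative paths compared with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in set(current) & set(baseline) if current[name] != baseline[name]
        ),
    }


def run_demo():
    """Constructed scenario: take a baseline, then simulate a defacement and a dropped file."""
    root = Path(tempfile.mkdtemp())
    (root / "css").mkdir()
    (root / "index.html").write_text("<html><body>Welcome</body></html>")
    (root / "css" / "site.css").write_text("body { color: black; }")
    (root / "about.html").write_text("<html><body>About us</body></html>")

    store = root.parent / (root.name + ".baseline.json")
    save_baseline(build_baseline(root), store)

    # Simulated changes after the baseline was taken.
    (root / "index.html").write_text("<html><body>defaced page</body></html>")  # modified
    (root / "iran.php").write_text("<?php ?>")                                  # added
    (root / "about.html").unlink()                                              # removed

    return compare_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Scheduling the comparison from a host that is not the web server (for example, over a read-only mount or from backup snapshots) and alerting on any non-empty result gives the quick detection of altered files that the FBI's advice is aiming for.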

The FBI also recommends utilizing "user input validation to restrict local and remote file inclusion vulnerabilities," and setting up a least-privileges policy on the webserver to limit attackers' privilege escalation attempts and blocking file creation and execution in select folders.
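The "user input validation to restrict local and remote file inclusion" recommendation is best shown as code. The following is an added example in Python, not the FBI's code or any CMS's: a naive include resolver that joins user input onto a template directory is shown beside a hardened version that rejects URL-like input, enforces an allowlist pattern on the name, and confirms the resolved path still sits under the template directory (so symlinks cannot escape it). The allowed-name pattern and the sample directory layout are assumptions.

```python
import re
import tempfile
from pathlib import Path


class IncludeRejected(Exception):
    """Raised when a requested include fails validation."""


def resolve_include_unsafe(template_dir, requested):
    """The vulnerable pattern: trust the request and join it onto the directory.
    '../' sequences and absolute paths escape the directory (local file inclusion)."""
    return Path(template_dir) / requested


# Assumed policy: a bare file name of letters, digits, '-' or '_' with a .php or .html suffix.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:php|html)")


def resolve_include_safe(template_dir, requested):
    """Hardened resolver: return the real path of an includable file or raise IncludeRejected."""
    # Remote file inclusion: refuse anything carrying a scheme or UNC-style prefix outright.
    if "://" in requested or requested.startswith(("//", "\\\\")):
        raise IncludeRejected("remote or network path")
    # Allowlist the name before touching the filesystem; this also excludes '/', '\\' and '..'.
    if not SAFE_NAME.fullmatch(requested):
        raise IncludeRejected("name not in allowed pattern")
    base = Path(template_dir).resolve()
    target = (base / requested).resolve()
    # Defence in depth: even an allowed name must resolve beneath the template directory.
    if base not in target.parents:
        raise IncludeRejected("resolves outside template directory")
    if not target.is_file():
        raise IncludeRejected("not a regular file")
    return target


def run_demo():
    """Constructed layout: templates/header.php plus a secret file one level up.
    Returns, per request, what the unsafe resolver would read and how the safe one decides."""
    root = Path(tempfile.mkdtemp())
    templates = root / "templates"
    templates.mkdir()
    (templates / "header.php").write_text("<?php /* legitimate header */ ?>")
    (root / "config.ini").write_text("db_password=constructed-sample")
    # A symlink inside the template dir pointing outside it (an escape the regex alone misses).
    link = templates / "cfg.html"
    try:
        link.symlink_to(root / "config.ini")
    except OSError:
        pass  # filesystems without symlink support just skip this case

    requests = ["header.php", "../config.ini", "http://example.invalid/shell.txt", "cfg.html"]
    report = {}
    for req in requests:
        unsafe_target = resolve_include_unsafe(templates, req)
        unsafe_exists = unsafe_target.resolve().is_file()
        try:
            resolve_include_safe(templates, req)
            verdict = "allowed"
        except IncludeRejected as exc:
            verdict = f"rejected: {exc}"
        report[req] = {"unsafe_would_read_existing_file": unsafe_exists, "safe": verdict}
    return report


if __name__ == "__main__":
    for req, outcome in run_demo().items():
        print(req, outcome)
```

The same three checks (no scheme, allowlisted name, resolved path confined to the directory) apply regardless of language; in PHP the equivalent is validating against an allowlist and comparing `realpath()` of the candidate with the template directory before any `include`.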

Disabling and blocking all unneeded ports and services is also suggested, as is restricting necessary ones where this is possible.

FBI also urges potential targets of pro-Iranian defacement attacks to implement the following additional measures:

• If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
• Use a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
• Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day attacks, it will highlight possible areas of concern.
• Deploy a Web application firewall, and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

Previous FBI alerts

The FBI said in another flash security alert that nation-state actors have hacked a US municipal government and a US financial entity by exploiting a critical Pulse Secure VPN server vulnerability.

An additional flash alert issued on the same day said that nation-backed threat actors were able to breach two other US municipalities by exploiting the CVE-2019-0604 SharePoint vulnerability, as ZDNet reported.

In a Private Industry Notification (PIN) from November 2019, the FBI Cyber Division warned private industry partners of cyberattacks against the US automotive industry targeting sensitive corporate and enterprise data.

During October, the FBI's Internet Crime Complaint Center (IC3) also published a public service announcement (PSA) on the increasing number of high-impact ransomware attacks targeting U.S. organizations.
