Tenable’s Research Special Operations team focuses on some frequently asked questions about Iranian cyber operations, including the tactics, techniques and procedures employed by Iran-based threat actors.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Iranian cyber operations in the wake of the recent conflict and warnings from U.S. government agencies, including the Department of Homeland Security (DHS), about potential retaliatory attacks from cyber actors affiliated with the Iranian government as well as hacktivists.
This FAQ provides a focused analysis of Iranian state-sponsored cyber threats, detailing the types of threats used by Advanced Persistent Threat (APT) groups, tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework and the specific vulnerabilities they consistently exploit. We also provide guidance about Tenable product coverage you can use to reduce your cyber exposure to these threats.
FAQ
Has there been an increase in threat activity related to Iran-based threat actors?
While there have been ample warnings from U.S. government agencies about retaliatory attacks, we’re also seeing a slight increase in reported activity by threat actors. Reports have cited that threat actors have begun targeting U.S. finance, defense, and energy sectors. While this activity has been limited to distributed-denial-of-service (DDoS) attacks, there have also been recent reports of an increase in targeted phishing attacks.
Which threat actors are believed to be Iran-based or linked to the Iranian government?
In recent years, several Iran-based groups have been identified by security vendors and U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). In some alerts, threat activity has been linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), while other APT groups and hacktivist groups have been identified as having ties to Iran. The table below outlines the groups and known activities linked to them. While this is not an exhaustive list of all known APTs and threat actors known to have previously been attributed to Iran, these groups have been recent subjects of CISA and other U.S. government alerts and have been featured in reports from multiple security vendors.
What are the vulnerabilities that have been targeted by Iranian threat actors?
The following table contains a list of CVEs that have been known to be exploited by Iran-based threat actors. This list of CVEs covers a wide range of commonly exploited vulnerabilities that have also been abused by a wide variety of threat actors beyond just Iran-based APTs or state-sponsored actors.
| CVE | Description | CVSSv3 Score | VPR |
|---|---|---|---|
| CVE-2017-11774 | Microsoft Outlook Security Feature Bypass Vulnerability | 7.8 | 8.9 |
| CVE-2018-13379 | Fortinet FortiOS SSL VPN Web Portal Path Traversal Vulnerability [1] [2] [3] | 9.8 | 9.0 |
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution (RCE) Vulnerability [1] | 9.8 | 8.9 |
| CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure [1] [2] [3] [4] | 10.0 | 8.1 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal [1] [2] [3] [4] [5] [6] [7] [8] [9] | 9.8 | 8.9 |
| CVE-2019-5591 | Fortinet FortiOS Default Configuration [1] [2] | 6.5 | 6.6 |
| CVE-2020-12812 | Fortinet FortiOS Improper Authentication [1] [2] | 9.8 | 8.9 |
| CVE-2020-1472 | Windows Netlogon Elevation of Privilege (EoP) Vulnerability (Zerologon) [1] [2] [3] [4] [5] | 10 | 10 |
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) [1] [2] [3] | 6.6 | 6.6 |
| CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) [1] [2] [3] | 9.8 | 9.2 |
| CVE-2021-34523 | Microsoft Exchange Server EoP (Part of ProxyShell) [1] [2] [3] | 9.0 | 9.6 |
| CVE-2021-44228 | Apache Log4j RCE (Log4Shell) [1] [2] [3] [4] | 10 | 10 |
| CVE-2021-45046 | Apache Log4j2 Denial of Service (DoS) and RCE [1] [2] | 9.0 | 8.1 |
| CVE-2021-45105 | Apache Log4j2 DoS [1] [2] | 5.9 | 6.6 |
| CVE-2022-1388 | F5 Networks F5 BIG-IP Authentication Bypass Vulnerability [1] [2] [3] | 9.8 | 9.0 |
| CVE-2022-26134 | Atlassian Confluence Server and Data Center OGNL Injection [1] [2] | 9.8 | 9.6 |
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) [1] [2] [3] | 7.8 | 9.8 |
| CVE-2022-42475 | Fortinet ForiOS Heap-Based Buffer Overflow [1] [2] | 9.8 | 8.9 |
| CVE-2022-47966 | Zoho ManageEngine RCE [1] | 9.8 | 9.7 |
| CVE-2022-47986 | IBM Aspera Faspex RCE | 9.8 | 9.0 |
| CVE-2023-27350 | PaperCut NG Authentication Bypass | 9.8 | 9.0 |
| CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and Netscaler Gateway) Unauthenticated RCE Vulnerability [1] [2] | 9.8 | 9.0 |
| CVE-2023-38831 | RARLAB WinRAR Arbitrary Code Execution | 7.8 | 9.7 |
| CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability [1] [2] | 8.2 | 6.7 |
| CVE-2023-6448 | Unitronics VisiLogic Default Administrative Password | 9.8 | 7.4 |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability [1] [2] [3] | 9.1 | 9.8 |
| CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability [1] [2] | 8.6 | 7.1 |
| CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability [1] [2] | 7.0 | 9.6 |
| CVE-2024-3400 | Palo Alto PAN-OS Command Injection Vulnerability [1] [2] | 10.0 | 10.0 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 27 and reflects VPR at that time.
Has Tenable released any product coverage for these vulnerabilities?
The CVEs covered in this blog have product coverage from Tenable. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:
These links will display all available plugins for the listed vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to plugin coverage, the tables below highlight additional Tenable product coverage for the MITRE ATT&CK IDs that are known to be associated with Iran-based threat actors.
Tenable attack path techniques
Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
Tenable Web App Scanning
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1190 | Exploit Public-Facing Application | T1190_WAS |
Tenable OT Security
| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T0812 | Exploit Public-Facing Application | T0812_ICS |
What else should I do to remain secure?
Cyber hygiene is even more critical in the face of heightened awareness than it is in normal times. Many of the attacks stemming from Iranian-sponsored threat actors mirror tactics used by other cyber actors, including exploiting software and devices that use weak authentication. Attacks have also targeted operational technology (OT) devices. To strengthen your cyber defenses, we recommend:
- Using strong passwords and enforcing a strong password policy
- Enabling multi-factor authentication (MFA)
- Changing default passwords, especially on OT hardware
- Patching vulnerabilities in assets exposed to the internet
- Identifying and prioritizing your most valuable assets for remediation
- Developing a remediation plan and continuing to test and improve it
Get more information
Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.