Posts

Attacker: Actor – Mabna Institute / Silent Librarian

The Mabna Institute, also known as the threat actor “Silent Librarian” (Phishlabs), is a group of nine Iranian citizens that have been charged in a computer hacking campaign. The campaign compromised various targets, such as US and foreign universities, private companies, and US government entities. Several specific targets were identified by PhishLabs and the FBI, and they include the US Department of Labor, the Federal Energy Regulatory Commission, the Los Alamos National Laboratory, and the Memorial Sloan Kettering Cancer Center. According to the FBI, the campaign has been ongoing for about four years and has compromised 144 US based universities and 176 foreign universities. According to Phishlabs, the tactics of the phishing campaigns used to compromise these entities barely changed over time. Targeted users were sent emails stating their library account was expiring. The users were then directed to a link which was a redirect to a phishing page requesting a username and password.

Proficio Threat Intelligence Recommendations:

  • User phishing training usually helps mitigate risk against users falling for basic types of phishing campaigns.

Phislabs technical analysis of the campaign – Click Here

FBI release on individuals wanted – Click Here

Method: TA 18-086A: Brute Force Attacks / Password Spraying

In March 2018, the Department of Justice indicted nine Iranian nationals for conducting brute force style attacks against organizations in the United States utilizing a technique referred to as “Password Spraying”.

Characteristically, brute force attacks attempt to authenticate credentials by guessing the password of a single user account, however accounts now will typically lock out after a handful of failed attempts. “Password Spraying” attempts to successfully authenticate using easy-to-guess passwords against multiple user accounts. This technique reduces the chance of triggering red flags for multiple failed attempts from a single user.

“Password Spray” attacks target single sign-on (SSO) and cloud-based applications that use federated authentication protocols in an attempt to hide malicious traffic. Federated authentication protocols are used in linking a person’s electronic identity across multiple identity management systems, which will also broaden the attacker’s scope to maximize access to intellectual property during a successful compromise.

Proficio Threat Intelligence Recommendations:

  • Implement strong password standards
  • Enable multi-factor authentication
  • Abstain from clicking non-validated email links

Alert TA 18-086A – Click Here