The Federal Bureau of Investigation (FBI) warned private industry partners of attempts by an Iranian threat actor to buy stolen information regarding US and worldwide organizations.
The warning came in a private industry notification (PIN) marked as TLP:AMBER, seen by BleepingComputer earlier this week.
According to the FBI, the threat actor will likely use the leaked data (e.g., emails and network info) bought from clear and dark web sources to breach the systems of related organizations.
The FBI says that US organizations that had data stolen and leaked online before should expect to be targeted in future attacks coordinated by this unnamed Iranian threat actor.
Organizations at risk are advised to take mitigation measures to block hacking attempts by securing Remote Desktop Protocol (RDP) servers, Web Application Firewalls, and Kentico CMS installations targeted by this adversary.
Among the Tactics, Techniques, and Procedures (TTPs) used in attacks by this threat actor since May 2021, the FBI mentions the use of auto-exploiter tools to compromise WordPress sites and deploy web shells, as well as breaching RDP servers and using them to maintain access to victims’ networks.
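One practical check for the WordPress web-shell activity the FBI describes is to look in web server access logs for PHP scripts being requested from the uploads directory, which WordPress normally serves only as static media. The script below is an added example written for this article, not code from the FBI notification or from BleepingComputer; the log lines it scans are constructed samples, and the IP addresses and file names in them are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample of combined-format access log lines (not taken from the article).
# One client fetches the login page, POSTs to admin-ajax, then starts hitting a PHP
# file under wp-content/uploads, which is where dropped web shells commonly land.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:08:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:08:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:08:01:19 +0000] "POST /wp-content/uploads/2021/06/cache.php HTTP/1.1" 200 1020 "-" "python-requests/2.25"
198.51.100.4 - - [10/Jun/2021:08:02:01 +0000] "GET /wp-content/uploads/2021/06/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:08:02:30 +0000] "GET /wp-content/uploads/2021/06/cache.php?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.25"
192.0.2.9 - - [10/Jun/2021:08:03:11 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Directories that should only ever serve static media on a WordPress install.
# A server-side script executing from here is a strong web-shell indicator.
UPLOAD_DIRS = ("/wp-content/uploads/",)


def parse_line(line):
    """Return the parsed fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_php_in_uploads(path):
    """True when the requested script (query string stripped) is a .php file under an uploads dir."""
    script = path.split("?", 1)[0].lower()
    return script.endswith(".php") and any(script.startswith(d) for d in UPLOAD_DIRS)


def find_webshell_indicators(log_text):
    """Scan access log text and return one finding per request for PHP inside the uploads tree."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if is_php_in_uploads(rec["path"]):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "ua": rec["ua"],
            })
    return findings


def source_summary(findings):
    """Count findings per client IP so the noisiest source is easy to spot."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_webshell_indicators(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("per-source:", dict(source_summary(hits)))
```

On a real host, feed the script your access log and review every hit: a PHP file under wp-content/uploads is almost never legitimate, and a successful (2xx) request to one that carries a query string is worth treating as an active web shell until the file has been inspected. The same rule can be enforced preventively by having the web server refuse to execute PHP from the uploads directory, which is the kind of WordPress hardening the FBI's mitigation advice points toward.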
This threat actor is also attempting to breach supervisory control and data acquisition (SCADA) systems with the help of common default passwords, according to the FBI.