Listen to this Post
Introduction:
In a recent disclosure by Resecurity, a lesser-known but persistent pro-Iranian threat actor, “Nasir Security,” has been identified targeting the energy sector across the Middle East, particularly in the Gulf Cooperation Council (GCC) states. Unlike sophisticated state-actor groups, Nasir Security relies on a combination of exaggerated claims and opportunistic supply chain compromises, utilizing business email compromise (BEC) and misconfigured cloud storage to gain initial access and exfiltrate data.
Learning Objectives:
- Understand the tactics, techniques, and procedures (TTPs) used by Nasir Security, including BEC, spearphishing, and supply chain infiltration.
- Learn how to identify and mitigate misconfigurations in cloud storage (AWS, Azure) that lead to data exfiltration.
- Implement security controls to harden public-facing applications and prevent initial access vectors used in such campaigns.
You Should Know:
- Simulating and Defending Against Business Email Compromise (BEC) and Spearphishing
Nasir Security’s primary method of entry involves spearphishing and impersonation to compromise supply-chain entities. Defenders must implement both technical controls and user training to combat this. Start by configuring DMARC, DKIM, and SPF for your domain to prevent email spoofing. On Windows, you can audit email rules to detect hidden forwarding mechanisms often used by attackers post-compromise.
To check for suspicious email forwarding rules in Microsoft 365 via PowerShell, an administrator can use:
Connect-ExchangeOnline Get-InboxRule -Mailbox "[email protected]" | Select-Object Name, ForwardTo, RedirectTo, DeleteMessage
If you suspect a user has been phished, revoke sessions immediately using Azure AD PowerShell:
Revoke-AzureADUserAllRefreshToken -ObjectId "user_object_id"
On Linux, analyze email headers for spoofing attempts using `grep` or awk. For simulated phishing campaigns, tools like GoPhish can be deployed on a Linux server (Ubuntu) to test user resilience:
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip unzip gophish-.zip sudo ./gophish
This step-by-step approach ensures that you are not only training users but also have the technical telemetry to detect and respond to successful compromises.
2. Securing Cloud Storage Against Misconfiguration and Exfiltration
The group targets misconfigured or insecure cloud storage to exfiltrate data. A common issue is publicly accessible S3 buckets or Azure Blob containers. To audit AWS S3 buckets for public access, use the AWS CLI:
aws s3api get-bucket-acl --bucket your-bucket-name aws s3api get-bucket-policy-status --bucket your-bucket-name
To block public access at the account level (recommended), run:
aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id your_account_id
For Azure, use Azure CLI to set the public access level to “blob” or “container” only when necessary, but prefer “private”:
az storage container set-permission --name container-name --public-access off --account-name storageaccountname
Additionally, enable logging and monitoring. In AWS CloudTrail, create a trail to log S3 data events:
aws cloudtrail put-event-selectors --trail-name your-trail --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::your-bucket-name/"]}]}]'
These commands ensure that unauthorized access attempts to cloud storage are logged and blocked before they can be used by groups like Nasir Security to claim “pseudo-leaks.”
3. Hardening Public-Facing Applications (Web Servers and VPNs)
Nasir Security exploits public-facing applications as an initial access vector. Whether it’s a misconfigured web application or a vulnerable VPN appliance, hardening these assets is critical. On a Linux (Ubuntu/Debian) web server, use `ufw` to restrict access and fail2ban to prevent brute force:
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp sudo ufw allow 80/tcp sudo ufw allow 443/tcp sudo ufw enable
Configure fail2ban for SSH and HTTP:
sudo apt install fail2ban sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo systemctl enable fail2ban
For Windows servers, ensure Internet Information Services (IIS) has URLScan or Request Filtering enabled to prevent directory traversal and injection attacks. Use PowerShell to install the Web-Server security module:
Install-WindowsFeature -Name Web-Server -IncludeManagementTools Install-WindowsFeature -Name Web-Filtering
A step-by-step guide involves auditing exposed services using tools like Nmap from a Linux machine to simulate an attacker’s reconnaissance:
nmap -sV -p- target_ip_address
If outdated services are discovered (e.g., Apache Struts or unpatched Exchange), patch them immediately or apply virtual patches via a Web Application Firewall (WAF).
4. Supply Chain Risk Assessment and Vendor Management
Since Nasir Security compromises supply-chain entities (engineering, safety equipment vendors) to pivot to major energy companies, organizations must enforce strict vendor risk management. Implement a policy requiring third-party vendors to adhere to your security standards. On a technical level, use vulnerability scanners like OpenVAS on Linux to assess vendor-exposed assets:
sudo apt-get install openvas sudo gvm-setup sudo gvm-start
While this doesn’t directly scan a vendor, it simulates the attack surface a hacker sees. More importantly, enforce network segmentation. On a Cisco router or firewall, create an ACL (Access Control List) that restricts vendor remote access to specific IPs and ports:
access-list 101 permit tcp host vendor_public_ip host internal_vendor_server eq 443 access-list 101 deny ip any any
For cloud environments, use AWS Security Groups or Azure Network Security Groups (NSGs) to enforce the principle of least privilege for any third-party integrations.
- Linux and Windows Commands for Investigating Exfiltration and Persistence
When investigating incidents like those claimed by Nasir Security, forensic commands are essential. On a compromised Linux endpoint, check for unusual cron jobs that might maintain persistence:crontab -l sudo cat /etc/crontab sudo ls -la /etc/cron.
Check for recently modified files, especially in /tmp or /var/tmp:
find / -type f -mtime -1 -ls 2>/dev/null | grep -v "/proc/"
On a Windows endpoint, use Sysinternals Autoruns to check for persistence mechanisms:
autorunsc.exe -a -c -nobanner > autoruns.csv
To detect data exfiltration, monitor network connections. On Windows, use `netstat` to spot established connections to suspicious IPs:
netstat -ano | findstr ESTABLISHED
Combine this with PowerShell to get process names:
Get-Process -Id (Get-NetTCPConnection -State Established).LocalPort
These commands help security analysts verify if an exfiltration attempt was successful, aligning with the “pseudo-leaks” narrative where the group may claim breaches without actual data theft.
What Undercode Say:
- Supply Chain is the New Frontline: Nasir Security’s focus on compromising contractors rather than direct oil majors highlights that security programs must extend beyond the primary corporate network to include third-party risk.
- Exaggeration as a Tactic: The “pseudo-leaks” approach shows that attribution and public claims are increasingly part of the operational narrative, requiring incident responders to verify data authenticity rather than reacting to hype.
- Automated Cloud Security is Non-Negotiable: The exploitation of misconfigured cloud storage underscores the need for Infrastructure as Code (IaC) scanning and automated remediation to prevent simple configuration errors from becoming major breaches.
- Defense Against Low-Tech Threats: Despite the group’s “lesser skilled” label, their reliance on BEC and spearphishing remains highly effective, proving that basic security hygiene and user awareness are still the most critical controls.
- Telemetry Over Claims: The ability to audit email rules, cloud storage logs, and network traffic provides the definitive truth needed to counter disinformation campaigns that aim to damage reputation through unverified leaks.
Prediction:
As groups like Nasir Security continue to operate with impunity, we will see a rise in “supply chain attribution warfare,” where the lines between hacktivism, espionage, and reputation damage blur. Energy sectors in geopolitically tense regions will face an increasing volume of low-sophistication but high-frequency attacks, forcing a shift toward continuous threat exposure management (CTEM) and mandatory third-party cyber ratings as a prerequisite for vendor contracts. The reliance on exaggerated leaks suggests that future attacks will prioritize psychological impact and media manipulation alongside technical compromise, making cyber resilience a matter of public relations as much as security operations.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mthomasson With – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
