General attention points from the Iranian #Cleaver cyber campaign
"The report also contains more than 150 indicators of compromise. In most cases, once Operation Cleaver has infiltrated an organization, it has deep access via Active Directory domain controllers and credentials and compromised VPN credentials. In most cases, they’re exploiting vulnerabilities in Windows, Adobe products, Apache, and Cisco VPNs, switches and routers. Its most successful campaigns via these avenues, Cylance said, have been against South Korean transportation networks, including airports and airlines. To date no zero-day exploits have been found, Cylance said.
"Cylance’s report also cautions that Operation Cleaver could have a special interest in airline and SCADA networks present in most critical industries. Overall, the campaign could be retaliation for Stuxnet, Duqu and Flame, Cylance said.
"“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”"
First, there is still some hesitation to actually attack the critical infrastructure of other countries.
Second, the importance of Active Directory and of securing it is demonstrated once again.
Third, without two-factor authentication you have no truly secure authentication.
Read the 80-page report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf