How Barracuda Managed XDR is keeping organizations safe amid cyber activity tied to Middle East conflict

Themen:

6. März. 2026

Active monitoring of evolving threats, proactive threat hunting across customer environments, continuously updated IoCs, and more

Takeaways

Barracuda Managed XDR’s global SOC saw a 10-fold increase in malicious network traffic from Iran to the United States on February 25, just before the start of the conflict.
The SOC team is operating at an elevated alert state, protecting customers from rapidly evolving risk.
Customers are also advised to reinforce essential security measures to manage risk.

Just before the start of the conflict in the Middle East, Barracuda Managed XDR’s global Security Operations Center (SOC) observed a notable increase in cyber activity, with a 10-fold rise in malicious traffic from Iran to the United States. This spike reflects the intense and widely reported cyber activity between Iran, its adversaries, their allies, and other countries. The threats continue to evolve.

To keep customers protected, the SOC team is currently operating at an elevated alert state of readiness and is actively conducting threat monitoring and proactive threat hunting across customer environments.

Monitoring and practical measures

The SOC continues to monitor the threat landscape and implement additional protective measures as the situation evolves.

The SOC is actively integrating into its threat intelligence platform all verified malicious threats that originate from or are linked to Iranian cyber actors — such as domains, IP addresses and URLs. The threat intelligence platform already holds around 14 billion indicators of compromise, including ones related to the current Middle East conflict.

Customer environments are scanned the moment a new threat is identified.

The security rules and detections for Barracuda Managed XDR’s Endpoint Detection and Response (EDR) solution, delivered through SentinelOne, are continuously updated with the latest intelligence.

Customers using the SentinelOne feature should consider activating Platform Detection Library rules, if they have not already done so, to further extend coverage.

The following EDR rules are shown to protect against currently known Iranian cyber operations:

Threat category	Rule name	Description
MuddyWater	Possible MuddyWater DLL Drop Consistent with Audio Driver Sideloading	Detects a dynamic-link library (DLL) being written in a manner used by the MuddyWater cyber espionage group
Credential dumping	Suspicious Task Creation for Credential Harvesting	Detects a task creation event that runs tools used for credential theft
	Python-Based Network Exploitation Tool	Detects Python-based hacking tools used for lateral movement and post-exploitation activities
	Potential LSASS Dumping Tools	Detects presenceof common tools used to dump credentials in Local Security Authority Subsystem Service (LSASS)
	Credential Dumping via Shadow Copy	Detects credential dumping via shadow copies
	Interactive NTDS Harvesting via VSS	Detects user-initiated attempts to harvest NTDS.dit via Volume Shadow Copy Service (VSS)
	Cached Domain Credential Dumping	Detects the listing of cached credentials using cmdkey.exe
Tunneling & remote access	Ngrok Domain Contacted	Detects DNS to ngrok domains
	Cloudflare Persistent Tunnel Establishment Detected	Detects Cloudflare persistent tunnel establishment
	Anomalous Process Initiating Cloudflare Tunnel Traffic	Detects unusual processes establishing a Cloudflare tunnel
Collection & exfiltration	Keylogging Script via PowerShell	Detects PowerShell using functions that could be used for keylogging
	Chromium Browser Info Stealer via Remote Debugging	Detects remote debugging on Chromium browsers being used for credential harvesting
	Browser Credential and Cookie Data Access Attempt	Detects credential and cookie access attempts
PowerShell/script abuse	PowerShell Script Execution via Time Based Integer IPv4	Detects PowerShell execution that runs remote scripts while using time-based integer IPv4
	Suspicious Usage of .NET Reflection via PowerShell	Detects .NET reflection from PowerShell scripts
	Encoded PowerShell Launching Command Line Download	Detects encoded PowerShell commands that launch a download
Defense evasion, impact, discovery	Potential DLL Sideloading in PerfLogs Directory	Detects DLL sideloading in PerfLogsdirectory
	Disk Data Wipe Attempt via Dd Utility	Detects use of dataset definition (dd) utility to wipe a disk
	Boot Configuration Tampering via BCDEdit	Detects modification of boot configuration data (BCD) to maximize disruption via BCDEdit
	BloodHound Active Directory Reconnaissance File Creation	Detects execution of BloodHound and alternative tools

Recommended security measures for all companies

Alongside the deep, 24/7 cyber resilient protection provided by a security solution such as Barracuda Managed XDR, there are practical steps that organizations can take to boost their cyber resilience during times of elevated risk. These include:

Network security

Implement country-level blocking at the firewall for regions where your organization doesn't conduct business
Disable public-facing implementations of the Remote Desktop Protocol (RDP), enforce multifactor authentication for all remote access and monitor logs for failed and unusual logins. Lock people out after three to five failed attempts and consider replacing RDP with virtual desktop infrastructure (VDI) instead of direct RDP
Check to see if there are any unused remote access ports and disable them if they are not in use
Implement network segmentation to limit lateral movement
Use privileged access workstations (PAWs) for administrative tasks

Firewall settings

Review all inbound and outbound firewall rules
Remove any rules that are set to “permit any”
Document and justify all external access rules
Pay special attention to rules allowing access from foreign IP ranges

Password policies

Enforce long (14 character) passwords
Require complexity: uppercase, lowercase, numbers, and special characters
Prevent password reuse and consider enforcing password updates every 60 to 90 days

Other essential measures

Prioritize software updates
Check the applications installed on all corporate devices and remove unauthorized or unnecessary applications
Pay special attention to remote access tools, such as TeamViewer and AnyDesk
Look for legitimate tools that could be abused – including PSExec and PowerShell ISE
Ensure your backup systems are isolated and tested, and maintain offline backups of critical data
Revisit and update your incident response plan

For further assistance, reach out to the Barracuda Managed XDR team to see how they can help.

Stop threats with 24/7 managed cybersecurity

Merium Khalid

Merium Khalid ist Director of SOC Offensive Security bei Barracuda. Merium verfügt über umfangreiche Erfahrung in der Datenanalyse, Bedrohungserkennung, Incident Response, Forschung und Entwicklung und vielem mehr. Ihr Team ist verantwortlich für die Leitung von Incident-Response-Triage-Anrufen, die Entwicklung erstklassiger Anwendungsfallerkennungen durch maschinelles Lernen, statische Abfragen, die Recherche und Implementierung neuer Plattformen und die Automatisierung von Arbeitsabläufen zum Schutz ihrer Kunden, um eine erstklassige Erfahrung zu bieten und sicherzustellen, dass die SOC-Analystenerfahrung erstklassig ist. Merium erhielt ihren Bachelor-Abschluss in Informatik von der SUNY Old Westbury und besitzt viele Jahre Erfahrung in der Leitung und Verwaltung von Sicherheitsoperationen.

Den Blog durchsuchen

Bericht über E-Mail-Sicherheitsverletzungen 2025

Wichtige Erkenntnisse über die Erfahrungen mit und Auswirkungen von E-Mail-Sicherheitsverletzungen auf Unternehmen weltweit

Zum Report

Der MSP Customer Insight Report 2025

Ein globaler Blick darauf, was Organisationen von ihren Cybersecurity Managed Service Providers benötigen und erwarten.

Zum Report