CISA Alert AA22-320A - Iranian APT Actors Target US Federal Network


On November 16, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) on Iranian government-sponsored APT actors that targeted a Federal Civilian Executive Branch (FCEB) organization [1]. In their cyber attack campaign, the Iranian threat actors exploited the Log4Shell vulnerability for initial access, installed the XMRig crypto miner, and used lateral movement attacks to infect more hosts in their victim’s network.

CISA advised organizations to validate their security controls against techniques and tools used by Iranian APT actors. Picus Labs added new attack simulations to the Picus Continuous Security Validation Platform to help organizations validate their security controls swiftly with a few clicks.

In this blog, we explain the techniques, tools, and malware used by the threat actors to compromise the FCEB organization’s network.


Crypto Miner Attack Against FCEB Organization

In April 2022, CISA discovered network traffic between an unnamed FCEB organization’s network and a known malicious IP address. Further investigation showed that threat actors gained initial access in February 2022 by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. After initial access, adversaries added an exclusion to Windows Defender and allowlisted certain directories to bypass virus scanning. Threat actors then downloaded malicious files for establishing persistence and cryptojacking attacks. 

Cryptojacking, also known as malicious crypto mining, is the unauthorized use of victims’ resources for mining cryptocurrencies. In this attack campaign, the Iranian APT actors downloaded the XMRig cryptocurrency mining software to the victim’s VMware Horizon server. The files related to the XMRig crypto miner and their hash values are given below.

File Name             Hash Value (MD5)
WinRing0x64.sys       0c0195c48b6b8582fa6f6373032118da
wuaucltservice.exe    6b8d058db910487ff90fe39e1dcd93b8
config.json           910350d4f72b7b25f4fbecfc08d815cd
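The hash table above is only useful if it is actually checked against the hosts you are worried about. The following Python sweep is an added example written for this post, not code from CISA or from the advisory: it hashes every file under a directory and reports content matches against the three MD5 values listed above, plus weaker name-only matches for files that carry the same names with different content. The demo() function builds a constructed directory with synthetic files (the directory, file names and contents are made up here; none are real XMRig components) so the sweep can be run and checked offline.

```python
import hashlib
import os
import tempfile

# MD5 values of the XMRig-related files listed in CISA AA22-320A, keyed by
# digest so that a renamed copy is still matched on content.
XMRIG_IOCS = {
    "0c0195c48b6b8582fa6f6373032118da": "WinRing0x64.sys",
    "6b8d058db910487ff90fe39e1dcd93b8": "wuaucltservice.exe",
    "910350d4f72b7b25f4fbecfc08d815cd": "config.json",
}

# File names from the same table, for a weaker name-only match (a recompiled
# miner changes the hash but often keeps the file name).
XMRIG_NAMES = {name.lower() for name in XMRIG_IOCS.values()}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=XMRIG_IOCS, names=XMRIG_NAMES):
    """Walk `root` and return findings as (path, md5, confidence, label).

    confidence "hash": file content matches a published IoC digest.
    confidence "name": only the file name matches (worth a look, not proof).
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it, don't abort the sweep
            if digest in iocs:
                findings.append((path, digest, "hash", iocs[digest]))
            elif filename.lower() in names:
                findings.append((path, digest, "name", filename))
    return findings


def demo():
    """Build a constructed directory tree and scan it.

    Returns (findings, digest_of_the_constructed_sample). Everything written
    here is synthetic stand-in data for the demo, not real malware.
    """
    root = tempfile.mkdtemp(prefix="aa22-320a-demo-")
    sample = b"constructed sample content standing in for a known-bad binary"
    sample_digest = hashlib.md5(sample).hexdigest()
    os.makedirs(os.path.join(root, "ProgramData", "svc"), exist_ok=True)
    # 1) content match: renamed file whose hash we add to the IoC table below
    with open(os.path.join(root, "ProgramData", "svc", "update.dat"), "wb") as fh:
        fh.write(sample)
    # 2) name-only match: same name as in the advisory, different content
    with open(os.path.join(root, "ProgramData", "config.json"), "wb") as fh:
        fh.write(b'{"constructed": true}')
    # 3) benign file that must not be reported
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    iocs = dict(XMRIG_IOCS)
    iocs[sample_digest] = "constructed-sample.bin"  # constructed IoC for the demo
    return scan_directory(root, iocs=iocs), sample_digest


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

A hash match is high confidence but narrow: it only catches the exact builds CISA observed, so treat the name-only matches and, more importantly, the behaviours described later in this post (Defender exclusions, scheduled tasks, new domain admin accounts) as the durable signals.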

Credential Dumping and Lateral Movement Attacks Against FCEB Organization

In the second part of their attack campaign, the Iranian APT actors moved from the compromised VMware Horizon server to a VMware VDI-KMS host using the Remote Desktop Protocol (RDP) and a built-in Windows user account. Then, they transferred the following tools to the compromised VDI-KMS host.

  • Mimikatz: a notorious credential dumping tool
  • PsExec: a Sysinternals tool that adversaries often abuse for lateral movement attacks.
  • ngrok: a reverse proxy tool that adversaries abuse for remote and encrypted access to victims’ internal assets.

Threat actors used Mimikatz to extract credentials and create a new domain administrator account. Using the malicious administrator account, adversaries accessed other hosts in the victim’s network and installed ngrok on multiple hosts for remote access and improved persistence. Finally, the APT actors were able to compromise the domain controller and list all machines in the compromised domain.

Validate Security Controls

CISA and FBI recommend organizations continuously validate their security controls against threat behavior mapped to the MITRE ATT&CK framework. The recommended methodology is as follows:

1. Select an ATT&CK technique

2. Align your security technologies against the technique

3. Test your technologies against the technique

4. Analyze your detection and prevention technologies’ performance

5. Repeat the process for all security technologies

6. Tune your security program

7. Repeat the whole process for other ATT&CK techniques

For more detailed information, please visit our blog post “How to Validate Your Security Controls Against APT Actors at Scale”.

Tools and TTPs Used by Iranian APT Actors in Crypto Mining and Credential Dumping Attacks

The Iranian APT actors targeting an FCEB organization with crypto mining and credential dumping attacks used the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:

1. Tactic: Initial Access & Persistence & Privilege Escalation

1.1 T1190 Exploit Public Facing Application

The Iranian threat actors gained access to a VMware Horizon server using the Log4Shell vulnerability. Please check our blog post “Simulating and Preventing CVE-2021-44228 Apache Log4j RCE Exploits” for more detailed information.

2. Tactic: Execution

2.1 T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries used the following PowerShell commands and scripts to impair Windows Defender and list the machines in the compromised network.

powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"

Example 1: Adding an exclusion to Windows Defender [1]

powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

Example 2: Listing the machines in the compromised domain [1]
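Both commands above leave a clear trace if PowerShell script block logging (Event ID 4104) is enabled. The following Python example is added here for this post (it is not CISA’s or Picus’s code): it runs three rules over constructed 4104-style log lines, one for the Defender exclusion (T1562.001), one for an encoded command (T1059.001) whose base64 it decodes from UTF-16LE the way PowerShell’s -EncodedCommand expects, and one for the domain-wide Get-ADComputer enumeration (T1018, referenced again in section 6.2). The host names, user names, output path and the base64 payload are all made up; the advisory only says the real encoded payload downloaded and executed the next stage, so a harmless Write-Host stands in for it.

```python
import base64
import re

# Constructed stand-in for the attackers' base64 stage-2 loader.
NEXT_STAGE_PLACEHOLDER = "Write-Host 'next-stage-placeholder'"
ENCODED = base64.b64encode(NEXT_STAGE_PLACEHOLDER.encode("utf-16-le")).decode("ascii")

# Constructed log lines in the shape of PowerShell script block logging
# (Event ID 4104) as a SIEM might flatten them. Hosts, users and the output
# path are made up; the command text follows the advisory.
SAMPLE_LOGS = [
    "2022-02-10T03:12:44Z host=HORIZON01 user=SYSTEM event=4104 ScriptBlockText="
    "powershell try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'}"
    " catch {Write-Host 'adding-exclusion-failed' }",
    "2022-02-10T03:12:45Z host=HORIZON01 user=SYSTEM event=4104 ScriptBlockText="
    f'powershell -enc "{ENCODED}"',
    "2022-02-11T09:01:02Z host=VDIKMS01 user=CORP\\svc_kms event=4104 ScriptBlockText="
    "powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address"
    " > C:\\Users\\Public\\hosts.txt",
    "2022-02-11T09:05:00Z host=VDIKMS01 user=CORP\\jdoe event=4104 ScriptBlockText="
    "Get-ChildItem C:\\Users\\jdoe\\Documents | Measure-Object",
]

# (compiled regex, ATT&CK technique named in the advisory, description).
# Group 1, when present, captures the base64 blob of an encoded command.
RULES = [
    (re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.I),
     "T1562.001", "Windows Defender exclusion added"),
    (re.compile(r"\s-e(?:c|nc|ncodedcommand)\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I),
     "T1059.001", "encoded PowerShell command"),
    (re.compile(r"\bget-adcomputer\s+-filter\s+\*", re.I),
     "T1018", "domain-wide computer enumeration"),
]


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; None if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(lines):
    """Return one finding dict per (line, rule) hit, in line order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pattern, technique, description in RULES:
            match = pattern.search(line)
            if not match:
                continue
            finding = {"line": lineno, "technique": technique, "description": description}
            if match.groups():  # only the encoded-command rule captures a blob
                finding["decoded"] = decode_encoded_command(match.group(1))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

The rules are deliberately tolerant of case and spacing but still keyed to the literal cmdlets seen in this campaign; for the exclusion in particular, Windows Defender also records configuration changes itself (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), which catches the change even when it is made from something other than PowerShell.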

3. Tactic: Persistence

3.1 T1053.005 Scheduled Task/Job: Scheduled Task

Adversaries created a scheduled task named “RuntimeBrokerService.exe” to execute the malware “RuntimeBroker.exe” daily with elevated privileges.

3.2 T1078.001 Valid Accounts: Default Accounts

The APT actors used a built-in Windows user account to move laterally from the compromised VMware Horizon server to a VMware VDI-KMS host.

3.3 T1098 Account Manipulation

Adversaries changed the credentials of local administrator accounts on compromised hosts.

3.4 T1136.001 Create Account: Local Account

The threat actors created local user accounts using the malware named “RuntimeBroker.exe”.

3.5 T1136.002 Create Account: Domain Account

The Iranian APT actors used extracted credentials to create a new domain administrator account.
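Sections 3.1 through 3.5 describe changes that Windows already audits: a scheduled task creation (Event ID 4698), account creation (4720), a member added to a privileged group (4728 for global groups such as Domain Admins, 4732 for local groups such as Administrators) and a password reset on another account (4724). The Python below is an added example for this post, not code from CISA or Picus, and works over constructed, already-parsed events; the account and host names are invented, while the task name and binary name are the ones the advisory reports. It flags an elevated task whose name ends in ".exe" (T1053.005), a freshly created account that lands in a privileged group within 15 minutes (T1136.002), and a password reset aimed at a local Administrator account (T1098).

```python
from datetime import datetime, timedelta

# Constructed Security/TaskScheduler events, already parsed into dicts.
# Account and host names are made up; task and binary names follow the advisory.
SAMPLE_EVENTS = [
    {"time": "2022-02-12T01:00:10", "id": 4698, "subject": "CORP\\svc_kms",
     "task": "\\RuntimeBrokerService.exe", "run_level": "HighestAvailable",
     "command": "C:\\ProgramData\\RuntimeBroker.exe"},
    {"time": "2022-02-12T01:04:00", "id": 4720, "subject": "CORP\\svc_kms",
     "target": "CORP\\helpdesk_tmp"},
    {"time": "2022-02-12T01:05:30", "id": 4728, "subject": "CORP\\svc_kms",
     "target": "CORP\\helpdesk_tmp", "group": "Domain Admins"},
    {"time": "2022-02-12T01:20:00", "id": 4724, "subject": "CORP\\helpdesk_tmp",
     "target": "VDIKMS01\\Administrator"},
    # ordinary account creation with no privilege change: must not alert
    {"time": "2022-02-12T08:00:00", "id": 4720, "subject": "CORP\\hr_admin",
     "target": "CORP\\new_hire"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CREATE_TO_PRIV_WINDOW = timedelta(minutes=15)


def detect_account_abuse(events):
    """Return findings (technique, detail, account/subject) in time order."""
    findings = []
    created_at = {}  # account -> time of its 4720 event
    for event in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        eid = event["id"]
        if eid == 4698:
            # Task names normally are not file names; an elevated task named
            # like an executable is the pattern the advisory describes.
            if event.get("run_level") == "HighestAvailable" and event["task"].lower().endswith(".exe"):
                findings.append({"technique": "T1053.005", "account": event["subject"],
                                 "detail": f"elevated task {event['task']} runs {event.get('command')}"})
        elif eid == 4720:
            created_at[event["target"]] = when
        elif eid in (4728, 4732) and event.get("group") in PRIVILEGED_GROUPS:
            born = created_at.get(event["target"])
            if born is not None and when - born <= CREATE_TO_PRIV_WINDOW:
                findings.append({"technique": "T1136.002", "account": event["target"],
                                 "detail": f"new account added to {event['group']} "
                                           f"{int((when - born).total_seconds())}s after creation"})
        elif eid == 4724 and event["target"].rsplit("\\", 1)[-1].lower() == "administrator":
            findings.append({"technique": "T1098", "account": event["subject"],
                             "detail": f"password reset on {event['target']}"})
    return findings


if __name__ == "__main__":
    for finding in detect_account_abuse(SAMPLE_EVENTS):
        print(finding)
```

The 4724 rule will also fire on legitimate helpdesk resets, so in production it is worth pairing it with an allowlist of accounts expected to reset local administrator passwords, or with the account-creation correlation above (here the reset comes from the account created minutes earlier, which is the stronger signal).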

4. Tactic: Defense Evasion

4.1 T1070.004 Indicator Removal on Host: File Deletion

Adversaries deleted the malicious PowerShell script “mde.ps1” used to download XMRig crypto miner software.

4.2 T1562.001 Impair Defenses: Disable or Modify Tools

The threat actors impaired Windows Defender by allowlisting certain directories. This action allowed them to download malicious tools without worrying about virus scans.

5. Tactic: Credential Access

5.1 T1003.001 OS Credential Dumping: LSASS Memory

The APT actors tried LSASS memory dumping techniques to harvest credentials. However, the antivirus in the victim’s host stopped this malicious action.

5.2 T1555 Credentials from Password Stores

Adversaries used Mimikatz to extract credentials from the compromised VMware VDI-KMS host.

6. Tactic: Discovery

6.1 T1016.001 System Network Configuration Discovery: Internet Connection Discovery

Adversaries used ping commands against “8.8.8.8” to check whether the compromised host had internet access.

6.2 T1018 Remote System Discovery

Adversaries used the PowerShell command given in “Example 2” to list machines in the compromised domain.

7. Tactic: Lateral Movement

7.1 T1021.001 Remote Services: Remote Desktop Protocol

The APT actors used RDP to access other hosts in the victim’s network.

8. Tactic: Command and Control

8.1 T1090 Proxy

The threat actors used ngrok to establish remote and encrypted access to the victim’s internal assets.

8.2 T1105 Ingress Tool Transfer

The APT actors downloaded the following tools to the victim’s network.

  • RuntimeBroker.exe
  • XMRig Crypto Miner
  • Mimikatz
  • PsExec
  • ngrok

How Does Picus Help Simulate Iranian APT Actors?

We also strongly suggest simulating Advanced Persistent Threats to test the effectiveness of your security controls against cyber attacks using the Picus Complete Security Validation Platform. You can test your defenses against infamous APT actors such as Lazarus, HAFNIUM, and DEV-0586 within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Iranian APT actors targeting the FCEB organization:

Threat ID   Action Name                                     Attack Module
21296       Apache Log4j Web Attack Campaign                Web Application
63158       XMRig Malware Downloader Email Threat           Email Infiltration
93377       XMRig Malware Downloader Download Threat        Network Infiltration
77752       XMRigMinerDropper Email Threat                  Email Infiltration
24052       XMrig Cryptocurrency Email Threat               Email Infiltration
27275       XMRigMinerDropper Worm Email Threat             Email Infiltration
90867       XMRigMinerDropper Download Threat               Network Infiltration
44668       XMrig Cryptocurrency Download Threat            Network Infiltration
48749       XMRigCC Cryptocurrency Miner Download Threat    Network Infiltration
47618       XMRigMinerDropper Worm Download Threat          Network Infiltration

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures:

Security Control       Signature ID   Signature Name
CheckPoint             0C3030049      Trojan.Win32.Miner.gen.TC.8de0QXAA
CheckPoint             08689B966      Trojan.PowerShell.Agent.si.TC.3573eARH
CheckPoint             0EAF380AB      Cryptominer.Win32.Crypto.TC.a
Cisco Firepower NGFW                  Auto.2FFE65.251551.in02
Forcepoint NGFW                       File-Exe_XMRig_CPU_Miner_Binary_File
Forcepoint NGFW                       File_Malware-Blocked
Fortigate IPS          6883379        Riskware/CoinMiner
McAfee                 4840C900       MALWARE: Malicious File Detected by GTI
Snort IPS              1.50795.1      PUA-OTHER Win.Trojan.CoinMiner attempted download
Snort IPS              1.57103.1      OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] “Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-320a. [Accessed: Nov. 17, 2022]
