.svg)
.svg)
On November 16, 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) on Iranian government-sponsored APT actors that targeted a Federal Civilian Executive Branch (FCEB) organization [1]. In their cyber attack campaign, Iranian threat actors exploited the Log4Shell vulnerability for initial access, installed XMRig crypto miner, and used lateral movement attacks to infect more hosts in their victim’s network.
CISA advised organizations to validate their security controls against techniques and tools used by Iranian APT actors. Picus Labs added new attack simulations to the Picus Continuous Security Validation Platform to help organizations validate their security controls swiftly with a few clicks.
In this blog, we explained the techniques, tools, and malware used by the threat actors to compromise the FCEB organization’s network.
Simulate Advanced Persistent Threats with 14-Day Free Trial of Picus Platform
Crypto Miner Attack Against FCEB Organization
In April 2022, CISA discovered network traffic between an unnamed FCEB organization’s network and a known malicious IP address. Further investigation showed that threat actors gained initial access in February 2022 by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. After initial access, adversaries added an exclusion to Windows Defender and allowlisted certain directories to bypass virus scanning. Threat actors then downloaded malicious files for establishing persistence and cryptojacking attacks.
Cryptojacking, also known as malicious crypto mining, is the unauthorized use of victims’ resources for mining cryptocurrencies. In this attack campaign, Iranian APT actors downloaded XMRig cryptocurrency mining software to the victim’s Vmware Horizon server. Files and their hash values related to XMRig crypto miner are given below.
|
File Name |
Hash Value (MD5) |
|
WinRing0x64.sys |
0c0195c48b6b8582fa6f6373032118da |
|
wuaucltservice.exe |
6b8d058db910487ff90fe39e1dcd93b8 |
|
config.json |
910350d4f72b7b25f4fbecfc08d815cd |
Credential Dumping and Lateral Movement Attacks Against FCEB Organization
In the second part of their attack campaign, Iranian APT actors moved from the compromised VMware Horizon server to a VMware VDI-KMS host using a remote desktop protocol (RDP) and built-in Windows user account. Then, they transferred the following tools to the compromised VDI-KMS host.
- Mimikatz: a notorious credential dumping tool
- PsExec: a Sysinternals tool that adversaries often abuse for lateral movement attacks.
- ngrok: a reverse proxy tool that adversaries abuse for remote and encrypted access to victims’ internal assets.
Threat actors used Mimikatz to extract credentials and create a new domain administrator account. Using the malicious administrator accounts, adversaries accessed the other hosts in the victim’s network and installed ngrok on multiple hosts for remote access and improved persistence. And finally, the APT actors were able to compromise the domain controller and list all machines in the compromised domain.
Validate Security Controls
CISA and FBI recommend organizations continuously validate their security controls against threat behavior mapped to the MITRE ATT&CK framework. The recommended methodology is as follows:
1. Select an ATT&CK technique
2. Align your security technologies against the technique
3. Test your technologies against the technique
4. Analyze your detection and prevention technologies’ performance
5. Repeat the process for all security technologies
6. Tune your security program
7. Repeat the whole process for other ATT&CK techniques
For more detailed information, please visit our blog post “How to Validate Your Security Controls Against APT Actors at Scale”.
Tools and TTPs Used by Iranian APT Actors in Crypto Mining and Credential Dumping Attacks
The Iranian APT actors targeting an FCEB organization with crypto mining and credential dumping attacks used the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:
1. Tactic: Initial Access & Persistence & Privilege Escalation
1.1 T1190 Exploit Public Facing Application
The Iranian threat actors gain access to a VMware Horizon server using the Log4Shell vulnerability. Please check our blog post “Simulating and Preventing CVE-2021-44228 Apache Log4j RCE Exploits” for more detailed information.
2. Tactic: Execution
2.2 T1059.001 Command and Scripting Interpreter: PowerShell
Adversaries used the following PowerShell commands and scripts to impair Windows Defender and list the machines in the compromised network.
|
powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it" |
Example 1: Adding an exclusion tool to Windows Defender [1]
|
powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address > |
Example 2: Listing the machine in the compromised domain [1]
3. Tactic: Persistence
3.1 T1053.005 Scheduled Task/Job: Scheduled Task
Adversaries created a scheduled task named “RuntimeBrokerService.exe” to execute the malware “RuntimeBroker.exe” daily with elevated privileges.
3.2 T1078.001 Valid Accounts: Default Accounts
The APT actors used a built-in Windows user account to move laterally from the compromised VMware Horizon server to a VMware VDI-KMS host.
3.3 T1098 Account Manipulation
Adversaries changed the credentials of local administrator accounts on compromised hosts.
3.4 T1136.001 Create Account: Local Account
The threat actors created local user accounts using the malware named “RuntimeBroker.exe”.
3.5 T1136.002 Create Account: Domain Account
The Iranian APT actors used extracted credentials to create a new domain administrator account.
4. Tactic: Defense Evasion
4.1 T1070.004 Indicator Removal on Host: File Deletion
Adversaries deleted the malicious PowerShell script “mde.ps1” used to download XMRig crypto miner software.
4.2 T1562.001 Impair Defenses: Disable or Modify Tools
The threat actors impaired the Windows Defender by allowlisting certain directories. This action allowed them to download malicious tools without worrying about virus scans.
5. Tactic: Credential Access
5.1 T1003.001 OS Credential Access: LSASS Memory
The APT actors tried LSASS memory dumping techniques to harvest credentials. However, the antivirus in the victim’s host stopped this malicious action.
5.2 T1555 Credentials from Password Stores
Adversaries used Mimikatz to extract credentials from the compromised VMware VDI-KMS host.
6. Tactic: Discovery
6.1 T1016.001 System Network Configuration Discovery: Internet Connection Discovery
Adversaries use the following commands to check whether the compromised host has internet access by pinging “8.8.8.8”.
6.2 T1018 Remote System Discovery
Adversaries use the PowerShell command given in “Example 2” to list machines in the compromised domain.
7. Tactic: Lateral Movement
7.1 T1021.001 Remote Services: Remote Desktop Protocol
The APT actors used RDP to access other hosts in the victim’s network.
8. Tactic: Command and Control
8.1 T1090 Proxy
The threat actors used ngrok to establish remote and encrypted access to the victim’s internal assets.
8.2 T1105 Ingress Tool Transfer
The APT actors downloaded the following tools to the victim’s network.
- RuntimeBroker.exe
- XMRig Crypto Miner
- Mimikatz
- PsExec
- ngrok
How Picus Helps Simulate Iranian APT Actors?
We also strongly suggest simulating Advanced Persistent Threats to test the effectiveness of your security controls against cyber attacks using the Picus Complete Security Validation Platform. You can test your defenses against infamous APT actors such as Lazarus, HAFNIUM, and DEV-0586 within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Iranian APT actors targeting FCEB Organization:
|
Threat ID |
Action Name |
Attack Module |
|
21296 |
Apache Log4j Web Attack Campaign |
Web Application |
|
63158 |
XMRig Malware Downloader Email Threat |
Email Infiltration |
|
93377 |
XMRig Malware Downloader Download Threat |
Network Infiltration |
|
77752 |
XMRigMinerDropper Email Threat |
Email Infiltration |
|
24052 |
XMrig Cryptocurrency Email Threat |
Email Infiltration |
|
27275 |
XMRigMinerDropper Worm Email Threat |
Email Infiltration |
|
90867 |
XMRigMinerDropper Download Threat |
Network Infiltration |
|
44668 |
XMrig Cryptocurrency Download Threat |
Network Infiltration |
|
48749 |
XMRigCC Cryptocurreny Miner Download Threat |
Network Infiltration |
|
47618 |
XMRigMinerDropper Worm Download Threat |
Network Infiltration |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures:
|
Security Control |
Signature ID |
Signature Name |
|
CheckPoint |
0C3030049 |
Trojan.Win32.Miner.gen.TC.8de0QXAA |
|
CheckPoint |
08689B966 |
Trojan.PowerShell.Agent.si.TC.3573eARH |
|
CheckPoint |
0EAF380AB |
Cryptominer.Win32.Crypto.TC.a |
|
Cisco Firepower NGFW |
Auto.2FFE65.251551.in02 |
|
|
Forcepoint NGFW |
File-Exe_XMRig_CPU_Miner_Binary_File |
|
|
Forcepoint NGFW |
File_Malware-Blocked |
|
|
Fortigate IPS |
6883379 |
Riskware/CoinMiner |
|
McAfee |
4840C900 |
MALWARE: Malicious File Detected by GTI |
|
Snort IPS |
1.50795.1 |
PUA-OTHER Win.Trojan.CoinMiner attempted download |
|
Snort IPS |
1.57103.1 |
OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Complete Security Validation Platform.
References
[1] “Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-320a. [Accessed: Nov. 17, 2022]
