.svg)
.svg)
US CISA (Cybersecurity and Infrastructure Security Agency), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert (AA21-321A) on November 17, 2021, highlighting that ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the government of Iran.
According to the alert, since at least March 2021, this Iranian government-sponsored APT group has exploited Fortinet FortiOS vulnerabilities (CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379) and a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) to gain initial access to systems and deploy double-extortion ransomware. Therefore, this APT group is exfiltrating data in addition to encrypting files. The main target sector is the critical infrastructure sector, including transportation and public health.
In this blog, we analyzed tactics, techniques, and procedures utilized by this APT group to understand their attack methods and impact.
Tactics, Techniques, and Procedures (TTPs) used by the APT group
This section presents malicious behaviors of the Iranian government-sponsored APT group by categorizing them using the MITRE ATT&CK framework version 10.1.
1. Initial Access
1.1 MITRE ATT&CK T1190 Exploit Public-Facing Application
These Iranian government-sponsored APT actors exploit the following vulnerabilities to gain access to target environments:
|
CVE |
Affected Products |
Impact |
CVSS 3.1 Base Score |
|
SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below |
Improper Authentication, Operational Risk |
9.8 Critical |
|
|
Fortigate FortiOS 6.2.0 and below |
Information Disclosure |
6.5 Medium |
|
|
FortiOS 6.0 - 6.0.0 to 6.0.4 FortiOS 5.6 - 5.6.3 to 5.6.7 FortiOS 5.4 - 5.4.6 to 5.4.12 |
Path Traversal, Information Disclosure |
9.8 Critical |
|
|
Microsoft Exchange Server |
Remote Code Execution |
9.8 Critical |
2. Execution
2.1 MITRE ATT&CK T1047 Windows Management Instrumentation
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. Adversaries abuse WMI to execute a wide range of functions.
The threat actor has used SharpWMI, a C# implementation of various WMI functionality, including local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions.
2.2MITRE ATT&CK T1053.005 Scheduled Task/Job: Scheduled Task
The threat group has used task XML files named GoogleChangeManagement.xml and MicrosoftOutlookUpdater.xml to create scheduled tasks for executing malicious payloads. They have used the following task URIs: SynchronizeTimeZone, GoogleChangeManagement, MicrosoftOutLookUpdater, and MicrosoftOutLookUpdateSchedule.
|
3. Credential Access
3.1. MITRE ATT&CK T1003 OS Credential Dumping
The APT group has used the Mimikatz tool to obtain username and password information useful in gaining access to additional systems in the target network.
|
4. Privilege Escalation
The APT actor has used WinPEAS, a script that searches for possible paths to escalate privileges on Windows hosts.
|
5. Collection
5.1. MITRE ATT&CK T1560.001 Archive Collected Data: Archive via Utility
Utilizing third-party utilities, adversaries compress or encrypt data collected prior to exfiltration. This APT group has used WinRAR to archive collected data.
6.Exfiltration
6.1. MITRE ATT&CK T1048 Exfiltration Over Alternative Protocol
This threat actor has used File Transfer Protocol (FTP) over port 443 to exfiltrate collected data.
7. Impact
7.1. MITRE ATT&CK T1486 Data Encrypted for Impact
Threat actors may encrypt data on target systems or on a large number of systems connected to a network to disrupt the system and network resource availability. They can make stored data unusable by encrypting files or data on local and remote drives, which is typical behavior of ransomware. The government-sponsored APT actor has forced BitLocker activation to encrypt data.
How Picus Helps Simulate and Prevent the BlackMatter Ransomware
We strongly suggest simulating APT groups to test the effectiveness of your security controls against their attacks using the Picus Security Control Validation Platform.
Picus Threat Library includes the following threats for the vulnerabilities used by the APT group. It contains 2000+ vulnerability exploitation and endpoint attacks in addition to 11.000+ other threats as of November 18, 2021.
|
Picus ID |
Threat Name |
CVE |
|
545960 |
Fortinet FortiGate SSL VPN Arbitrary File Read Variant-1 |
CVE-2018-13379 |
|
666315 |
ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-1 |
CVE-2021-34473 |
|
440644 |
ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-2 |
CVE-2021-34473 |
|
319119 |
ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-3 |
CVE-2021-34473 |
Picus Threat Library also includes attacks for post-compromise malicious behavior of attackers. Moreover, Picus Mitigation Library provides ready-to-use vendor-specific or vendor-agnostic detection rules for each TTP for building a proactive defense against adversaries.
For example, the following table includes a threat simulating credential dumping using the Mimikatz tool and a detection rule in the Picus Mitigation Library that detects this threat.
|
Picus Threat Library - Threat |
Picus Mitigation Library - Detection Rule |
|
393510 Credential Dumping using Mimikatz Tool |
4920 Password and Hash Dump via Mimikatz |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address exploits used by the APT group.
|
Security Control |
Signature ID |
Signature Name |
|
FortiGate IPS |
50695 |
web_app3: MS.Exchange.Server.Common.Access.Token.Privilege.Elevation |
|
FortiGate IPS |
50584 |
web_app3: MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution |
|
Snort IPS |
1.58249.2 |
SERVER-WEBAPP Microsoft Exchange server security feature bypass attempt |
|
Snort IPS |
1.57907.4 |
SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt |
|
Snort IPS |
1.57907.3 |
SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt |
|
Palo Alto Networks NGFW |
91368 |
Microsoft Exchange Server SSRF Vulnerability |
|
Palo Alto Networks NGFW |
91651 |
Microsoft Exchange EwsAutodiscoverProxyRequestHandler Server Side Request Forgery Vulnerability |
|
F5 Advanced Web Application Firewall |
200018137 |
Microsoft Exchange ProxyShell SSRF |
|
F5 Advanced Web Application Firewall |
200018136 |
Microsoft Exchange ProxyShell Privilege Escalation |
|
McAfee’s Network Security Platform (IPS) |
0x45298b00 |
HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473) |
|
Forcepoint NGFW |
|
HTTP_CRL-Microsoft-Exchange-SSRF-CVE-2021-34473 |
|
Cisco Firepower NGFW |
1.58249.2 |
SERVER-WEBAPP Microsoft Exchange server security feature bypass attempt |
|
Cisco Firepower NGFW |
1.57907.4 |
SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt |
|
Trend Micro TippingPoint IPS |
39522 |
HTTP: Microsoft Exchange Server Autodiscover SSRF Vulnerability (PWN2OWN ZDI-21-821) |
IOCs (Indicators of Compromise)
SHA256 Hashes
c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4
5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6
4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D
604e7cee9b32160c8e1b4159536e9e50bccc033d36fc8010160a2aea432191e0
28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
Created Task URIs
SynchronizeTimeZone
GoogleChangeManagement
MicrosoftOutLookUpdater
MicrosoftOutLookUpdateSchedule
Created Account Names
Support
Help
elie
WADGUtilityAccount
