TTPs Used by the Iranian APT Exploiting Exchange and Fortinet Vulnerabilities

Keep up to date with latest blog posts

US CISA (Cybersecurity and Infrastructure Security Agency), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert (AA21-321A)  on November 17, 2021,  highlighting that ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the government of Iran. 

According to the alert, since at least March 2021, this Iranian government-sponsored APT group has exploited Fortinet FortiOS vulnerabilities (CVE-2020-12812CVE-2019-5591, and CVE-2018-13379) and a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) to gain initial access to systems and deploy double-extortion ransomware. Therefore, this APT group is exfiltrating data in addition to encrypting files. The main target sector is the critical infrastructure sector, including transportation and public health.

In this blog, we analyzed tactics, techniques, and procedures utilized by this APT group to understand their attack methods and impact.

Tactics, Techniques, and Procedures (TTPs) used by the APT group

This section presents malicious behaviors of the Iranian government-sponsored APT group by categorizing them using the MITRE ATT&CK framework version 10.1.

1.Initial Access


1.1     MITRE ATT&CK T1190  Exploit Public-Facing Application

These Iranian government-sponsored APT actors exploit the following vulnerabilities to gain access to target environments:

CVE

Affected Products

Impact

CVSS 3.1 Base Score

CVE-2020-12812

SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below

Improper Authentication, Operational Risk

9.8 Critical

CVE-2019-5591

Fortigate FortiOS 6.2.0 and below

Information Disclosure

6.5 Medium

CVE-2018-13379

FortiOS 6.0 - 6.0.0 to 6.0.4

FortiOS 5.6 - 5.6.3 to 5.6.7

FortiOS 5.4 - 5.4.6 to 5.4.12

Path Traversal, Information Disclosure

9.8 Critical

CVE-2021-34473

Microsoft Exchange Server 

Remote Code Execution

9.8 Critical

2.Execution


2.1     MITRE ATT&CK T1047 Windows Management Instrumentation

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. Adversaries abuse WMI to execute a wide range of functions.

The threat actor has used SharpWMI, a C# implementation of various WMI functionality, including local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions.

2.2MITRE ATT&CK T1053.005 Scheduled Task/Job: Scheduled Task

The threat group has used task XML files named GoogleChangeManagement.xml and MicrosoftOutlookUpdater.xml to create scheduled tasks for executing malicious payloads. They have used the following task URIs: SynchronizeTimeZone, GoogleChangeManagement, MicrosoftOutLookUpdater, and MicrosoftOutLookUpdateSchedule.


3.Credential Access


3.1.    MITRE ATT&CK T1003 OS Credential Dumping

The APT group has used the Mimikatz tool to obtain username and password information useful in gaining access to additional systems in the target network.

4.Privilege Escalation

The APT actor has used WinPEAS, a script that searches for possible paths to escalate privileges on Windows hosts.

5.Collection

5.1.    MITRE ATT&CK T1560.001 Archive Collected Data: Archive via Utility

Utilizing third-party utilities, adversaries compress or encrypt data collected prior to exfiltration. This APT group has used WinRAR to archive collected data. 

6.Exfiltration

6.1.    MITRE ATT&CK T1048 Exfiltration Over Alternative Protocol

This threat actor has used File Transfer Protocol (FTP) over port 443 to exfiltrate collected data.

7.Impact

7.1.    MITRE ATT&CK T1486 Data Encrypted for Impact

Threat actors may encrypt data on target systems or on a large number of systems connected to a network to disrupt the system and network resource availability. They can make stored data unusable by encrypting files or data on local and remote drives, which is typical behavior of ransomware. The government-sponsored APT actor  has forced BitLocker activation to encrypt data. 

How Picus Helps Simulate and Prevent the BlackMatter Ransomware

We strongly suggest simulating APT groups to test the effectiveness of your security controls against their attacks using the Picus Security Control Validation Platform.  

Picus Threat Library includes the following threats for the vulnerabilities used by the APT group. It contains 2000+ vulnerability exploitation and endpoint attacks in addition to 11.000+ other threats as of November 18, 2021.

Picus ID

Threat Name

CVE

545960

Fortinet FortiGate SSL VPN Arbitrary File Read Variant-1

CVE-2018-13379

666315

ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-1

CVE-2021-34473

440644

ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-2

CVE-2021-34473

319119

ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-3

CVE-2021-34473

Picus Threat Library also includes attacks for post-compromise malicious behavior of attackers. Moreover, Picus Mitigation Library provides ready-to-use vendor-specific or vendor-agnostic detection rules for each TTP for building a proactive defense against adversaries.

For example, the following table includes a threat simulating credential dumping using the Mimikatz tool and a detection rule in the Picus Mitigation Library that detects this threat.

Picus Threat Library - Threat

Picus Mitigation Library - Detection Rule

393510 Credential Dumping using Mimikatz Tool

4920 Password and Hash Dump via Mimikatz

 

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address exploits used by the APT group.

Security Control

Signature ID

Signature Name

FortiGate IPS

50695

web_app3: MS.Exchange.Server.Common.Access.Token.Privilege.Elevation

FortiGate IPS

50584

web_app3: MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution

Snort IPS

1.58249.2

SERVER-WEBAPP Microsoft Exchange server security feature bypass attempt

Snort IPS

1.57907.4

SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Snort IPS

1.57907.3

SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Palo Alto Networks NGFW

91368

Microsoft Exchange Server SSRF Vulnerability

Palo Alto Networks NGFW

91651

Microsoft Exchange EwsAutodiscoverProxyRequestHandler Server Side Request Forgery Vulnerability

F5 Advanced Web Application Firewall

200018137

Microsoft Exchange ProxyShell SSRF

F5 Advanced Web Application Firewall

200018136

Microsoft Exchange ProxyShell Privilege Escalation

McAfee’s Network Security Platform (IPS)

0x45298b00

HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473)

Forcepoint NGFW

 

HTTP_CRL-Microsoft-Exchange-SSRF-CVE-2021-34473

Cisco Firepower NGFW

1.58249.2

SERVER-WEBAPP Microsoft Exchange server security feature bypass attempt

Cisco Firepower NGFW

1.57907.4

SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Trend Micro TippingPoint IPS

39522

HTTP: Microsoft Exchange Server Autodiscover SSRF Vulnerability (PWN2OWN ZDI-21-821)

 

IOCs (Indicators of Compromise)

SHA256 Hashes

c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624

3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4

5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6

4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D

604e7cee9b32160c8e1b4159536e9e50bccc033d36fc8010160a2aea432191e0

28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa

d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a

Created Task URIs

SynchronizeTimeZone

GoogleChangeManagement

MicrosoftOutLookUpdater

MicrosoftOutLookUpdateSchedule

Created Account Names

Support

Help

elie

WADGUtilityAccount





Subscribe

Keep up to date with latest blog posts