Analytics Story: CISA AA22-257A

Description

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.

Why it matters

This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Dump LSASS via procdump Rename LSASS Memory Hunting
Create local admin accounts using net exe Local Account, Create Account TTP
Creation of lsass Dump with Taskmgr LSASS Memory, OS Credential Dumping TTP
Detect Exchange Web Shell Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services TTP
Detect New Local Admin account Local Account, Create Account TTP
Detect Webshell Exploit Behavior Server Software Component, Web Shell TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Dump LSASS via procdump LSASS Memory, OS Credential Dumping TTP
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
Randomly Generated Scheduled Task Name Scheduled Task/Job, Scheduled Task Hunting
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Schtasks Run Task On Demand Scheduled Task/Job TTP
Short Lived Scheduled Task Scheduled Task TTP
W3WP Spawning Shell Server Software Component, Web Shell TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP
Windows Protocol Tunneling with Plink Protocol Tunneling, SSH TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Log4Shell JNDI Payload Injection Attempt Exploit Public-Facing Application, External Remote Services Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Nginx Access N/A nginx:plus:kv /var/log/nginx/access.log
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4699 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4720 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4732 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References


Source: GitHub | Version: 1