Description
This story covers the tactics of Iran-based cyber actors exploiting U.S. and foreign organizations across multiple sectors, as detailed in CISA Alert AA24-241A. It focuses on their methods of gaining initial access, establishing persistence, and enabling ransomware attacks through vulnerabilities in public-facing networking devices.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change, Endpoint, Network_Resolution, Web
- Last Updated: 2024-09-03
- Author: Michael Haag, Splunk
- ID: f075adb6-76a6-4476-b24a-ce9d471a1bdc
Narrative
As of August 2024, Iran-based cyber actors continue to exploit organizations across several U.S. sectors and in other countries. The FBI assesses that a significant percentage of these operations aim to obtain network access that is then handed to ransomware affiliates. The actors typically use Shodan to identify vulnerable devices, then exploit public-facing networking equipment such as Citrix NetScaler, F5 BIG-IP, and various VPN appliances. They deploy webshells, create local accounts, and manipulate existing ones to maintain access. Post-exploitation, they reuse harvested credentials, disable security software, and install remote access tools. The group collaborates with ransomware affiliates including NoEscape, RansomHouse, and ALPHV, taking an active part in locking victim networks and in planning extortion. Defenders should prioritize patching public-facing devices, monitoring for unauthorized accounts and suspicious PowerShell activity, enforcing strong access controls, and regularly reviewing logs for signs of compromise.
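The monitoring the narrative asks for (unauthorized local accounts, security software being disabled, remote access tools appearing) is easiest to reason about when the logic is written out over a handful of events. The block below is an added example, not the story's own SPL and not code from Splunk or CISA: it re-implements three of those hunts in plain Python over constructed Windows process-creation records. The field names (`_time`, `dest`, `user`, `process_name`, `process`) mirror the Endpoint.Processes data model, but the events, the five-minute correlation window, the registry value names and the remote-access tool list are assumptions made for the example.

```python
"""Three hunts from the narrative, re-implemented over constructed process events.

Added example, not the analytic story's own detections. Field names follow the
Endpoint.Processes data model; every event, threshold and tool name is assumed.
"""

# Constructed sample events: web01 shows an operator creating a local account,
# elevating it, turning Defender off and launching a remote access tool;
# hr07 shows benign net.exe use that must not fire.
EVENTS = [
    {"_time": 1, "dest": "web01", "user": "NT AUTHORITY\\SYSTEM", "process_name": "cmd.exe",
     "process": "cmd.exe /c whoami"},
    {"_time": 2, "dest": "web01", "user": "NT AUTHORITY\\SYSTEM", "process_name": "net.exe",
     "process": "net user svc_backup P@ssw0rd! /add"},
    {"_time": 3, "dest": "web01", "user": "NT AUTHORITY\\SYSTEM", "process_name": "net1.exe",
     "process": "net1 localgroup administrators svc_backup /add"},
    {"_time": 4, "dest": "web01", "user": "NT AUTHORITY\\SYSTEM", "process_name": "reg.exe",
     "process": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                '/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"_time": 5, "dest": "web01", "user": "web01\\svc_backup", "process_name": "AnyDesk.exe",
     "process": "AnyDesk.exe"},
    {"_time": 6, "dest": "hr07", "user": "CORP\\jdoe", "process_name": "net.exe",
     "process": "net user"},
    {"_time": 7, "dest": "hr07", "user": "CORP\\helpdesk", "process_name": "net.exe",
     "process": "net localgroup administrators"},
]

NET_BINARIES = {"net.exe", "net1.exe"}
# Assumed kill-switch values under the Windows Defender policy key.
DEFENDER_VALUES = {"disableantispyware", "disableantivirus", "disablerealtimemonitoring"}
# Assumed subset of remote access tools; a real list would be much longer.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "ngrok.exe"}
ADMIN_WINDOW_SECONDS = 300  # assumed: creation and elevation within five minutes


def _tokens(process: str) -> list:
    """Lower-cased whitespace tokens; sufficient for net.exe and reg.exe switches."""
    return process.lower().split()


def classify_net(event):
    """Return ('create', account) or ('elevate', account) for a net/net1 /add command, else None."""
    if event["process_name"].lower() not in NET_BINARIES:
        return None
    t = _tokens(event["process"])
    if "/add" not in t:
        return None
    if "user" in t:                       # net user <name> [password] /add
        i = t.index("user")
        if i + 1 < len(t) and not t[i + 1].startswith("/"):
            return ("create", t[i + 1])
    if "localgroup" in t and "administrators" in t:   # net localgroup administrators <name> /add
        i = t.index("administrators")
        if i + 1 < len(t) and not t[i + 1].startswith("/"):
            return ("elevate", t[i + 1])
    return None


def local_admin_creations(events, window=ADMIN_WINDOW_SECONDS):
    """Correlate account creation with a later administrators-group addition on the same host.

    An elevation of an account never seen being created is still reported (the
    account may predate the log window) but flagged so triage can differ.
    """
    created, findings = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        c = classify_net(ev)
        if c is None:
            continue
        kind, account = c
        key = (ev["dest"], account)
        if kind == "create":
            created[key] = ev["_time"]
        else:
            t0 = created.get(key)
            findings.append({"dest": ev["dest"], "account": account, "user": ev["user"],
                             "correlated_creation": t0 is not None and ev["_time"] - t0 <= window})
    return findings


def defender_disabled_via_reg(event):
    """True when reg.exe sets a Defender kill switch to 1 (command-line view of the registry hunt)."""
    if event["process_name"].lower() != "reg.exe":
        return False
    line = event["process"].lower()
    if " add " not in line or "windows defender" not in line:
        return False
    t = _tokens(line)
    pairs = list(zip(t, t[1:]))
    return any(k == "/v" and v in DEFENDER_VALUES for k, v in pairs) and ("/d", "1") in pairs


def remote_access_tool_events(events):
    """Events whose image name is on the remote access tool list."""
    return [e for e in events if e["process_name"].lower() in REMOTE_ACCESS_TOOLS]


def run(events=EVENTS):
    """Evaluate all three hunts and return findings keyed by hunt name."""
    return {
        "local_admin_created": local_admin_creations(events),
        "defender_disabled": [e["dest"] for e in events if defender_disabled_via_reg(e)],
        "remote_access_tool": [(e["dest"], e["process_name"]) for e in remote_access_tool_events(events)],
    }


if __name__ == "__main__":
    for hunt, hits in run().items():
        print(hunt, hits)
```

Only web01 produces findings: the account creation and elevation correlate within the window, the `reg add` sets `DisableAntiSpyware` to 1, and AnyDesk appears under the newly created account. The hr07 commands enumerate rather than modify and are ignored. In Splunk the equivalent correlation is done across the Endpoint and Change data models; the point here is that the `/add` check alone is not the signal, the sequence is.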
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Exploit Public-Facing Application | TTP |
| Citrix ADC Exploitation CVE-2023-3519 | Exploit Public-Facing Application | Hunting |
| Create local admin accounts using net exe | Local Account, Create Account | TTP |
| Detect New Local Admin account | Local Account, Create Account | TTP |
| Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage File | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Process | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage URL | Remote Access Software | Anomaly |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Exploit Public-Facing Application, External Remote Services | TTP |
| Ivanti Connect Secure Command Injection Attempts | Exploit Public-Facing Application | TTP |
| Ivanti Connect Secure System Information Access via Auth Bypass | Exploit Public-Facing Application | Anomaly |
| Ngrok Reverse Proxy on Network | Protocol Tunneling, Proxy, Web Service | Anomaly |
| PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting |
| Powershell Disable Security Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |
| Windows Abused Web Services | Web Service | TTP |
| Windows Create Local Account | Local Account, Create Account | Anomaly |
| Windows DISM Install PowerShell Web Access | Bypass User Account Control | TTP |
| Windows Enable PowerShell Web Access | PowerShell | TTP |
| Windows Modify Registry Delete Firewall Rules | Modify Registry | TTP |
| Windows Modify Registry to Add or Modify Firewall Rule | Modify Registry | Anomaly |
| Windows Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Anomaly |
| Wsmprovhost LOLBAS Execution Process Spawn | Remote Services, Windows Remote Management | TTP |
Reference
source | version: 1