Analytics Story: CISA AA24-241A

Date: 2024-10-07 ID: f075adb6-76a6-4476-b24a-ce9d471a1bdc Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This story covers the tactics of Iran-based cyber actors exploiting U.S. and foreign organizations across multiple sectors, as detailed in CISA Alert AA24-241A. It focuses on their methods of gaining initial access, establishing persistence, and enabling ransomware attacks through vulnerabilities in public-facing networking devices.

Why it matters

As of August 2024, Iran-based cyber actors continue to exploit organizations across several U.S. sectors and other countries. The FBI assesses that a significant percentage of these operations aim to obtain network access for collaboration with ransomware affiliates. The actors typically use Shodan to identify vulnerable devices, then exploit public-facing networking equipment such as Citrix Netscaler, F5 BIG-IP, and various VPNs. They deploy webshells, create local accounts, and manipulate existing ones to maintain access. Post-exploitation, they repurpose credentials, disable security software, and use remote access tools. The group collaborates with ransomware affiliates like NoEscape, Ransomhouse, and ALPHV, actively participating in network lockdowns and extortion strategies. Defenders should prioritize patching public-facing devices, monitoring for unauthorized accounts and suspicious PowerShell activity, implementing strong access controls, and regularly reviewing logs for signs of compromise.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Create local admin accounts using net exe Local Account, Create Account TTP
Detect New Local Admin account Local Account, Create Account TTP
Detect Remote Access Software Usage File Remote Access Software Anomaly
Detect Remote Access Software Usage Process Remote Access Software Anomaly
Disable Defender AntiVirus Registry Disable or Modify Tools, Impair Defenses TTP
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC TTP
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
Powershell Disable Security Monitoring Disable or Modify Tools, Impair Defenses TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Windows Abused Web Services Web Service TTP
Windows Create Local Account Local Account, Create Account Anomaly
Windows DISM Install PowerShell Web Access Bypass User Account Control TTP
Windows Enable PowerShell Web Access PowerShell TTP
Windows Identify PowerShell Web Access IIS Pool Exploit Public-Facing Application Hunting
Windows Modify Registry Delete Firewall Rules Modify Registry TTP
Windows Modify Registry to Add or Modify Firewall Rule Modify Registry Anomaly
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Anomaly
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Wsmprovhost LOLBAS Execution Process Spawn Remote Services, Windows Remote Management TTP
Detect Remote Access Software Usage DNS Remote Access Software Anomaly
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Exploit Public-Facing Application, External Remote Services TTP
Ngrok Reverse Proxy on Network Protocol Tunneling, Proxy, Web Service Anomaly
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Exploit Public-Facing Application TTP
Citrix ADC Exploitation CVE-2023-3519 Exploit Public-Facing Application Hunting
Detect Remote Access Software Usage URL Remote Access Software Anomaly
Ivanti Connect Secure Command Injection Attempts Exploit Public-Facing Application TTP
Ivanti Connect Secure System Information Access via Auth Bypass Exploit Public-Facing Application Anomaly
Windows IIS Server PSWA Console Access Exploit Public-Facing Application Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Palo Alto Network Threat Network icon Network pan:threat pan:threat
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Suricata N/A suricata suricata
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4648 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4720 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4732 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Windows IIS Windows icon Windows IIS:Configuration:Operational IIS:Configuration:Operational

References

Source: GitHub | Version: 2