CISA AA22-257A

Try in Splunk Security Cloud

Description

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Web
• Last Updated: 2022-09-15
• Author: Michael Haag, Splunk
• ID: e1aec96e-bc7d-4edf-8ff7-3da9b7b29147

Narrative

This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC. Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

Detections

Name	Technique	Type
Create local admin accounts using net exe	Local Account, Create Account	TTP
Creation of lsass Dump with Taskmgr	LSASS Memory, OS Credential Dumping	TTP
Detect Exchange Web Shell	Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services	TTP
Detect Mimikatz Using Loaded Images	LSASS Memory, OS Credential Dumping	TTP
Detect New Local Admin account	Local Account, Create Account	TTP
Detect Webshell Exploit Behavior	Server Software Component, Web Shell	TTP
Dump LSASS via comsvcs DLL	LSASS Memory, OS Credential Dumping	TTP
Dump LSASS via procdump	LSASS Memory, OS Credential Dumping	TTP
Dump LSASS via procdump Rename	LSASS Memory	Hunting
Extraction of Registry Hives	Security Account Manager, OS Credential Dumping	TTP
Log4Shell JNDI Payload Injection Attempt	Exploit Public-Facing Application, External Remote Services	Anomaly
Randomly Generated Scheduled Task Name	Scheduled Task/Job, Scheduled Task	Hunting
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Schtasks Run Task On Demand	Scheduled Task/Job	TTP
Short Lived Scheduled Task	Scheduled Task	TTP
W3WP Spawning Shell	Server Software Component, Web Shell	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Scheduled Task Created to Spawn Shell	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Windows Hidden Schedule Task Settings	Scheduled Task/Job	TTP
Windows Possible Credential Dumping	LSASS Memory, OS Credential Dumping	TTP
Windows Protocol Tunneling with Plink	Protocol Tunneling, SSH	TTP

Reference

• https://www.cisa.gov/uscert/ncas/alerts/aa21-321a
• https://www.cisa.gov/uscert/ncas/alerts/aa22-257a
• https://www.ic3.gov/Media/News/2021/210527.pdf
• https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml
• https://www.us-cert.cisa.gov/iran

source | version: 1