Nov 17, 2022

SafeBreach Coverage for US-CERT Alert (AA22-320A) – Iranian State-Sponsored APT Actors

On November 16, the Cybersecurity and Infrastructure Security Agency (CISA) released the findings of an incident response investigation into suspected advanced persistent threat (APT) activity observed at a Federal Civilian Executive Branch (FCEB) organization. Details of the investigation (along with attacker TTPs and IOCs) were made available in US-CERT Alert (AA22-320A), Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester.

According to the advisory, CISA’s investigation (performed between mid-June and mid-July 2022) revealed that the threat actors exploited the Log4Shell vulnerability in a VMware Horizon server. They then installed XMRig, a cryptocurrency-mining program, moved laterally to a domain controller (DC), compromised credentials, and implanted Ngrok reverse proxies on several hosts in the network to maintain an ongoing presence. CISA and the Federal Bureau of Investigation (FBI) determined that the compromise was the work of Iranian government-sponsored APT actors.

Additional Details

The investigation revealed the following:

  • In February 2022, the threat actors exploited Log4Shell for initial access to the organization’s unpatched VMware Horizon server. As part of their initial exploitation, CISA observed a connection to a known malicious IP address 182.54.217[.]2 lasting 17.6 seconds.
  • The actors’ exploit payload ran a PowerShell command to add an exclusion rule to Windows Defender. The exclusion rule allow-listed the entire C:\ drive, enabling the threat actors to download tools to that drive without them being scanned.
  • The payload included a zip file containing XMRig cryptocurrency mining software and associated configuration files.
  • By exploiting Log4Shell, the actors gained access to a VMware service account with administrator and system-level access.
  • After obtaining initial access and installing XMRig on the VMware Horizon server, the actors used RDP and the built-in Windows user account DefaultAccount to move laterally to a VMware VDI-KMS (Virtual Desktop Infrastructure-Key Management Host) host. Once the threat actors established themselves on the VDI-KMS host, CISA observed the actors download around 30 megabytes of files, including PSExec (a Microsoft-signed system administration tool), Mimikatz (a credential theft tool), and Ngrok (a reverse proxy tool).
  • The threat actors then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account. Using the newly created account, the actors leveraged RDP to propagate to several hosts within the network. Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot.
  • Once the threat actors established a deep foothold in the network and moved laterally to the domain controller, they executed PowerShell commands against Active Directory to obtain a list of all machines joined to the domain.
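As an added defender-side illustration (not part of the SafeBreach post or its playbook), the Python below triages constructed Windows event records for two of the behaviours listed above: a Defender exclusion that covers a whole drive root, and an interactive RDP logon by the built-in DefaultAccount. Event IDs 4104 (PowerShell script block), 5007 (Defender configuration change) and 4624 (logon) are the standard Windows ones; the host names, IP addresses and simplified field layout are assumptions made for the example.

```python
"""Triage two host-level behaviours from the incident above: a Defender exclusion
covering an entire drive root, and an RDP logon by the built-in DefaultAccount."""
import re

# Add-MpPreference / Set-MpPreference with an -ExclusionPath argument (event 4104).
EXCLUSION_CMD = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+['\"]?([^'\"\s,]+)", re.I)
# Defender event 5007 names the changed registry value, which ends in the path.
EXCLUSION_REG = re.compile(r"Exclusions\\Paths\\([^=\s]+)", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # 'C:' or 'C:\'

def drive_root_exclusion(event: dict[str, str]) -> list[str]:
    """Flag only exclusions whose path is a bare drive root; narrower
    exclusions are routine administrative noise."""
    paths: list[str] = []
    if event.get("event_id") == "4104":      # PowerShell script block logging
        paths = EXCLUSION_CMD.findall(event.get("script", ""))
    elif event.get("event_id") == "5007":    # Defender configuration change
        paths = EXCLUSION_REG.findall(event.get("message", ""))
    return [f"{event['host']}: Defender exclusion covers entire drive {p}"
            for p in paths if DRIVE_ROOT.match(p)]

def default_account_rdp(event: dict[str, str]) -> list[str]:
    """DefaultAccount is a system-managed account that is disabled by default;
    an interactive RDP logon (4624, logon type 10) with it should not occur."""
    if (event.get("event_id") == "4624" and event.get("logon_type") == "10"
            and event.get("user", "").lower() == "defaultaccount"):
        return [f"{event['host']}: RDP logon by DefaultAccount from "
                f"{event.get('source_ip', '?')}"]
    return []

def triage(events: list[dict[str, str]]) -> list[str]:
    alerts: list[str] = []
    for ev in events:
        alerts += drive_root_exclusion(ev) + default_account_rdp(ev)
    return alerts

SAMPLE_EVENTS = [  # constructed sample events, not data from the advisory
    {"host": "horizon01", "event_id": "4104",
     "script": "powershell -c Add-MpPreference -ExclusionPath 'C:\\'"},
    {"host": "horizon01", "event_id": "4104",
     "script": "Add-MpPreference -ExclusionPath 'C:\\Backups\\'"},
    {"host": "vdi-kms01", "event_id": "5007", "message":
     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"},
    {"host": "vdi-kms01", "event_id": "4624", "logon_type": "10",
     "user": "DefaultAccount", "source_ip": "10.0.0.5"},
    {"host": "vdi-kms01", "event_id": "4624", "logon_type": "10",
     "user": "jsmith", "source_ip": "10.0.0.6"},
]
```

Running `triage(SAMPLE_EVENTS)` yields three alerts: the two whole-drive exclusions (one from script block logging, one from the Defender 5007 event) and the DefaultAccount RDP logon; the `C:\Backups\` exclusion and the ordinary user logon are not flagged.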

Important Note for SafeBreach Customers – Coverage for AA22-320A

As soon as details and IOCs were made available, corresponding new attacks were immediately added to the SafeBreach Hacker’s Playbook™ on November 17. It is important to note that some of the attack TTPs used by these threat actors were already available in the SafeBreach playbook. SafeBreach customers already had an existing level of protection against these threat actors if their security controls were validated against these known TTPs. NOTE: For a more comprehensive level of coverage against Iranian Government-Sponsored APT groups, we would also recommend validating your security controls against the various attacks listed in the advisory for US-CERT AA22-174A and US-CERT AA22-257A.

5 newly added playbook methods for US-CERT Alert AA22-320A:

  • #8010 Write XMRig driver malware to disk (host level)
  • #8011 Transfer of XMRig driver malware over HTTP/S (lateral movement)
  • #8012 Transfer of XMRig driver malware over HTTP/S (infiltration)
  • #8013 Email XMRig driver malware as a ZIP attachment (lateral movement)
  • #8014 Email XMRig driver malware as a ZIP attachment (infiltration)

40+ previously available playbook attacks for AA22-320A:

  • XMRig Attacks
    • #4949 Pre-execution phase of XMRig malware (host level)
    • #4950 Write XMRig malware to disk (host level)
    • #4951 Transfer of XMRig malware over HTTP/S (lateral movement)
    • #4952 Transfer of XMRig malware over HTTP/S (infiltration)
    • #4953 Email XMRig malware as a ZIP attachment (lateral movement)
    • #4954 Email XMRig malware as a ZIP attachment (infiltration)
    • #7153 Pre-execution phase of XMRIG Cryptominer malware (host level)
    • #7154 Write XMRIG Cryptominer malware to disk (host level)
    • #7155 Transfer of XMRIG Cryptominer malware over HTTP/S (lateral movement)
    • #7156 Transfer of XMRIG Cryptominer malware over HTTP/S (infiltration)
    • #7157 Email XMRIG Cryptominer malware as a ZIP attachment (lateral movement)
    • #7158 Email XMRIG Cryptominer malware as a ZIP attachment (infiltration)
    • #7159 Pre-execution phase of XMRIG Cryptominer-2 malware (host level)
    • #7160 Write XMRIG Cryptominer-2 malware to disk (host level)
    • #7161 Transfer of XMRIG Cryptominer-2 malware over HTTP/S (lateral movement)
    • #7162 Transfer of XMRIG Cryptominer-2 malware over HTTP/S (infiltration)
    • #7163 Email XMRIG Cryptominer-2 malware as a ZIP attachment (lateral movement)
    • #7164 Email XMRIG Cryptominer-2 malware as a ZIP attachment (infiltration)
  • Complex Network Attacks
    • #6843 Communication with a real malicious server exploiting CVE-2021-44228 (log4j) using HTTP (infiltration)
    • #6861 Remote exploitation of Apache Log4j vulnerability CVE-2021-44228 (infiltration)
    • #6909 RDP Connection Between 2 Simulators (infiltration)
    • #1220 Inject Mimikatz using PowerShell to Extract Credentials (lateral movement)
    • #1339 Remote command execution by PSExec (lateral movement)
    • #192 Brute force attack over RDP protocol (lateral movement)
    • #2273 Pass the Hash over SMB using Mimikatz (lateral movement)
  • Behavioral Attacks
    • #1269 Creating Windows schedule task (schtasks) (host level)
    • #2164 Scheduled Task (host level)
    • #2170 Create Account (Windows) (host level)
    • #2189 Account Manipulation (host level)
    • #2222 Discover Remote Systems using PowerShell (host level)
    • #2267 Add an exclusion to Windows Defender using PowerShell (host level)
    • #3819 Windows Credentials Collection using LaZagne (host level)
    • #3820 Extract credentials stored in a browser using WebBrowserPassView (host level)
    • #3829 Run obfuscated Mimikatz on host (host level)
    • #6127 Extract LSASS memory dump using PowerShell and Rundll32 (host level)
    • #6514 Carbanak UAC Bypass and Credential Dumping (host level)
    • #6581 Discover domain computers using LDAP method (host level)
    • #6910 RDP Tunneling (host level)
    • #7170 Add a local administrator (Windows) (host level)
    • #794 Extract Login Information using MimiKatz (host level)
    • #6473 Agentless lateral movement via RDP (host level)
    • #6513 Agentless lateral movement via SMB and RCE using Mimikatz (host level)

What You Should Do Now

Attack methods related to US-CERT Alert AA22-320A are ready to run across your simulators. Select the US-CERT Alert AA22-320A (Iranian Government-Sponsored APT Actors) report from the Known Attack Series report and select Run Simulations, which will run all attack methods.

You can also select all the attacks related to US-CERT Alert AA22-320A by going to the SafeBreach playbook and filtering by Threat Name – US-CERT Alert AA22-320A (Iranian Government-Sponsored APT Actors).

You can also go to the “SafeBreach Scenarios” page and choose the US-CERT Alert AA22-320A (Iranian Government-Sponsored APT Actors) scenario from the list of available scenarios.

NOTE: CISA and the FBI recommend the following actions to mitigate the threat posed by these actors:

  • Validate Security Controls – CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
  • Install updated builds so that affected VMware Horizon and UAG systems are running the latest version.
  • Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
  • Minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services that are not essential to business operations.
  • Secure credentials by restricting where accounts and credentials can be used.
