CISA, FBI warn of Iranian state-sponsored actors breaching federal network, deploying crypto miner, credential harvester

U.S. cybersecurity agencies released a cybersecurity advisory (CSA) covering suspected Iranian government-sponsored advanced persistent threat (APT) hackers who breached a federal civilian executive branch (FCEB) organization and deployed a crypto miner and a credential harvester. The advisory details the suspected Iranian state-sponsored hackers' tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

The CSA, issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on Wednesday, also included a malware analysis report (MAR) on the mining software that the suspected APT hackers used against the compromised FCEB network. 

CISA said it obtained four malicious files for analysis during an on-site incident response engagement at the FCEB organization compromised by the Iranian state-sponsored APT hackers. These files have been identified as variants of the XMRig cryptocurrency mining software. They include a kernel driver, two Windows executables, and a configuration file that controls the behavior of one of the executables on the network and on the infected host.

The advisory follows an incident response engagement that CISA conducted from mid-June through mid-July at an FCEB organization where the agency observed suspected APT activity. “In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors,” the advisory added.

The cybersecurity agencies call upon all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat-hunting activities. “If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity,” the advisory added.

In April this year, CISA conducted a retrospective analysis using EINSTEIN, an FCEB-wide intrusion detection system (IDS) operated and monitored by the agency, and identified suspected APT activity on an FCEB organization’s network. “CISA observed bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability in VMware Horizon servers. In coordination with the FCEB organization, CISA initiated threat-hunting incident response activities; however, prior to deploying an incident response team, CISA observed additional suspected APT activity,” the advisory said.

CISA specifically observed HTTPS activity from an IP address to the organization’s VMware server. Based on trusted third-party reporting, that IP address “is a Lightweight Directory Access Protocol (LDAP) server associated with threat actors exploiting Log4Shell. Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address,” the advisory revealed. CISA also observed a DNS query for us-nation-ny[dot]cf that resolved to that same IP address at the time the victim server was making this Log4Shell LDAP callback to the hackers’ server.

The CSA added that CISA assessed this traffic as a confirmed compromise, based on the successful callback to the indicator, and informed the organization of these findings; the organization investigated the activity and found signs of compromise. Because a trusted third party had reported that Log4Shell activity from this IP address was associated with lateral movement and targeting of DCs, CISA suspected the Iranian state-sponsored hackers had moved laterally and compromised the organization’s DC.
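The detection sequence described above (inbound HTTPS to the Horizon server from an external IP, an outbound callback from the server to that same IP moments later, and a DNS query on the victim resolving to it) is the kind of pattern a network defender can hunt for in flow and DNS telemetry. The following is an added example, not code from the advisory or from CISA: it correlates constructed flow and DNS records to surface that callback pattern. The 203.0.113.x and 198.51.100.x addresses are documentation-range placeholders, the Horizon server address and timestamps are invented, and only the domain name comes from the advisory.

```python
"""Network-side hunt for the Log4Shell callback pattern: an external IP
connects inbound to a VMware Horizon server, and the server connects back
out to the same IP shortly afterwards. Runs over constructed records."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data. 10.0.5.20 stands in for the Horizon server and
# 203.0.113.10 (a documentation-range address) for the attacker's LDAP server.
HORIZON_SERVERS = {"10.0.5.20"}

# (time, src, dst, dst_port) for each connection seen at the perimeter.
SAMPLE_FLOWS = [
    ("2022-02-09T10:01:50", "198.51.100.7", "10.0.5.20", 443),   # ordinary client
    ("2022-02-09T10:02:05", "203.0.113.10", "10.0.5.20", 443),   # inbound HTTPS (exploit attempt)
    ("2022-02-09T10:02:08", "10.0.5.20", "203.0.113.10", 443),   # server calls back to same IP
    ("2022-02-09T10:30:00", "10.0.5.20", "198.51.100.50", 443),  # unrelated outbound
]

# (time, querying host, query name, answer). The domain is the advisory's
# indicator, written in its resolvable form; the answer is constructed.
SAMPLE_DNS = [
    ("2022-02-09T10:02:06", "10.0.5.20", "us-nation-ny.cf", "203.0.113.10"),
    ("2022-02-09T10:15:00", "10.0.5.21", "updates.example.net", "198.51.100.60"),
]

# RFC 1918 ranges; anything outside them is treated as external. Spelled out
# rather than using ipaddress.is_global so documentation-range test data behaves.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def _ts(s):
    return datetime.fromisoformat(s)


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_callbacks(flows, dns, servers, window=timedelta(seconds=60)):
    """Return one finding per (inbound external -> server, server -> same
    external) pair that occurs within `window`, enriched with any DNS names
    the server resolved to that external IP."""
    inbound = [(t, src, dst) for t, src, dst, _ in flows
               if dst in servers and is_external(src)]
    findings = []
    for t_in, ext, server in inbound:
        for t_out, src, dst, port in flows:
            delta = _ts(t_out) - _ts(t_in)
            if src == server and dst == ext and timedelta(0) <= delta <= window:
                names = sorted({q for _, host, q, ans in dns
                                if host == server and ans == ext})
                findings.append({
                    "server": server,
                    "external_ip": ext,
                    "callback_port": port,
                    "seconds_after_inbound": delta.total_seconds(),
                    "dns_names": names,
                })
    return findings


if __name__ == "__main__":
    for f in find_callbacks(SAMPLE_FLOWS, SAMPLE_DNS, HORIZON_SERVERS):
        print(f)
```

The ordinary client on 198.51.100.7 produces no finding because the server never connects back to it; the pair with 203.0.113.10 does, and the DNS record ties the advisory's domain to that address. The advisory notes the callback used port 443, so the hunt deliberately does not filter on LDAP's usual ports: the direction reversal to the same peer is the signal.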

“From mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software,” the advisory said. “The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.”

The advisory also disclosed that in February, the hackers exploited Log4Shell for initial access to the organization’s unpatched VMware Horizon server. As part of their initial exploitation, CISA observed a connection to a known malicious IP address lasting 17.6 seconds. The actors’ exploit payload ran a PowerShell command that added an exclusion to Windows Defender covering the entire C:\ drive, enabling the Iranian state-sponsored hackers to download tools to the drive without virus scans.

After obtaining initial access and installing XMRig on the VMware Horizon server, the hackers used RDP and the built-in Windows user account to move laterally to a VMware VDI-KMS host. Once the hackers established themselves on the VDI-KMS host, CISA observed them download around 30 megabytes of files from the transfer[dot]sh server associated with another IP address.

The hackers downloaded PsExec, a Microsoft-signed tool for system administrators; Mimikatz, a credential theft tool; and Ngrok, a reverse proxy tool for proxying an internal service out onto an Ngrok domain, which the user can then access at a randomly generated subdomain, the advisory said. “CISA has observed this tool in use by some commercial products for benign purposes; however, this process bypasses typical firewall controls and may be a potentially unwanted application in production environments. Ngrok is known to be used for malicious purposes,” it added.

The advisory added that the hackers then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account. Using the newly created account, the Iranian state-sponsored hackers leveraged RDP to propagate to several hosts within the network. “Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot,” according to the advisory. 

Subsequently, the hackers were able to proxy RDP sessions, which were only observable on the local network as outgoing HTTPS port 443 connections, the advisory said. Once the hackers established a deep foothold in the network and moved laterally to the domain controller, they executed a PowerShell command on the Active Directory to obtain a list of all machines attached to the domain. They also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated. 
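The host-side behaviors described in the last few paragraphs (a Defender exclusion added for the whole C:\ drive, a newly created account placed in Domain Admins, and the local administrator password reset across several hosts as a fallback) each leave a trace in standard Windows event logs. The following is an added example, not code from the advisory or from CISA: it runs three hunts over constructed event records shaped like Defender operational event 5007 and Security events 4720, 4728 and 4724. Host names, account names, timestamps and the exact message text are invented for the example.

```python
"""Host-side hunts for three TTPs from the advisory, run over constructed
Windows event records (not real telemetry): Defender exclusion additions
(5007), account creation followed by Domain Admins membership (4720 + 4728),
and local Administrator password resets sprayed across hosts (4724)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified from the Windows
# event schemas; the 5007 message text mimics Defender's wording.
SAMPLE_EVENTS = [
    {"time": "2022-02-09T10:02:11", "host": "horizon01", "id": 5007,
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                 "\\Exclusions\\Paths\\C:\\ = 0x0")},
    {"time": "2022-02-09T10:05:40", "host": "horizon01", "id": 5007,
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "Old value:  New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                 "\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\Agent = 0x0")},
    {"time": "2022-02-10T14:20:00", "host": "dc01", "id": 4720,
     "subject": "svc_backup", "target": "svc_helpdesk2"},
    {"time": "2022-02-10T14:21:30", "host": "dc01", "id": 4728,
     "subject": "svc_backup", "group": "Domain Admins", "member": "svc_helpdesk2"},
    {"time": "2022-02-11T09:00:00", "host": "vdi-kms", "id": 4724,
     "subject": "svc_helpdesk2", "target": "Administrator"},
    {"time": "2022-02-11T09:03:00", "host": "fileserv02", "id": 4724,
     "subject": "svc_helpdesk2", "target": "Administrator"},
    {"time": "2022-02-11T09:04:10", "host": "app03", "id": 4724,
     "subject": "svc_helpdesk2", "target": "Administrator"},
]

# Pulls the excluded path out of the registry key named in the 5007 message.
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>.+?) = ")
# A bare drive letter such as "C:\" means the whole volume is excluded.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_defender_exclusions(events):
    """Flag every exclusion path added; a whole drive root is rated high."""
    findings = []
    for ev in events:
        if ev["id"] != 5007:
            continue
        m = EXCLUSION_RE.search(ev["message"])
        if not m:
            continue
        path = m.group("path")
        severity = "high" if DRIVE_ROOT_RE.match(path) else "medium"
        findings.append({"type": "defender_exclusion", "host": ev["host"],
                         "path": path, "severity": severity})
    return findings


def find_rogue_domain_admins(events, window=timedelta(hours=1)):
    """An account created (4720) and added to Domain Admins (4728) within
    `window` is the rogue-admin pattern the advisory describes."""
    created = {ev["target"]: ev for ev in events if ev["id"] == 4720}
    findings = []
    for ev in events:
        if ev["id"] != 4728 or ev["group"].lower() != "domain admins":
            continue
        c = created.get(ev["member"])
        if c and timedelta(0) <= _ts(ev) - _ts(c) <= window:
            findings.append({"type": "rogue_domain_admin", "account": ev["member"],
                             "created_by": c["subject"], "severity": "high"})
    return findings


def find_local_admin_reset_spray(events, min_hosts=3, window=timedelta(hours=1)):
    """One subject resetting the local Administrator password (4724) on at
    least `min_hosts` distinct hosts within `window`."""
    by_subject = defaultdict(list)
    for ev in events:
        if ev["id"] == 4724 and ev["target"].lower() == "administrator":
            by_subject[ev["subject"]].append(ev)
    findings = []
    for subject, evs in by_subject.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):  # sliding window anchored on each reset
            hosts = {e["host"] for e in evs[i:] if _ts(e) - _ts(start) <= window}
            if len(hosts) >= min_hosts:
                findings.append({"type": "local_admin_reset_spray", "subject": subject,
                                 "hosts": sorted(hosts), "severity": "medium"})
                break
    return findings


def hunt(events):
    return (find_defender_exclusions(events)
            + find_rogue_domain_admins(events)
            + find_local_admin_reset_spray(events))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the drive-root exclusion is rated high while the vendor-agent path is only medium, the helpdesk account created and promoted within ninety seconds is flagged, and the three Administrator resets by that same account within a few minutes are grouped into one finding. The thresholds and windows are starting points to tune against an environment's own baseline of legitimate administration.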

Additionally, the Iranian state-sponsored hackers were observed attempting to dump the Local Security Authority Subsystem Service (LSASS) process with Task Manager, but this was stopped by additional anti-virus software that the FCEB organization had installed, the advisory disclosed.

The cybersecurity agencies recommend that organizations apply the advisory's mitigations and defensive measures, including updating affected VMware Horizon and Unified Access Gateway (UAG) systems to the latest version and minimizing the organization’s internet-facing attack surface. The advisory also suggests exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework, and testing the organization’s existing security controls against those ATT&CK techniques.

In June, CISA and the Coast Guard Cyber Command (CGCYBER) said that hackers, including state-sponsored advanced persistent threat (APT) hackers, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and UAG servers. Cybercriminals have likewise exploited the vulnerability to obtain initial access to organizations that did not apply available patches or workarounds.

Last month, CISA published a Binding Operational Directive that calls upon FCEB agencies to make measurable progress toward enhancing visibility into asset discovery and vulnerability enumeration across their networks. The directive treats continuous and comprehensive asset visibility as an essential precondition for any organization to manage cybersecurity risk, and it calls for accurate and up-to-date accounting of the assets residing on federal networks.
