CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C). Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE.
CVSS3: 10 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH.
EPSS: 0.976 High (Percentile: 100.0%).
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.
CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.
CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.
For more information on Iranian government-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.
Download the PDF version of this report: pdf, 528 kb.
For a downloadable copy of the Malware Analysis Report (MAR) accompanying this report, see: MAR 10387061-1.v1.
For a downloadable copy of IOCs, see: AA22-320A.stix, 1.55 mb.
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques with corresponding mitigation and/or detection recommendations.
In April 2022, CISA conducted retrospective analysis using EINSTEIN—an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected APT activity on an FCEB organization’s network. CISA observed bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers. In coordination with the FCEB organization, CISA initiated threat hunting incident response activities; however, prior to deploying an incident response team, CISA observed additional suspected APT activity. Specifically, CISA observed HTTPS activity from IP address 51.89.181[.]64 to the organization’s VMware server. Based on trusted third-party reporting, 51.89.181[.]64 is a Lightweight Directory Access Protocol (LDAP) server associated with threat actors exploiting Log4Shell. Following the HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us-nation-ny[.]cf that resolved back to 51.89.181[.]64 while the victim server was returning this Log4Shell LDAP callback to the actors’ server.
CISA assessed that this traffic indicated a confirmed compromise based on the successful callback to the indicator and informed the organization of these findings; the organization investigated the activity and found signs of compromise. As trusted third-party reporting associated Log4Shell activity from 51.89.181[.]64 with lateral movement and targeting of DCs, CISA suspected the threat actors had moved laterally and compromised the organization’s DC.
From mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software. The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.
In February 2022, the threat actors exploited Log4Shell [T1190] for initial access [TA0001] to the organization’s unpatched VMware Horizon server. As part of their initial exploitation, CISA observed a connection to known malicious IP address 182.54.217[.]2 lasting 17.6 seconds.
The actors’ exploit payload ran the following PowerShell command [T1059.001] that added an exclusion rule to Windows Defender [T1562.001]:
powershell try{Add-MpPreference -ExclusionPath 'C:'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"
The exclusion rule allowlisted the entire C:\ drive, enabling the threat actors to download tools to it without virus scans. The exploit payload then downloaded mdeploy.text from 182.54.217[.]2/mdepoy.txt to C:\users\public\mde.ps1 [T1105]. When executed, mde.ps1 downloaded file.zip from 182.54.217[.]2 and removed mde.ps1 from the disk [T1070.004].
file.zip contained XMRig cryptocurrency mining software and associated configuration files.
See MAR 10387061-1.v1 for additional information, including IOCs, on these four files.
After obtaining initial access and installing XMRig on the VMware Horizon server, the actors used RDP [T1021.001] and the built-in Windows user account DefaultAccount [T1078.001] to move laterally [TA0008] to a VMware VDI-KMS host. Once the threat actors established themselves on the VDI-KMS host, CISA observed them download around 30 megabytes of files from a transfer[.]sh server associated with 144.76.136[.]153. The actors downloaded the following tools:
The threat actors then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account [T1136.002]. Using the newly created account, the actors leveraged RDP to propagate to several hosts within the network. Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors implanted Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot. The actors were able to proxy [T1090] RDP sessions, which were only observable on the local network as outgoing HTTPS port 443 connections to tunnel.us.ngrok[.]com and korgn.su.lennut[.]com (the prior domain in reverse). It is possible, but was not observed, that the threat actors configured a custom domain or used other Ngrok tunnel domains, wildcarded here as *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com.
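As an added detection example (written for this page, not code from the advisory or from CISA), the following Python applies the wildcard patterns above to DNS query names and also checks each name after undoing the actors' reversal trick, so reversed forms of other Ngrok hostnames are flagged as well, which goes beyond the page's four exact patterns. The log format, client IPs and the name korgn.1a2b.io are constructed for the example.

```python
import fnmatch

# Ngrok tunnel domain patterns from the advisory, with the wildcards restored
# and the defanging brackets removed so they can be matched directly.
NGROK_PATTERNS = [
    "*.ngrok.com",
    "*.ngrok.io",
    "ngrok.*.tunnel.com",
    "korgn.*.lennut.com",
]


def reverse_labels(domain: str) -> str:
    """Undo the actors' 'reversed domain' trick.

    korgn.su.lennut.com is tunnel.us.ngrok.com spelled backwards with the TLD
    left in place, so everything before the last label is reversed as a string.
    """
    head, sep, tld = domain.rpartition(".")
    if not sep:
        return domain
    return head[::-1] + "." + tld


def matches_ngrok(domain: str) -> bool:
    """True if the domain, as written or un-reversed, matches a known Ngrok pattern."""
    d = domain.lower().rstrip(".")
    for candidate in (d, reverse_labels(d)):
        if any(fnmatch.fnmatchcase(candidate, p) for p in NGROK_PATTERNS):
            return True
    return False


def scan_dns_log(lines):
    """Return (timestamp, client, domain) for every query that looks like Ngrok.

    Assumed (constructed) log format: '<ISO timestamp> <client IP> <queried name>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, qname = parts
        if matches_ngrok(qname):
            hits.append((ts, client, qname))
    return hits


# Constructed sample log, not data from the advisory. korgn.1a2b.io is a
# hypothetical reversed form of b2a1.ngrok.io that only the un-reversal
# check catches.
SAMPLE_DNS_LOG = """\
2022-06-15T10:01:02Z 10.10.4.21 tunnel.us.ngrok.com
2022-06-15T10:01:07Z 10.10.4.21 korgn.su.lennut.com
2022-06-15T10:02:11Z 10.10.4.30 update.example.internal
2022-06-15T10:03:40Z 10.10.4.21 korgn.1a2b.io
2022-06-15T10:04:02Z 10.10.4.44 www.cisa.gov
"""

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{ts} {client} -> {qname}")
```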
Once the threat actors established a deep foothold in the network and moved laterally to the domain controller, they executed the following PowerShell command on the Active Directory to obtain a list of all machines attached to the domain [T1018]:
Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >
The threat actors also changed the password for the local administrator account [T1098] on several hosts as a backup should the rogue domain administrator account be detected and terminated. Additionally, the threat actors were observed attempting to dump the Local Security Authority Subsystem Service (LSASS) process [T1003.001] with Task Manager, but this was stopped by additional anti-virus software the FCEB organization had installed.
See Table 1 for all threat actor tactics and techniques referenced in this advisory, as well as corresponding detection and/or mitigation recommendations. For additional mitigations, see the Mitigations section.
Table 1: Cyber Threat Actors ATT&CK Techniques for Enterprise
Initial Access
Technique Title | ID | Use | Recommendations
Exploit Public-Facing Application | T1190 | The actors exploited Log4Shell for initial access to the organization’s VMware Horizon server. | Mitigation/Detection: Use a firewall or web-application firewall and enable logging to prevent and detect potential Log4Shell exploitation attempts [M1050]. Mitigation: Perform regular vulnerability scanning to detect Log4j vulnerabilities and update Log4j software using vendor-provided patches [M1016], [M1051].
Execution
Technique Title | ID | Use | Recommendations
Command and Scripting Interpreter: PowerShell | T1059.001 | The actors ran PowerShell commands that added an exclusion rule to Windows Defender. The actors executed PowerShell on the AD to obtain a list of machines on the domain. | Mitigation: Disable or remove PowerShell for non-administrative users [M1042], [M1026] or enable code signing to execute only signed scripts [M1045]. Mitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].
Persistence
Technique Title | ID | Use | Recommendations
Account Manipulation | T1098 | The actors changed the password for the local administrator account on several hosts. | Mitigation: Use multifactor authentication for user and privileged accounts [M1032]. Detection: Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728, and 4670. Monitor for modification of accounts in correlation with other suspicious activity [DS0002].
Create Account: Local Account | T1136.001 | The actors’ malware can create local user accounts. | Mitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. Detection: Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017]. Detection: Enable logging for new user creation [DS0002].
Create Account: Domain Account | T1136.002 | The actors used Mimikatz to create a rogue domain administrator account. | Mitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts. Detection: Enable logging for new user creation, especially domain administrator accounts [DS0002].
Scheduled Task/Job: Scheduled Task | T1053.005 | The actors’ exploit payload created Scheduled Task RuntimeBrokerService.exe, which executed RuntimeBroker.exe daily as SYSTEM. | Mitigation: Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM [M1028]. Detection: Monitor for newly constructed processes and/or command lines that execute from svchost.exe in Windows 10 and from the Windows Task Scheduler taskeng.exe in older versions of Windows [DS0009]. Detection: Monitor for newly constructed scheduled jobs by enabling the Microsoft-Windows-TaskScheduler/Operational setting within the event logging service [DS0003].
Valid Accounts: Default Accounts | T1078.001 | The actors used the built-in Windows user account DefaultAccount. | Mitigation: Change default usernames and passwords immediately after installation and before deployment to a production environment [M1027]. Detection: Develop rules to monitor logon behavior across default accounts that have been activated or logged into [DS0028].
Defense Evasion
Technique Title | ID | Use | Recommendations
Impair Defenses: Disable or Modify Tools | T1562.001 | The actors added an exclusion rule to Windows Defender. The rule allowlisted the entire C:\ drive, enabling the actors to bypass virus scans for tools they downloaded to the C:\ drive. The actors also manually disabled Windows Defender via the GUI. | Mitigation: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services [M1018]. Detection: Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools, such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender [DS0024]. Detection: Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services, such as Windows Defender definition files in Windows and System log files in Linux [DS0013]. Detection: Monitor processes for unexpected termination related to security tools/services [DS0009].
Indicator Removal on Host: File Deletion | T1070.004 | The actors removed the malicious file mde.ps1 from the disk. | Detection: Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files [DS0017]. Detection: Monitor for unexpected deletion of files from the system [DS0022].
Credential Access
Technique Title | ID | Use | Recommendations
OS Credential Dumping: LSASS Memory | T1003.001 | The actors were observed trying to dump the LSASS process. | Mitigation: With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping [M1043]. Mitigation: On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing [M1040]. Mitigation: Ensure that local administrator accounts have complex, unique passwords across all systems on the network [M1027]. Detection: Monitor for unexpected processes interacting with LSASS.exe. Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored [DS0009]. Detection: Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of LSASS [DS0017].
Credentials from Password Stores | T1555 | The actors used Mimikatz to harvest credentials. | Mitigation: Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations [M1027]. Detection: Monitor for processes being accessed that may search for common password storage locations to obtain user credentials [DS0009]. Detection: Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials [DS0017].
Discovery
Technique Title | ID | Use | Recommendations
Remote System Discovery | T1018 | The actors executed a PowerShell command on the AD to obtain a list of all machines attached to the domain. | Detection: Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0017]. Detection: Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0029]. Detection: Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession [DS0009].
System Network Configuration Discovery: Internet Connection Discovery | T1016.001 | The actors’ malware tests for internet connectivity by pinging 8.8.8.8. | Mitigation: Monitor executed commands and arguments [DS0017] and executed processes (e.g., tracert or ping) [DS0009] that may check for internet connectivity on compromised systems.
Lateral Movement
Technique Title | ID | Use | Recommendations
Remote Services: Remote Desktop Protocol | T1021.001 | The actors used RDP to move laterally to multiple hosts on the network. | Mitigation: Use MFA for remote logins [M1032]. Mitigation: Disable the RDP service if it is unnecessary [M1042]. Mitigation: Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network [M1030]. Mitigation: Consider removing the local Administrators group from the list of groups allowed to log in through RDP [M1026]. Detection: Monitor for user accounts logged into systems associated with RDP (e.g., Windows EID 4624 Logon Type 10). Other factors, such as access patterns (e.g., multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP [DS0028].
Command and Control
Technique Title | ID | Use | Recommendations
Proxy | T1090 | The actors used Ngrok to proxy RDP connections and to perform command and control. | Mitigation: Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists [M1037]. Detection: Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure) [DS0029].
Ingress Tool Transfer | T1105 | The actors downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok. | Mitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].
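As an added example (written for this page, not code from the advisory or from CISA), the following Python runs the account and RDP detections from Table 1 over constructed Windows Security-log events: RDP logons (4624, logon type 10) by built-in accounts such as DefaultAccount, one account fanning out to several hosts over RDP within a short window, additions to privileged groups (4728), and password changes on the local Administrator account (4738). The event field names, host names, the 30-minute window, and the account svc-backup are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Groups and accounts worth alerting on. "Domain Admins" follows the rogue
# domain-admin account in the advisory; the other names are assumptions.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BUILTIN_ACCOUNTS = {"DefaultAccount", "Guest"}
RDP_LOGON_TYPE = "10"          # 4624 logon type 10 = RemoteInteractive (RDP)
FAN_OUT_WINDOW = timedelta(minutes=30)
FAN_OUT_HOSTS = 3              # distinct hosts one account reaches via RDP


def detect(events):
    """Run the advisory's account/RDP detections over normalised event dicts.

    Returns a list of (rule, subject, detail) tuples.
    """
    findings = []
    rdp_logons = defaultdict(list)   # account -> [(time, host)]
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            user = ev["target_user"]
            rdp_logons[user].append((t, ev["host"]))
            if user in BUILTIN_ACCOUNTS:
                findings.append(("rdp_builtin_account", user, ev["host"]))
        elif eid == 4728 and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", ev["member"], ev["group"]))
        elif eid == 4738 and ev.get("target_user", "").lower() == "administrator":
            findings.append(("local_admin_password_change", ev["target_user"], ev["host"]))
    # One account reaching several hosts over RDP in a short window (the
    # "multiple systems over a relatively short period of time" pattern).
    for user, logons in rdp_logons.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= FAN_OUT_WINDOW}
            if len(hosts) >= FAN_OUT_HOSTS:
                findings.append(("rdp_fan_out", user, tuple(sorted(hosts))))
                break
    return findings


# Constructed sample events (field names are a simplification of the Windows
# Security log fields, not real log data). "svc-backup" is a hypothetical
# rogue account; "jdoe" is a benign interactive logon for contrast.
SAMPLE_EVENTS = [
    {"time": "2022-02-10T09:00:00", "id": 4624, "host": "VDI-KMS",
     "target_user": "DefaultAccount", "logon_type": "10"},
    {"time": "2022-02-10T09:05:00", "id": 4624, "host": "VDI-KMS",
     "target_user": "jdoe", "logon_type": "2"},
    {"time": "2022-02-10T09:20:00", "id": 4728, "host": "DC01",
     "group": "Domain Admins", "member": "svc-backup"},
    {"time": "2022-02-10T09:30:00", "id": 4624, "host": "WS01",
     "target_user": "svc-backup", "logon_type": "10"},
    {"time": "2022-02-10T09:38:00", "id": 4624, "host": "WS02",
     "target_user": "svc-backup", "logon_type": "10"},
    {"time": "2022-02-10T09:41:00", "id": 4738, "host": "WS02",
     "target_user": "Administrator"},
    {"time": "2022-02-10T09:49:00", "id": 4624, "host": "WS03",
     "target_user": "svc-backup", "logon_type": "10"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject} {detail}")
```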
If suspected initial access or compromise is detected based on IOCs or TTPs in this CSA, CISA encourages organizations to assume lateral movement by threat actors and investigate connected systems and the DC.
CISA recommends organizations apply the following steps before applying any mitigations, including patching.
CISA and FBI recommend implementing the mitigations below and in Table 1 to improve your organization’s cybersecurity posture on the basis of threat actor behaviors.
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Initial Version: November 16, 2022