{"id":6162,"date":"2022-11-16T17:18:36","date_gmt":"2022-11-16T17:18:36","guid":{"rendered":"https:\/\/sajinshivdas.com\/security\/?p=6162"},"modified":"2023-03-27T08:33:45","modified_gmt":"2023-03-27T08:33:45","slug":"attackers-with-state-sponsorship-in-iran-break-into-us-government-network-and-release-cryptominer-and-password-stealer","status":"publish","type":"post","link":"https:\/\/sajinshivdas.com\/cybersecurity\/attackers-with-state-sponsorship-in-iran-break-into-us-government-network-and-release-cryptominer-and-password-stealer\/","title":{"rendered":"Attackers with State Sponsorship in Iran Break Into US Government Network and Release Cryptominer and Password Stealer"},"content":{"rendered":"[vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text]When CISA discovered what it believed to be advanced persistent threat (APT) activity at a Federal Civilian Executive Branch (FCEB) entity between the middle of June through the middle of July 2022, it launched an incident response engagement. Responding to an incident, CISA discovered that attackers had used a Log4Shell flaw in an unpatched VMware Horizon server to install crypto mining software, laterally moved to the domain controller (DC), compromised credentials, and implanted Ngrok reverse proxies on several hosts to maintain persistence. The FCEB network was hacked by Iranian government-backed APT actors, according to the Computer Security Industry Association (CISA) and the Federal Bureau of Investigation (FBI).[\/vc_column_text][vc_column_text]Cybersecurity Information Sharing and Analysis Center (CISAC) and Federal Bureau of Investigation (FBI) have released a Cybersecurity Advisory (CSA) detailing the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) of the Iranian government-sponsored actors, with the goal of assisting network defenders in detecting and preventing related compromises.[\/vc_column_text][vc_column_text]The Computer Security Industry Association (CISA) and the Federal Bureau of Investigation (FBI) advise that any company using vulnerable VMware systems that has not yet applied the necessary patches or workarounds should assume compromise and begin threat hunting immediately. Assume lateral movement by threat actors, investigate connected systems (including the DC), and conduct privileged account audits if suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, as recommended by CISA and the FBI. The Mitigations section of this CSA should be applied by all organizations to safeguard against similar malicious cyber activity, regardless of whether or not evidence of compromise has been found.[\/vc_column_text][vc_column_text]For more information on Iranian government-sponsored Iranian malicious cyber activity, see CISA\u2019s\u00a0Iran Cyber Threat Overview and Advisories<\/a>\u00a0webpage and FBI\u2019s\u00a0Iran Threats<\/a>\u00a0webpage.[\/vc_column_text][divider line_type=”No Line” custom_height=”10″][\/vc_column][\/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1\/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][heading]\n

Technical Details<\/h2>\n[\/heading][vc_column_text]Please take note that MITRE ATT&CK for Enterprise, Version 11 is used in this advisory. Threat actors’ actions are tabulated according to MITRE ATT&CK\u00ae tactics and techniques, with mitigation and detection suggestions provided in the table provided in the MITRE ATT&CK Tactics and Techniques section.[\/vc_column_text][vc_custom_heading text=”Overview” font_container=”tag:h4|text_align:left”][vc_column_text]CISA conducted a retrospective analysis in April 2022 using EINSTEIN, an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA, and found evidence of possible APT activity on the network of an FCEB organization. CISA discovered two-way communication between the network and a malicious IP address linked to attacks on VMware Horizon servers using the Log4Shell vulnerability (CVE-2021-44228). Threat hunting incident response efforts were launched by CISA in collaboration with the FCEB organization; nevertheless, more suspected APT activity was spotted by CISA before the deployment of an incident response team. CISA saw traffic from the IP address 51.89.181[.]64 using HTTPS to access the VMware server. Trusted third-party reporting indicates that the LDAP server located at 51.89.181[.]64 is used by threat actors who exploit Log4Shell. CISA discovered a possible LDAP callback to this IP address on port 443 after HTTPS traffic. The victim server returned this Log4Shell LDAP callback to the actors’ server, and CISA saw a DNS query for usnationny[.]cf resolve back to 51.89.181.64 during this time.[\/vc_column_text][vc_column_text]Based on the successful callback to the indicator, CISA concluded that this traffic indicated a confirmed compromise and reported its findings to the organization, which subsequently discovered indicators of compromise during an investigation. CISA suspected the threat actors had compromised the organization’s DC after receiving reports that linked activity on 51.89.181[. ]64’s Log4Shell server to lateral movement and the targeting of DCs.<\/p>\n

CISA conducted an onsite incident response engagement from the middle of June to the middle of July 2022, during which time it discovered that the company had been compromised as early as February 2022, most likely by APT actors sponsored by the Iranian government who installed XMRig crypto mining software. The attackers compromised credentials and implanted Ngrok reverse proxies before laterally spreading to the domain controller.[\/vc_column_text][vc_custom_heading text=”Threat Actor Activity” font_container=”tag:h4|text_align:left”][vc_column_text]Attackers gained access [TA0001] to an unpatched VMware Horizon server in the company in February 2022 by exploiting Log4Shell [T1190]. CISA discovered an initial exploit that involved a 17.6-second connection to the malicious IP address 182.54.217[. ]2.<\/p>\n

The following PowerShell command [T1059.001] was executed as part of the exploit payload, which added an exclusion tool to Windows Defender [T1562.001]:[\/vc_column_text][vc_column_text]\n

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.<\/p>\n[\/vc_column_text][nectar_scrolling_text scroll_direction=”ltr” scroll_speed=”slower” style=”default” text_repeat_number=”2″ text_repeat_divider=”none” overflow=”hidden” background_image_animation=”None”]powershell try{Add-MpPreference -ExclusionPath ‘C:\\’; Write-Host ‘added-exclusion’} catch {Write-Host ‘adding-exclusion-failed’ }; powershell -enc “$BASE64 encoded payload to download next stage and execute it”[\/nectar_scrolling_text][vc_column_text]The exclusion tool allowlisted the entire\u00a0c:\\drive, enabling threat actors to download tools to the\u00a0c:\\drive\u00a0without virus scans. The exploit payload then downloaded\u00a0mdeploy.text\u00a0from\u00a0182.54.217[.]2\/mdepoy.txt\u00a0to\u00a0C:\\users\\public\\mde.ps1\u00a0[T1105]. When executed, mde.ps1 downloaded\u00a0file.zip\u00a0from\u00a0182.54.217[.]2\u00a0and removed\u00a0mde.ps1\u00a0from the disk [T1070.004<\/a>].<\/p>\n

file.zip\u00a0contained XMRig cryptocurrency mining software and associated configuration files.<\/p>\n