More

    Latest Posts

    Mettler Toledo Moisture Analyzers: The Ultimate Solution for Accurate Moisture Analysis

    Moisture analysis is a critical process in many industries, including food, pharmaceuticals, and chemicals. Accurate moisture analysis is essential for ensuring product quality and...

    Urlvoid: Check If A Website Is Malicious/scam Or Safe/legit for Dummies

    Your cost savings are government insured to at the very least $250,000 and also backed by the complete faith and also credit score of...

    Our 5 Ways To Determine If A Website Is Fake, Fraudulent, Or … Diaries

    Nobody has ever obtained their supposed winnings in this fraud. In this variant of the scam, frequently performed through the Web, the vendor is...

    Y2Mate com – The Ultimate Video and Audio Downloader and Converter

    Article Outline: Introduction What is Y2Mate com? Y2Mate.com features Video and audio downloader Video converter Cloud-based system How to use Y2Mate? Step by step...

    Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester

    Summary

    From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

    CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

    CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.

    For more information on Iranian government-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.

    Download the PDF version of this report: pdf, 528 kb.

    For a downloadable copy of the Malware Analysis Report (MAR) accompanying this report, see: MAR 10387061-1.v1.

    For a downloadable copy of IOCs, see: AA22-320A.stix, 1.55 mb.

    Technical Details

    Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques with corresponding mitigation and/or detection recommendations.

    Overview

    In April 2022, CISA conducted retrospective analysis using EINSTEIN—an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected APT activity on an FCEB organization’s network. CISA observed bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers. In coordination with the FCEB organization, CISA initiated threat hunting incident response activities; however, prior to deploying an incident response team, CISA observed additional suspected APT activity. Specifically, CISA observed HTTPS activity from IP address 51.89.181[.]64 to the organization’s VMware server. Based on trusted third-party reporting, 51.89.181[.]64 is a Lightweight Directory Access Protocol (LDAP) server associated with threat actors exploiting Log4Shell. Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.

    CISA assessed that this traffic indicated a confirmed compromise based on the successful callback to the indicator and informed the organization of these findings; the organization investigated the activity and found signs of compromise. As trusted-third party reporting associated Log4Shell activity from 51.89.181[.]64 with lateral movement and targeting of DCs, CISA suspected the threat actors had moved laterally and compromised the organization’s DC.

    From mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software. The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.

    Admin Mail : [email protected]