Targeted Sectors: Global Critical Infrastructure
On September 14, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) with analytic input from the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the U.S. Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious activity by individuals affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). This alert is an update to a previous CSA, AA21-321A, released in November 2021 that identified activity dating back to March 2021 involving the exploitation of common vulnerabilities allowing IRGC-affiliated actors to use their access for follow-on activity, including disk encryption and data extortion, to support ransom operations.
Of note in this new alert, the coordinating U.S. government agencies and allied governments are now urging organizations to validate their security controls by conducting continuous, automated testing “at scale, in production” aligned to the MITRE ATT&CK framework.
According to the advisory, IRGC-affiliated adversaries are continuing to actively target a broad range of entities, including multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and British organizations. They are exploiting externally facing services using the ProxyShell and Log4Shell vulnerabilities. Once an initial foothold has been achieved, the actors begin to dump credentials, move laterally, and encrypt hosts using BitLocker. A detailed report was published by the DFIR Report in November 2021 that covered the technical details of the techniques and commands executed by the threat actors.
AttackIQ has released a new attack graph emulating the techniques used in these attacks to help customers validate their security controls and their ability to defend against this threat actor and others who follow similar behaviors.
Validating your security program performance against AttackIQ’s new attack graph is paramount in reducing risk. By using the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against malicious techniques that lead to the mass encryption of critical services.
- Assess their security posture against an actor that doesn’t need to bring down additional backdoors to successfully infiltrate your network.
- Continuously validate detection and prevention pipelines beyond the initial access exploits as new zero-days are discovered.
Attack Graph – [US-CERT AA22-257A] Iranian Threat Actors Leverage Bitlocker for Ransomware Operation
The Iranian actors drop various webshells through the web vulnerability exploits, so our attack graph starts with the saving of one of those payloads to disk. The intruders immediately begin by running a few system discovery commands to learn more about the compromised asset.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious webshells. The file used in this scenario is the ASPX xCmd webshell which has been utilized by many different threat actors since 2012.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.
System Information Discovery (T1082): The native hostname and systeminfo commands are used to get the infected host’s computer name and basic details about the system.
Internet Connection Discovery (T1016.001): This scenario uses nslookup to lookup an external domain using Google’s DNS (22.214.171.124). The actors utilize this command to determine if they will be able gain outbound access to the internet.
After learning details about the local asset, the actor begins to query for information about the system’s network and the account currently under control from the compromise. These details will be used in later steps to move to additional systems and prepare for their final stages of their attack.
Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the “/trusted_domains“ option to retrieve a list of trusted Active Directory domains associated with this host.
System Network Connections Discovery (T1049): The NETBIOS name table for the host is collected with the “nbtstat -n” command.
Account Discovery: Local Account (T1087.001): A list of local accounts configured on this host is collected by executing the “net user” command. Knowing what other accounts are present on the host will allow the actor to potentially re-use previously known credentials or identify disabled legitimate accounts they can re-enable to blend in with everyday activity.
System Owner/User Discovery (T1033): “query user” and whoami are called to determine what account is the webshell currently operating under.
All of the commands executed by the actor will have been done through a command shell using the installed webshells. The adversary now wants to expand their ability to control the infected host by laying the groundwork to allow full graphical control using Remote Desktop. They first must learn about the administrative groups on the host and create an account they can use for future logins. They also open the host’s firewall to allow Remote Desktop Protocol (RDP) access and download the open-source tool Plink to establish remote tunneling session over SSH which can be used to connect to the RDP session.
Permission Groups Discovery: Local Groups (T1069.001): The actor is interested in finding out the memberships of privileged local groups like Remote Desktop Users and Local Administrators. They accomplish this by executing “net localgroup” lookups.
Create Account: Local Account (T1136.001): In this example of the attacks, the actors needed to create a new account instead of blending in as an existing local account. An account with the name “Default01” is created using “net user”.
Impair Defenses: Disable or Modify System Firewall (T1562.004): Remote Desktop may not be enabled by default through the local system firewall. The threat actors can create new firewall rules to open up ports for local and remote access using the “netsh advfirewall” utility. This scenario opens local port “3389” for inbound access.
Protocol Tunneling (T1572): Plink is a legitimate command line utility that allows for the creation of tunneled SSH sessions. The actors use this utility to tunnel Remote Desktop through the SSH tunnel allowing them graphical access to the host. This scenario tests security controls responsible for blocking outbound SSH connections to external servers.
With a full connection established the actor uses a Scheduled Task to establish persistence of the Plink tunnel and then dumps the LSASS.exe process from memory. This process contains credentials for other accounts on the host including domain administrators. Instead of bringing a malicious tool like Mimikatz to host and risking detection, the actors brought a clean legitimate copy of FileZilla that they could use for data exfiltration. The memory dump is compressed and exfiltrated to a server controlled by the actor so it can be cracked offline.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility with the name “CacheTask” that was observed being used in these attacks.
OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the “lsass.exe” process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.
Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario compresses a LSASS minidump file and exfiltrates it in un-encrypted HTTP traffic to an external server.
The actor then starts the final stages of their attack by scanning for additional servers that it could access with the dumped credentials by searching for hosts with ports open for Remote Desktop (RDP), Windows File Sharing (SMB), or Active Directory (LDAP). An attempt will be made to move to an accessible server where the process would repeat. The final stage is the actor makes registry modifications that would encrypt the local drives with Bitlocker.
Network Service Discovery (T1046): This scenario uses nmap to scan for hosts that are open on ports “139,389,445,636,3389” that would identify remotely accessible hosts to the attacker
Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.
Data Encrypted for Impact (T1486): This scenario sets the “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RecoveryKeyMessage” to a custom message acting as a ransom note. This registry key is normally used by BitLocker to display a custom message to users when their assets are protected with BitLocker and a recovery key is required to entered before the system can boot.
Opportunities for Extending the Attack Graph
In addition to this new attack graph, there are additional stand-alone scenarios that can be added to the attack graph or as part of a separate assessment if customers have the appropriate environments.
Log4Shell (CVE-2021-44228) Signature-Based Web Requests (multiple payloads)
Log4Shell (CVE-2021-44228) Signature-Based Web Request – VMWare Horizon
These scenarios can be used to test Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) against different implementations of the Log4Shell vulnerability. A webserver that has a Log4J component is required to be set in the configuration.
ProxyShell Exploit (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
This scenario attempts to exploit the ProxyShell series of vulnerabilities against a remote Exchange server. An Exchange server with EWS is required to be set in the configuration.
Detection and Mitigation Opportunities
With so many different techniques being utilized by threat actors, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Scheduled Task/Job: Scheduled Task (T1053.005):
Typically, after initial access of a compromised endpoint, threat actors typically create a form of persistence to maintain access in a more reliable fashion. This threat actor specifically has been observed creating Scheduled Tasks titled “CacheTask” which will establish a Plink tunnel back to the adversary’s device.
With an EDR or SIEM product, you can utilize custom queries and detections to alert when non authorized/ unexpected users attempt to create a scheduled task. Although this is a benign windows feature, visibility of users utilizing this feature could lead to earlier detections of malicious entities in your environment.
Process Name = (“cmd.exe” OR “Powershell.exe”) Command Line CONTAINS (“schtasks” AND “/CREATE” AND “CacheTask” AND (“cmd” OR “powershell” OR “plink”))
MITRE ATT&CK Recommends the following mitigations for Scheduled Task/Job: Scheduled Task (T1053.005):
2. Impair Defenses: Disable or Modify System Firewall (T1562.004):
Lateral Movement is a key component for threat actors post compromise. These adversaries have been observed utilizing tools such as netsh to modify system firewalls to allow local and remote access to Remote Desktop Protocol (RDP) to ensure that they can pivot around in the network.
Using an EDR or SIEM product, you can utilize custom queries and detections to alert when non authorized/ unexpected users attempt to modify system firewalls in the environment.
Process Name = (“cmd.exe” OR “Powershell.exe”) Command Line CONTAINS (“netsh advfirewall” AND “localport=3389” AND “action=allow”)
MITRE ATT&CK Recommends the following mitigations for Impair Defenses: Disable or Modify System Firewall (T1562.004):
3. Create Account: Local Account (T1136.001):
Post compromise, this threat actor has been observed creating accounts on the compromised local machines so they can upgrade shell access to full GUI RDP access.
With an EDR or SIEM product, you can utilize custom queries and detections to alert when non authorized/ unexpected users attempt to create a user account on the local machine. Although this is a benign windows feature, visibility of users utilizing this feature could lead to earlier detections of malicious entities in your environment.
Process Name = (“cmd.exe” OR “Powershell.exe”) Command Line CONTAINS (“net user” AND “/add” AND “Default01”)
MITRE ATT&CK Recommends the following mitigations for Create Account: Local Account (T1136.001):
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against an actor who doesn’t need malware to achieve their goals. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.