Attack Graph Response to CISA Advisory AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA23-250A) that seeks to emulate the activities carried out by multiple nation-state threat actors at an Aeronautical Sector organization as early as January 2023.

On September 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF), released a joint Cybersecurity Advisory (CSA) in response to multiple nation-state threat actors observed to have been exploiting CVE-2022-47966 and CVE-2022-42475.

An impacted organization in the aeronautical sector reached out to CISA to conduct an incident response engagement from February to April 2023. During this time, it was discovered that multiple nation-state Advanced Persistent Threat (APT) adversaries were present on the organization’s network and may have had access as early as January 2023. During the investigation, at least two initial access vectors were discovered:

  1. APT actors accessed a web server hosting Zoho ManageEngine ServiceDesk Plus by exploiting CVE-2022-47966.
  2. APT actors accessed the organization’s firewall device by exploiting CVE-2022-42475.

Activity from multiple APT actors, with overlapping TTPs, was also discovered as part of the investigation. The use of web shells, Metasploit, Mimikatz, and Ngrok was observed, which enabled the actors to set up persistence, move laterally, and dump passwords and hashes from compromised hosts.

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA23-250A) that aims to emulate the activities carried out by these adversaries to help customers validate their security controls and their ability to defend against similar exploitation.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against exploitation of well-known publicly available vulnerabilities.
  • Assess your security posture against post-exploitation activities carried out by these adversaries.
  • Continually validate detection and prevention pipelines against highly skilled and well-resourced adversaries.

[CISA AA23-250A] Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475


On September 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) released a joint Cybersecurity Advisory (CSA) detailing the identification of Indicators of Compromise (IOCs) present at an Aeronautical Sector organization as early as January 2023.

CISA confirmed that a Nation-state Advanced Persistent Threat (APT) adversary exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus). Additional adversaries were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device (FortiOS SSL-VPN).


This stage begins immediately after the exploitation of the CVE-2022-47966 vulnerability in Zoho ManageEngine ServiceDesk Plus.

First, an account named “Azure” is created with administrator privileges which is then followed by a dump of the Local Security Authority Subsystem Service (LSASS) process. Subsequently, using Mimikatz, the adversary will attempt to obtain Windows credentials and culminate these activities with the dumping of the SAM, SYSTEM, and SECURITY Registry hives.

Create Account: Local Account (T1136.001): This scenario creates an account with the name Azure by using net user.

OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass process. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.

Ingress Tool Transfer (T1105): This scenario downloads known malicious payloads to memory and saves them to disk in two separate scenarios, to test whether network and endpoint controls prevent their delivery.

OS Credential Dumping (T1003): This scenario uses the Mimikatz tool to dump all possible credentials available on the host.

OS Credential Dumping: Security Account Manager (T1003.002): The built-in reg save command is executed to dump the Windows SAM, SYSTEM, and SECURITY hives.


In this stage, network discovery activities are performed, starting with the discovery of open ports associated with the Remote Desktop Protocol (RDP), Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocols.

Then, activities such as network sniffing and the identification of remote desktop sessions via query user will be conducted. Finally, the adversary will seek to obtain persistence by establishing Secure Shell (SSH) communications and will create an RDP session as a fallback channel.

Network Service Discovery (T1046): This scenario uses nmap to scan for hosts with ports 139, 389, 445, 636, and 3389 open, identifying hosts that are remotely accessible to the attacker.

Network Sniffing (T1040): This scenario uses the netsh.exe trace utility to capture network trace data.

System Owner/User Discovery (T1033): Executes the native query user command to obtain details of the running user account.

Remote Services: SSH (T1021.004): This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.

Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.


In the third stage, the adversary used PsExec to create a Scheduled Task named "license validf" in order to obtain persistence, and enabled Restricted Admin Mode through the registry to force the saving of administrative credentials in plain text.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.

Modify Registry (T1112): Enables Restricted Admin Mode for Remote Desktop access of the host by setting the DisableRestrictedAdmin registry value to 0.


In the last stage of the attack, the adversary deploys the tool known as Metasploit, which is added as a new service named "QrrCvbrvnxasKTSb". Then, it executes a PowerShell command with the WindowStyle parameter set to Hidden. Finally, an ASPX web shell is deployed, through which the adversary will be able to continue its activities.

Create or Modify System Process: Windows Service (T1543.003): Creates a new service called QrrCvbrvnxasKTSb using the native sc.exe utility.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario executes a benign PowerShell command which uses the Hidden window parameter.

Detection and Mitigation Opportunities

Given the vast number of techniques used by these adversaries, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the attack graph results.

2. OS Credential Dumping: LSASS Memory (T1003.001) and OS Credential Dumping: Security Account Manager (T1003.002):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process, or from the Security Account Manager (SAM) database.

2a. Detection

Search for executions of comsvcs that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS ('lsass')

Search for executions of reg.exe attempting to save the SAM registry hive.

Process Name == (reg.exe)
Command Line CONTAINS ('reg save hklm\sam C:\WINDOWS\TEMP\sam')
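The two searches above as executable detection logic over constructed process-creation records (Sysmon Event ID 1 / Security 4688 style), written as an added example and not code from AttackIQ or CISA. It applies the page's rules literally and then a broadened form that is an assumption beyond the page: comsvcs.dll is a library normally loaded by rundll32.exe, so the process name is rarely comsvcs and the dump path need not contain "lsass", and the SAM, SYSTEM and SECURITY hives dumped in stage one may be saved to any path.

```python
import re

# Constructed sample records, reduced to the two fields the rules use.
# Not real telemetry from the advisory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 652 C:\Windows\Temp\lsass.dmp full"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll MiniDump 652 C:\Users\Public\out.dmp full"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\WINDOWS\TEMP\sam"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"REG SAVE HKLM\SYSTEM C:\Users\Public\sys.hiv"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
]

# Literal form of the page's two rules (case-insensitive).
def page_rule_comsvcs(ev):
    cmd = ev["CommandLine"].lower()
    return "comsvcs" in cmd and "lsass" in cmd

def page_rule_reg_sam(ev):
    return (ev["Image"].lower().endswith("reg.exe")
            and r"reg save hklm\sam c:\windows\temp\sam" in ev["CommandLine"].lower())

# Broadened forms (assumptions, not from the page): key on the MiniDump
# export of comsvcs.dll regardless of dump file name, and on a reg save of
# any of the three hives regardless of destination path.
MINIDUMP_RE = re.compile(r"comsvcs(?:\.dll)?\W+minidump\b", re.I)
HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)

def broad_rule_comsvcs(ev):
    return MINIDUMP_RE.search(ev["CommandLine"]) is not None

def broad_rule_hive_save(ev):
    m = HIVE_RE.search(ev["CommandLine"])
    return m.group(1).lower() if m else None

def evaluate(events):
    """Return (index, rule name) for every record a rule fires on; the page
    rule is reported when it matches, otherwise the broadened rule."""
    hits = []
    for i, ev in enumerate(events):
        if page_rule_comsvcs(ev):
            hits.append((i, "page:comsvcs-lsass"))
        elif broad_rule_comsvcs(ev):
            hits.append((i, "broad:comsvcs-minidump"))
        if page_rule_reg_sam(ev):
            hits.append((i, "page:reg-save-sam"))
        elif (hive := broad_rule_hive_save(ev)):
            hits.append((i, f"broad:reg-save-{hive}"))
    return hits

if __name__ == "__main__":
    for i, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {rule} :: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Records 1 and 3 are missed by the literal rules and caught only by the broadened ones, which is the gap to close when adapting these searches to your own telemetry.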

2b. Mitigation

MITRE ATT&CK recommends the following mitigations:

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against post-exploitation activities carried out by these adversaries. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.