CyberWire Daily - CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. [CISA Cybersecurity Alerts]

Episode Date: November 16, 2022

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

AA22-320A Alert, Technical Details, and Mitigations
Malware Analysis Report MAR 10387061-1.v1

For more information on Iranian government-sponsored malicious cyber activity, see CISA's Iran Cyber Threat Overview and Advisories webpage and FBI's Iran Threats webpage.

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Original release date, November 16, 2022. From mid-June through mid-July 2022, CISA conducted an incident response engagement at a federal civilian executive branch organization where CISA observed suspected APT activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
Starting point is 00:01:01 CISA and the FBI assess that the network was compromised by Iranian government-sponsored APT actors. CISA and the FBI are releasing this alert to provide the suspected Iranian government-sponsored actors' TTPs and indicators of compromise to help network defenders detect and protect against related compromises. CISA and the FBI encourage all organizations with VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this alert, CISA and the FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems and the domain controller, and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the
Starting point is 00:01:50 recommendations in the mitigation section of this alert to protect against similar malicious cyber activity. The alert documentation linked in the show notes includes additional technical details related to this APT activity, indicators of compromise, TTPs, incident response recommendations, and mitigation actions. To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report at cisa.gov or call 888-282-0870 or report incidents to your local FBI field office. This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the Cyber Wire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations.
Starting point is 00:02:37 A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.
