Saturday, October 12, 2024
HomeCyber AttackU.S. Federal Network Hacked – Iranian APT Hackers Compromised Domain Controller

U.S. Federal Network Hacked – Iranian APT Hackers Compromised Domain Controller

Published on

Malware protection

Recently, the FBI and CISA published a joint advisory in which they disclosed an Iranian APT group compromised the Federal Civilian Executive Branch (FCEB) organization network Domain controller by exploiting the Log4Shell RCE flaw (CVE-2021-44228) to deploy XMRig crypto-mining malware and credential Harvester.

An Iranian APT Hacker group bypassed an unpatched VMware Horizon server which allowed them to compromise the federal network and maintained persistence within the network of the FCEB network with the help of reverse proxies.

CVE-2021-44228 (log4Shell) was a zero-day vulnerability in Log4j, a popular Java logging framework involving arbitrary code execution, and affects a wide range of products, including the VMware Horizon.

- Advertisement - SIEM as a Service

CISA observed the attackers attempting to dump the Local Security Authority Subsystem Service (LSASS) process with the task manager but this was stopped by additional anti-virus the FCEB organization had installed.

Exploiting Log4Shell Flaw

CISA discovered that bidirectional traffic was flowing between the network and an IP address that was known to be malicious. VMware Horizon servers are found to be vulnerable to the Log4Shell vulnerability which is associated with this known malicious IP address.

By exploiting the Log4Shell flaw threat actors installed XMRig crypto miner and then performed the following things:-

  • Laterally moved to the domain controller (DC)
  • Compromised credentials
  • Installed Ngrok reverse proxies

There are multiple threat actors, including state-sponsored hacking groups, who are still preying upon VMware Horizon and Unified Access Gateway (UAG) servers by exploiting the Log4Shell vulnerability.

The organization’s VMware server was being accessed via HTTPS from the following IP address:-

  • 51.89.181[.]64

However, later it was discovered that the LDAP server IP address had been used by the threat actors to deploy the Log4Shell vulnerability.

“Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.” said in the CISA report.

A remote exploit of Log4Shell can allow attackers to access sensitive information by moving laterally across breached networks that expose vulnerable servers.

Technical Analysis

There were originally unpatched VMware Horizon servers deployed by the organization that was detected by Iranian APT threat actors as part of an APT attack. 

Afterward, the following malicious IP address was used by the threat actors to establish a connection, and this connection lasted for 17.6 seconds:-

  • 182.54.217[.]2

In the exploit payloads, the actors added an exclusion rule to Windows Defender, which was run by the following PowerShell command:-

powershell try{Add-MpPreference -ExclusionPath ‘C:\’; Write-Host ‘added-exclusion’} catch {Write-Host ‘adding-exclusion-failed’ }; powershell -enc “$BASE64 encoded payload to download next stage and execute it”

This exclusion rule allowed the listing of the entire drive c:/ on the exclusion list. By using this method, threat actors can download tools without being detected by virus scans to the c:/drive.

Following the download, a file.zip is extracted from 182.54.217[.]2, and once done with that, then from the disk, the mde.ps1 is removed.

Here below we have mentioned the file.zip contents:-

  • WinRing0x64.sys
  • wuacltservice.exe
  • config.json
  • RuntimeBroker.exe

Researchers uncovered that file.zip contained crypto-mining software once the researchers dug deep into the file. The following tools have also been downloaded from a server named transfer[.]sh in a volume of around 30 megabytes.

Here below we have mentioned the tools that are downloaded by the threat actors:-

  • PsExec: A Microsoft signed tool for system administrators.
  • Mimikatz: A credential theft tool.
  • Ngrok: A reverse proxy tool for proxying an internal service out onto a Ngrok domain.

After Mimikatz was executed on VDI-KMS, a rogue domain administrator account was created based on the credentials that were harvested. In order to propagate the newly created account to a variety of hosts within the network, the actors used RDP.

Here below we have mentioned the domains used by the threat actors:-

  • tunnel.us.ngrok[.]com
  • korgn.su.lennut[.]com
  • *.ngrok[.]com
  • *.ngrok[.]io
  • ngrok.*.tunnel[.]com
  • korgn.*.lennut[.]com

In order to gain a foothold in the network, threat actors had to perform the following PowerShell command on Active Directory:- 

  • Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

While the primary purpose of this is to move laterally into the domain controller finally, threat actors have changed the local administrator password as a backup if the rogue domain admin access is detected and terminated.

Threat Actor Tactics and Techniques

Here is the complete attack TTPs used by APT hackers in the massive cyber attack.

  • Initial Access – Exploit Public – Facing Application – Actors exploited the Log4Shell bug on the VMware Horizon server
  • Execution – PowerShell, a Command and Scripting Interpreter – actors executed PowerShell on the AD to obtain a list of machines on the domain.
  • Persistence – Account Manipulation, Create Account: Local Account, Create Account: Domain Account, Scheduled Task/Job: Scheduled Task.
  • Evasion Detection – Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion.
  • Credential Access – OS Credential Dumping: LSASS Memory, Credentials from Password Stores.
  • Discovery – Remote System Discovery – PowerShell command on the AD to obtain a list of all machines.
  • Lateral Movement – Remote Services: Remote Desktop Protocol to gain access to multiple hosts on the network.
  • Command and Control – Ngrok to proxy RDP connections and to perform command and control.
  • Ingress Tool Transfer – downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok.

Mitigations

In order to mitigate the problem, CISA and FBI recommended the following measures:-

  • To ensure that all affected VMware Horizon and UAG systems have been updated to the most up-to-date version, install updated builds.
  • Updating all your software on a regular basis is essential.
  • Make sure that there is as little attack surface as possible facing the internet.
  • In order to manage identity and access effectively, it is important to follow best practices.
  • Ensure that domain controllers are audited to ensure that they are logging.
  • Identify all credentials that have been compromised and create a deny list for them.
  • Make sure that credentials are secured by restricting the use of accounts and credentials in certain places.

Validate Security Controls:

  1. Select an ATT&CK technique described in this advisory (see table 1).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...