Threat Signal Report

Joint CyberSecurity Alert (AA22-264A) Iranian Threat Actors Targeting Albania

description-logo Description

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) today released a joint Cybersecurity Advisory that highlights recent campaigns targeting the Government of Albania in July and September of this year.


Attacks have been attributed to threat actors named "HomeLand Justice" and their modus operandi appears to be disruption (rendering services offline) and destruction (wiping of disk drives and ransomware style encryption). It was observed that the threat actors also maintained persistence for over a year before these attacks were carried out. Other observed attacks were the exfiltration of data such as email, credentials and lateral movement. The attacks have been attributed to the government of Iran.


What are the Technical Details of this Attack?

Per the Joint Advisory, the threat actors used CVE-2019-0604, which is a vulnerability in Microsoft SharePoint (public facing) to obtain initial access. The threat actor used several webshells to establish and maintain persistence. Persistence and lateral movement were then established after compromise for several months before campaign activity began.


Other observations were the usage of Remote Desktop Protocol (RDP), Server Message Block (SMB) and File Transfer Protocol (FTP) to maintain access. Once this was established, the attackers then moved on and compromised the targets Microsoft Exchange servers (further details are unknown) to create a rogue Exchange account to allow for further privilege escalation via the addition of an Organization Management role. Exfiltration and compromise of the Exchange server occurred over 6-8 months where roughly 20GB of data was exfiltrated. The attackers also leveraged VPN access, using compromised accounts, where Advanced port scanner, Mimikatz and LSASS tools were used. To cap off the campaign, the threat actors finally used a file cryptor via the victim's print server via RDP which would then propagate the file cryptor internally. This targeted specific file extensions, and after encryption, leaving a note behind. Furthering damage and adding insult to injury, hours after encryption took place, the threat actor will kick off another final devastating attack. The wiping of targeted disk drives.


Is this Attack Widespread?

No. Attacks are targeted and limited in scope.


Any Suggested Mitigation?

Due to the complexity and sophistication of the attack, FortiGuard Labs recommends that all AV and IPS signatures, (including but not limited to) the update and patching of all known vulnerabilities within an environment are addressed as soon as possible. Also, providing awareness and situational training for personnel to identify potential social engineering attacks via spearphishing, SMShing, and other social engineering attacks that could allow an adversary to establish initial access into a targeted environment is recommended.


What is the Status of Coverage?

For publically available samples, customers running the latest AV definitions are protected by the following signatures:


BAT/BATRUNGOXML.VSNW0CI22!tr

W32/Filecoder.OLZ!tr.ransom

W32/GenCBL.BUN!tr

W32/PossibleThreat

Riskware/Disabler.B


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.