CISA and FBI Release Advisory on Iranian Government-Sponsored APT Actors Compromise Federal Network

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) about suspected Iranian government-sponsored actors that compromised a federal civilian executive branch (FCEB) agency. The advisory, “Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester” provides information on their tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

During an incident response at a federal agency, CISA determined the advanced persistent threat (APT) actors had exploited the Log4Shell vulnerability in unpatched VMware Horizon server on federal agency’s network for initial access. With access, the Iranian APT actors installed software and proxies that enabled them to move laterally, compromise credentials, and maintain persistence. This activity was first detected during routine, retrospective analysis using EINSTEIN, an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA.

Organizations that suspect initial access or compromise is detected based on IOCs or TTPs are advised to assume lateral movement by threat actors and investigate connected systems and the domain controller (DC).

Some of the recommended mitigations include install updated builds to ensure affected VMware Horizon and Unified Access Gateway systems are updated to the latest version; keep all software up to date and prioritize patching known exploited vulnerabilities; and use best practices for identity and access management (IAM) by implementing multifactor authentication (MFA) and enforcing use of strong passwords.

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. Network defenders are recommended to test existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

Your support to amplify this advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity & Infrastructure Security Agency
U.S. Department of Homeland Security
217-299-3954/ steven.lyddon@cisa.dhs.gov