Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations | CISA

IRGC-affiliated cyber actors exploited known Fortinet FortiOS and Microsoft Exchange vulnerabilities, plus VMware Horizon Log4j flaws, to gain initial access and conduct ransomware-like operations involving data encryption and data extortion. The advisory outlines observed tactics, IOCs, and mitigations to defend critical infrastructure and international targets against these IRGC-linked ransom activities. #IRGC #NajeeTechnologyHooshmandFaterLLC #AfkarSystemYazd #ProxyShell #Log4Shell #Fortinet #MicrosoftExchange #VMwareHorizon #BitLocker #DoubleExtortion

Keypoints

  • IRGC-affiliated APT actors have exploited Fortinet FortiOS and Microsoft Exchange vulnerabilities (and VMware Horizon Log4j flaws) since 2021 to gain initial access.
  • Following initial access, actors encrypt data with BitLocker and/or exfiltrate data for ransom or extortion, sometimes employing “double extortion.”
  • The actors target a broad set of entities, including U.S. critical infrastructure sectors and international organizations in Australia, Canada, and the U.K., often operating under Najee Technology Hooshmand Fater LLC and Afkar System Yazd.
  • Malicious and legitimate tools (e.g., FRP, Plink, RDP, BitLocker, SoftPerfect Network Scanner) are used across the enterprise spectrum for C2, lateral movement, and discovery.
  • IOCs include IP addresses, malicious domains, and numerous file-based indicators (e.g., named Windows process masquerades and DLL/EXE artifacts).
  • Mitigations emphasize patching, MFA, offline backups, network segmentation, blocklists/allowlists, and MITRE-aligned testing of security controls.

MITRE Techniques

  • [T1588.001, T1588.002] Obtain Capabilities: Malware, Tool – The actors used a mix of malicious and legitimate tooling across the enterprise spectrum: Fast Reverse Proxy (FRP) and Plink for C2, RDP for lateral movement, BitLocker for data encryption, and SoftPerfect Network Scanner for system network configuration discovery. “The IRGC-affiliated actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum.”
  • [T1190] Exploit Public-Facing Application – The actors gained initial access by exploiting known Fortinet FortiOS and Microsoft Exchange vulnerabilities, and were also observed exploiting VMware Horizon Log4j vulnerabilities. “exploiting known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access” and “exploiting VMware Horizon Log4j vulnerabilities for initial access.”
  • [T1053.005] Scheduled Task – The actors may have modified the Task Scheduler; tasks named Wininet, WinLogon, and CacheTask were potentially associated with the activity. “The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005].”
  • [T1136.001] Create Account – The actors established new user accounts on domain controllers, servers, workstations, and Active Directory, including Domain Admin, it_admin, DefaultAccount, etc. “The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002].”
  • [T1003.001] LSASS Memory – The actors dumped and exfiltrated LSASS memory for credential harvesting. “dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory … for credential harvesting.”
  • [T1486] Data Encrypted for Impact – The actors encrypted data by forcing BitLocker activation and held decryption keys for ransom. “forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom.”
  • [T1016] System Network Configuration Discovery – SoftPerfect Network Scanner was used to discover network configuration. “SoftPerfect Network Scanner for system network configuration discovery.”
  • [T1021.001] Remote Desktop Protocol – RDP was used for lateral movement within networks. “Remote Desktop Protocol (RDP) for lateral movement.”
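A triage check that pulls the scheduled-task, account-name and process-masquerade indicators from the list above out of Windows Security events, written here as an added example that is not part of the CISA advisory or this summary. It assumes the standard Security-log event IDs 4698 (task created), 4720 (account created) and 4688 (process created); the log lines are constructed samples in a simplified key=value form, not real telemetry.

```python
# Indicator names are taken from the advisory summary above.
TASK_NAMES = {"wininet", "winlogon", "cachetask"}
ACCOUNT_NAMES = {"it_admin", "defaultaccount"}
# A genuine svchost.exe lives under the system directories; any other path suggests masquerading.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (key=value per line, values contain no spaces).
SAMPLE_EVENTS = """\
EventID=4698 TaskName=\\Wininet Subject=CORP\\svc_backup
EventID=4698 TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Subject=SYSTEM
EventID=4720 TargetUserName=it_admin Subject=CORP\\jdoe
EventID=4720 TargetUserName=alice.smith Subject=CORP\\hr_admin
EventID=4688 NewProcessName=C:\\Users\\Public\\svchost.exe Subject=CORP\\jdoe
EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe Subject=SYSTEM
"""

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify(event):
    """Return a finding label for one event, or None if it matches no indicator."""
    eid = event.get("EventID")
    if eid == "4698":  # scheduled task created: compare only the leaf task name
        leaf = event["TaskName"].rsplit("\\", 1)[-1].lower()
        if leaf in TASK_NAMES:
            return f"task-name-match:{leaf}"
    elif eid == "4720":  # user account created
        if event["TargetUserName"].lower() in ACCOUNT_NAMES:
            return f"account-name-match:{event['TargetUserName']}"
    elif eid == "4688":  # process created: svchost.exe outside the system directories
        path = event["NewProcessName"].lower()
        if path.endswith("\\svchost.exe") and not path.startswith(SYSTEM_DIRS):
            return f"masquerade-path:{event['NewProcessName']}"
    return None

def scan(log_text):
    """Return (line_number, label) for every line that matches an indicator."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        label = classify(parse_event(line))
        if label:
            findings.append((n, label))
    return findings

if __name__ == "__main__":
    for n, label in scan(SAMPLE_EVENTS):
        print(f"line {n}: {label}")
```

Names such as CacheTask and DefaultAccount also exist legitimately in Windows, so the hits are triage leads to be checked against the task's path and actions, not verdicts on their own.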

Indicators of Compromise

  • IP addresses – 54.39.78.148, 95.217.193.86, and 8 more IPs
  • Malicious domains – newdesk.top, symantecserver.co, msupdate.us, and 7 more domains
  • Files – Wininet.xml, Winlogon.xml, and other files observed (e.g., Wininet.bat, Task_update.exe, lsass.dmp, svchost.exe masquerades)

Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-257a