Iranian State Actors Conduct Cyber Operations Against the Government of Albania | CISA

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial access obtained via exploitation of an Internet-facing SharePoint, exploiting CVE-2019-0604. “Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604.”
• [T1505.003] Web Shell – Persistence via web shells; “the actors used several .aspx webshells, pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence.”
• [T1021] Remote Services – Lateral movement using RDP (primarily), SMB, and FTP. “During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment.”
• [T1136] Create Account – Exchange account creation as a privileged user. “the compromised account to create a new Exchange account and add it to the Organization Management role group.”
• [T1114] Email Collection – Mailbox searches and data exposure via Exchange; data transfer observed. “Searches on various mailboxes … The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data.”
• [T1033] Credential Dumping (via Mimikatz) – Credential access through credential dumping tools. “Mimikatz usage and LSASS dumping.”
• [T1562.001] Disable or Modify Tools – Impair defenses by disabling Windows Defender. “Disable Defender” components and registry changes observed.
• [T1486] Data Encrypted for Impact – Encrypting files with GoXML.exe and leaving ransom notes. “GoXML.exe encrypted all files … leaving behind a ransom note titled How_To_Unlock_MyFiles.txt.”
• [T1485] Data Destruction – Disk wipe operations using cl.exe and rwdsk.sys. “Disk Wiper tool (cl.exe) … raw disk drives being wiped.”
• [T1133] External Remote Services – Use of VPN and compromised VPN accounts to access the victim network. “Approximately twelve months after initial access … connections to IP addresses belonging to the victim organization’s VPN appliance.”