Threats Feed | Unknown | Last Updated: 18/09/2023 | Author: Certfa Radar | Publish Date: 25/11/2022

Iranian APTs Exploit Log4Shell to Compromise FCEB Network

  • Actor Motivations: Espionage, Exfiltration, Financial Gain
  • Attack Vectors: Compromised Credentials, Vulnerability Exploitation, Cryptojacking, Malware
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

In April 2022, CISA detected Iranian government-sponsored APT activity compromising an FCEB organization's network via the Log4Shell vulnerability. Initial exploitation targeted an unpatched VMware Horizon server, and the actors later moved to the domain controller. The threat actors used PowerShell commands, disabled Windows Defender, and established persistence through scheduled tasks. Tools such as Mimikatz and Ngrok were deployed for credential harvesting and C2 communication. The actors attempted to dump the LSASS process, but additional anti-virus measures thwarted this activity. Lateral movement was observed, as were activities aimed at credential and account manipulation.

Detected Targets

Type      Description                         Confidence
Sector    Government Agencies and Services    High
Region    United States                       Verified

Extracted IOCs


Tip: 39 related IOCs (3 IP, 2 domain, 1 URL, 0 email, 33 file hash) to this threat have been found.

Overlaps

TunnelVision: TunnelVision Exploits 1-Day Vulnerabilities to Unleash Ransomware

Source: SentinelLabs - February 2022

Detection (one case): 182[.]54.217.2

Memento Team: Memento Team's Innovative Ransomware Strategy: Bypassing Encryption Detection

Source: Sophos - November 2021

Detection (one case): transfer[.]sh

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.