An official website of the United States government Here’s how you know
Actions to take today to protect against ransom operations:
• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
• Enforce MFA.
• Make offline backups of your data.
This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Note: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as “the authoring agencies.”
This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.
Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.
The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.
This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
For a downloadable copy of IOCs, see AA22-257A.stix.
For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threat webpage.
Download the PDF version of this report: pdf, 836 kb
As reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, and CVE-2021-34473 (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-31207. The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.
Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105 for initial access.
The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or “double extortion” ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.
IRGC-affiliated actor activity observed by the authoring agencies includes:
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.
The authoring agencies assess the following tactics and techniques are associated with this activity.
The IRGC-affiliated actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum:
Note: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
As stated in the Technical Details section previously reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [T1190].
The following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:
The following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:
The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:
Note: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
Note: For additional account usernames associated with this activity, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
The authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:
The IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a
Note: For additional contact information included in ransom notes, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
The authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.
Note: For additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
The authoring agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the mitigations below.
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
If a ransomware or extortion incident occurs at your organization:
Note: The authoring agencies strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
This advisory was developed by U.S., Australian, Canadian, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, USCC-CNMF, DoT, ACSC, CCCS, and NCSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
IP addresses and executables files are listed below. For a downloadable copy of IOCs, see AA22- 257A.stix.
Note: Some of these observed IP addresses may be outdated. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Malicious files observed in this activity are identified in Table 1. Many of the below malicious files are masquerading as legitimate Windows files; therefore, file names alone should not be treated as an indicator of compromise. Note: For additional malicious files observed, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Filename:
Wininet[.]xml
Path:
C:WindowsTempwininet[.]xml
MD5:
d2f4647a3749d30a35d5a8faff41765e
SHA-1:
0f676bc786db3c44cac4d2d22070fb514b4cb64c
SHA-256:
559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e
Filename:
Wininet’[.]xml
MD5:
2e1e17a443dc713f13f45a9646fc2179
SHA-1:
e75bfc0dd779d9d8ac02798b090989c2f95850dc
Filename:
WinLogon[.]xml
Path:
C:WindowsTempWinLogon[.]xml
MD5:
49c71178fa212012d710f11a0e6d1a30
SHA-1:
226f0fbb80f7a061947c982ccf33ad65ac03280f
SHA-256:
bcc2e4d96e7418a85509382df6609ec9a53b3805effb7ddaed093bdaf949b6ea
Filename:
Wininet[.]bat
Path:
C:Windowswininet[.]bat
MD5:
5f098b55f94f5a448ca28904a57c0e58
SHA-1:
27102b416ef5df186bd8b35190c2a4cc4e2fbf37
SHA-256:
668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0
Filename:
Winlogon[.]bat
Path:
C:Windowswinlogon[.]bat
MD5:
7ac4633bf064ebba9666581b776c548f
SHA-1:
524443dd226173d8ba458133b0a4084a172393ef
SHA-256:
d14d546070afda086a1c7166eaafd9347a15a32e6be6d5d029064bfa9ecdede7
Filename:
CacheTask[.]bat
Path:
C:\ProgramDataMicrosoftCacheTask[.]bat
MD5:
ee8fd6c565254fe55a104e67cf33eaea
SHA-1:
24ed561a1ddbecd170acf1797723e5d3c51c2f5d
SHA-256:
c1723fcad56a7f18562d14ff7a1f030191ad61cd4c44ea2b04ad57a7eb5e2837
Filename:
Task_update[.]exe
Path:
C:WindowsTemptask_update[.]exe
MD5:
cacb64bdf648444e66c82f5ce61caf4b
SHA-1:
3a6431169073d61748829c31a9da29123dd61da8
SHA-256:
12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a
Filename:
Task[.]exe
MD5:
5b646edb1deb6396082b214a1d93691b
SHA-1:
763ca462b2e9821697e63aa48a1734b10d3765ee
SHA-256:
17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f
Filename:
dllhost[.]exe
Path:
C:Windowsdllhost[.]exe
MD5:
0f8b592126cc2be0e9967d21c40806bc
9a3703f9c532ae2ec3025840fa449d4e
SHA-1:
3da45558d8098eb41ed7db5115af5a2c6 1c543af
8ece87086e8b5aba0d1cc4ec3804bf74e 0b45bee
SHA-256:
724d54971c0bba8ff32aeb6044d3b3fd57 1b13a4c19cada015ea4bcab30cae26
1604e69d17c0f26182a3e3ff65694a4945
0aafd56a7e8b21697a932409dfd81e
Filename:
svchost[.]exe
Path:
C:Windowssvchost[.]exe
MD5:
68f58e442fba50b02130eedfc5fe4e5b
298d41f01009c6d6240bc2dc7b769205
SHA-1:
76dd6560782b13af3f44286483e157848
efc0a4e
6ca62f4244994b5fbb8a46bdfe62aa1c95 8cebbd
SHA-256:
b04b97e7431925097b3ca4841b894139 7b0b88796da512986327ff66426544ca
8aa3530540ba023fb29550643beb00c9c 29f81780056e02c5a0d02a1797b9cd9
Filename:
User[.]exe
Path:
C:WindowsTempuser[.]exe
MD5:
bd131ebfc44025a708575587afeebbf3
f0be699c8aafc41b25a8fc0974cc4582
SHA-1:
8b23b14d8ec4712734a5f6261aed40942 c9e0f68
6bae2d45bbd8c4b0a59ba08892692fe86 e596154
SHA-256:
b8a472f219658a28556bab4d6d109fdf3 433b5233a765084c70214c973becbbd
7b5fbbd90eab5bee6f3c25aa3c2762104 e219f96501ad6a4463e25e6001eb00b
Filename:
Setup[.]bat
Path:
C:UsersDefaultAccountDesktopNew foldersetup[.]bat
MD5:
7fdc2d007ef0c1946f1f637b87f81590
Filename:
Ssasl[.]pmd
Path:
C:WindowsTempssasl[.]pmd
Filename:
Ssasl[.]zip
Path:
C:WindowsTempssasl[.]zip
Filename:
netscanold[.]exe
Path:
C:UsersDefaultAccountDesktopnetscanoldnetscanold[.]exe
Filename:
scan[.]csv
Path:
C:UsersDefaultAccountDesktopscan[.]csv
Filename:
lsass[.]dmp
Path:
C:UsersDefaultAccountAppDataLocalTemplsass[.]dmp
Filename:
lsass[.]zip
Path:
C:UsersDefaultAccountAppDataLocalTemplsass[.]zip
Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.
Tactic
Technique
Resource Development ]TA0042]
Obtain Capabilities: Malware [T1588.001]
Obtain Capabilities: Tool [T1588.002]
Initial Access [TA0001]
Exploit Public-Facing Application [T1190]
Execution [TA0002]
Scheduled Task/Job: Scheduled Task [T1053.005]
Persistence [TA0003]
Create Account: Local Account [T1136.001]
Create Account: Domain Account [T1136.002]
Privilege Escalation [TA0004]
Credential Access [TA0006]
Collection [TA0009]
Archive Collected Data: Archive via Utility [T1560.001]
Exfiltration [TA0010]
Impact [TA0040]
Data Encrypted for Impact [T1486]
This product is provided subject to this Notification and this Privacy & Use policy.
Please share your thoughts.
We recently updated our anonymous product survey; we’d welcome your feedback.
(888)282-0870
Send us email
Download PGP/GPG keys
Submit website feedback
Receive security alerts, tips, and other updates.
CISA is part of the Department of Homeland Security