cisa_aa22_320a.yml
name: CISA AA22-320A
id: c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4
version: 1
date: '2022-11-16'
author: Michael Haag, Splunk
status: production
description: CISA and the FBI have identified APT activity in which the adversary gained initial access by exploiting Log4Shell on an unpatched VMware Horizon server. From there the adversary moved laterally and continued toward its objectives.
narrative: From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.
references:
- https://www.cisa.gov/uscert/ncas/alerts/aa22-320a
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection
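The narrative above names two post-exploitation artifacts a detection engineer can hunt for directly in endpoint telemetry: the XMRig miner and Ngrok reverse proxies implanted on several hosts. The block below is an added example, not part of this Splunk content or of the CISA advisory; it runs two simple process-creation rules over constructed sample events (hostnames, users and paths are invented) and then escalates when the same persistence tool shows up on more than one host, which is the pattern the narrative describes. The `min_hosts` threshold and the field names `host`, `process_name` and `command_line` are assumptions for illustration.

```python
"""Added example (not Splunk's or CISA's code): toy detection pass over
constructed process-creation events for the XMRig / Ngrok stages named in
the AA22-320A narrative."""
import re
from collections import defaultdict

# Constructed sample events. Hosts, users and paths are invented; the two
# tool names (xmrig, ngrok) come from the advisory narrative.
SAMPLE_EVENTS = [
    {"host": "horizon01", "user": "SYSTEM", "process_name": "xmrig.exe",
     "command_line": r"C:\ProgramData\xmrig.exe -o pool.example:3333"},
    {"host": "horizon01", "user": "SYSTEM", "process_name": "ngrok.exe",
     "command_line": r"C:\Windows\Temp\ngrok.exe tcp 3389"},
    {"host": "dc01", "user": "admin", "process_name": "ngrok.exe",
     "command_line": r"C:\Users\Public\ngrok.exe tcp 3389"},
    {"host": "ws07", "user": "jdoe", "process_name": "chrome.exe",
     "command_line": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"host": "ws07", "user": "jdoe", "process_name": "svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# Rule name -> pattern applied to process name plus command line.
RULES = [
    ("xmrig_miner_execution", re.compile(r"xmrig", re.I)),
    ("ngrok_reverse_proxy", re.compile(r"\bngrok(\.exe)?\b", re.I)),
]


def match_events(events):
    """Return one (rule, host, command_line) tuple per event that hits a rule."""
    hits = []
    for ev in events:
        haystack = f"{ev['process_name']} {ev['command_line']}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append((name, ev["host"], ev["command_line"]))
    return hits


def hosts_by_rule(hits):
    """Group the distinct hosts seen per rule (sorted for stable output)."""
    out = defaultdict(set)
    for name, host, _ in hits:
        out[name].add(host)
    return {name: sorted(hosts) for name, hosts in out.items()}


def multi_host_persistence(hits, rule="ngrok_reverse_proxy", min_hosts=2):
    """Escalation step: the narrative says Ngrok was implanted on several
    hosts, so report the host list once the same persistence tool appears on
    at least min_hosts distinct hosts (threshold is an assumption)."""
    hosts = hosts_by_rule(hits).get(rule, [])
    return hosts if len(hosts) >= min_hosts else []


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for rule, host, cmd in found:
        print(f"{rule:24s} {host:10s} {cmd}")
    print("ngrok on multiple hosts:", multi_host_persistence(found))
```

In a Splunk deployment the equivalent of `match_events` is a search over the Endpoint data model's process fields, and the equivalent of `multi_host_persistence` is a follow-on aggregation by host; the point of the example is that the per-host count, not the single process match, is what separates one opportunistic tunnel from the cross-host persistence the advisory describes.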